-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature activation for multi-tenancy #2568
Conversation
Reusing saveAnUpdateConfigs to perform specific updates on the `multitenancy_enabled` configuration flag. New APIs - GET /_plugins/_security/config/tenancy/multitenancy_enabled - PUT /_plugins/_security/config/tenancy/multitenancy_enabled New Permissions - securityconfig:admin/config/tenancy/multitenancy_enabled/read - securityconfig:admin/config/tenancy/multitenancy_enabled/update Signed-off-by: Peter Nied <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added some inline comments if we look to move forward with this as dynamic configuration via a 'feature activate' pattern.
import org.opensearch.core.xcontent.ToXContentObject; | ||
import org.opensearch.core.xcontent.XContentBuilder; | ||
|
||
public class BooleanSettingRetrieveResponse extends ActionResponse implements ToXContentObject { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If there are additional actions that reuse this pattern { "value": {VALUE} }
these names might need to be made more generic and moved outside of the tenancy package. The same is true for the Request types as well.
src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
Outdated
Show resolved
Hide resolved
@@ -92,8 +92,6 @@ | |||
import org.opensearch.security.test.helper.cluster.ClusterInfo; | |||
import org.opensearch.security.test.helper.file.FileHelper; | |||
|
|||
import static org.junit.jupiter.api.Assertions.fail; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was getting missing class exception when this assertion was triggered at runtime.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting. I checked out your branch and restored the original code and it worked fine for me. ./gradlew test --tests TenancyActionsTests
Package | Tests | Failures | Ignored | Duration | Success rate |
---|---|---|---|---|---|
org.opensearch.security.multitenancy.test | 2 | 0 | 0 | 12.698s | 100% |
src/main/java/org/opensearch/security/action/tenancy/MultiTenancyUpdateTransportAction.java
Show resolved
Hide resolved
Signed-off-by: Peter Nied <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work @peternied !
src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/action/tenancy/EmptyRequest.java
Outdated
Show resolved
Hide resolved
public class MultiTenancyRetrieveAction extends ActionType<BooleanSettingRetrieveResponse> { | ||
|
||
public static final MultiTenancyRetrieveAction INSTANCE = new MultiTenancyRetrieveAction(); | ||
public static final String NAME = "securityconfig:admin/config/tenancy/multitenancy_enabled/read"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think about using cluster:admin/config/tenancy/multitenancy_enabled/read
?
This is currently being used in ConfigUpdateAction.java
security/src/main/java/org/opensearch/security/action/configupdate/ConfigUpdateAction.java
Line 34 in 575c2bc
public static final String NAME = "cluster:admin/opendistro_security/config/update"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking about making a new prefix instead of 'cluster'. What would you think about feature:cluster/tenancy/multitenancy_enabled/(read|update)
instead?
I'd like it to be unassociated from where the setting is stored, it should be abstract enough it could move to another plugin, it should indicate the scope (e.g. cluster wide!), and then the local namespace tenancy followed by feature name.
What do you think, other recommendations?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think about swapping the order of feature:cluster
to be cluster:feature
? Unless there is a reason to put feature first, I am generally in favor of broadest-->granlur(est) ordering for the route. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the idea of cluster:feature/...
This should be clear in reading and will identify the scopes in the decreasing order.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated it to cluster:feature/tenancy/multitenancy_enabled/update
- but it seems like we should also update the rest request url to be inline with this, otherwise the coupling is still in place.
src/main/java/org/opensearch/security/action/tenancy/MultiTenancyRetrieveTransportAction.java
Show resolved
Hide resolved
public class MultiTenancyUpdateAction extends ActionType<BooleanSettingRetrieveResponse> { | ||
|
||
public static final MultiTenancyUpdateAction INSTANCE = new MultiTenancyUpdateAction(); | ||
public static final String NAME = "securityconfig:admin/config/tenancy/multitenancy_enabled/update"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think about using cluster:admin/config/tenancy/multitenancy_enabled/update
?
This is currently being used in ConfigUpdateAction.java
security/src/main/java/org/opensearch/security/action/configupdate/ConfigUpdateAction.java
Line 34 in 575c2bc
public static final String NAME = "cluster:admin/opendistro_security/config/update"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The point of these new actions is they can be permissioned separately from the security config, if I make them the same this removes its benefit, see the related issue for details
src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/multitenancy/test/TenancyActionsTests.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/multitenancy/test/TenancyActionsTests.java
Show resolved
Hide resolved
src/test/java/org/opensearch/security/multitenancy/test/TenancyActionsTests.java
Show resolved
Hide resolved
@@ -92,8 +92,6 @@ | |||
import org.opensearch.security.test.helper.cluster.ClusterInfo; | |||
import org.opensearch.security.test.helper.file.FileHelper; | |||
|
|||
import static org.junit.jupiter.api.Assertions.fail; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting. I checked out your branch and restored the original code and it worked fine for me. ./gradlew test --tests TenancyActionsTests
Package | Tests | Failures | Ignored | Duration | Success rate |
---|---|---|---|---|---|
org.opensearch.security.multitenancy.test | 2 | 0 | 0 | 12.698s | 100% |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall I think this looks good.
public class MultiTenancyRetrieveAction extends ActionType<BooleanSettingRetrieveResponse> { | ||
|
||
public static final MultiTenancyRetrieveAction INSTANCE = new MultiTenancyRetrieveAction(); | ||
public static final String NAME = "securityconfig:admin/config/tenancy/multitenancy_enabled/read"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think about swapping the order of feature:cluster
to be cluster:feature
? Unless there is a reason to put feature first, I am generally in favor of broadest-->granlur(est) ordering for the route. What do you think?
src/main/java/org/opensearch/security/action/tenancy/MultiTenancyRetrieveTransportAction.java
Show resolved
Hide resolved
@peternied IMO An action like What do you think about going one step up to say Something like
And then this endpoint can be supported without having |
Signed-off-by: Peter Nied <[email protected]>
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #2568 +/- ##
============================================
+ Coverage 61.28% 61.32% +0.04%
- Complexity 3333 3360 +27
============================================
Files 260 268 +8
Lines 18509 18598 +89
Branches 3269 3269
============================================
+ Hits 11344 11406 +62
- Misses 5573 5594 +21
- Partials 1592 1598 +6
... and 7 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Thanks for the comment @cwperks - I do not think every configuration setting should be exposed this way; however, this granularity allows for control over a subset of the values around the tenancy feature settings. Circling back to the original problem from #2444 the OpenSearch Managed Service does not provide access to modify the security configuration by its users. So when there is a value that is controlled by that configuration that could be allowed there is no way to expose access to it. In PR #2444 the multitenancy_enabled value is duplicated and synchronized. This draft pull request was created to granularize the access to that setting so it could be modified by users that are not running as super admin.
I think this is another approach that could be taken on to support the user scenarios for #2444. However, I didn't create a POC around this scenario for a couple of reasons:
|
Closing out this reference pull request, thanks everyone for the discussion and review! |
Description
Reusing saveAnUpdateConfigs to perform specific updates on the
multitenancy_enabled
configuration flag.New APIs
New Permissions
Issues Resolved
Testing
New integration tests have been included that exercise the new actions functionality.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.