Separated DLS/FLS privilege evaluation from action privilege evaluation #4490

Merged
merged 7 commits into from
Jul 9, 2024
Also changed DlsFlsValue to use context param
Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>
nibix committed Jul 4, 2024
commit 97d8d5420c59d714e5806b494d55ed53c9c41472
Original file line number Diff line number Diff line change
@@ -58,6 +58,7 @@
import org.opensearch.search.SearchHit;
import org.opensearch.search.builder.SearchSourceBuilder;
import org.opensearch.security.privileges.DocumentAllowList;
import org.opensearch.security.privileges.PrivilegesEvaluationContext;
import org.opensearch.security.queries.QueryBuilderTraverser;
import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
import org.opensearch.security.securityconf.EvaluatedDlsFlsConfig;
@@ -74,11 +75,9 @@ public class DlsFilterLevelActionHandler {
);

public static boolean handle(
String action,
ActionRequest request,
ActionListener<?> listener,
PrivilegesEvaluationContext context,
EvaluatedDlsFlsConfig evaluatedDlsFlsConfig,
Resolved resolved,
ActionListener<?> listener,
Client nodeClient,
ClusterService clusterService,
IndicesService indicesService,
@@ -91,6 +90,9 @@ public static boolean handle(
return true;
}

String action = context.getAction();
ActionRequest request = context.getRequest();

if (action.startsWith("cluster:")
|| action.startsWith("indices:admin/template/")
|| action.startsWith("indices:admin/index_template/")) {
@@ -112,11 +114,9 @@ public static boolean handle(
}

return new DlsFilterLevelActionHandler(
action,
request,
listener,
context,
evaluatedDlsFlsConfig,
resolved,
listener,
nodeClient,
clusterService,
indicesService,
@@ -142,23 +142,21 @@ public static boolean handle(
private DocumentAllowList documentAllowlist;

DlsFilterLevelActionHandler(
String action,
ActionRequest request,
ActionListener<?> listener,
PrivilegesEvaluationContext context,
EvaluatedDlsFlsConfig evaluatedDlsFlsConfig,
Resolved resolved,
ActionListener<?> listener,
Client nodeClient,
ClusterService clusterService,
IndicesService indicesService,
IndexNameExpressionResolver resolver,
DlsQueryParser dlsQueryParser,
ThreadContext threadContext
) {
this.action = action;
this.request = request;
this.action = context.getAction();
this.request = context.getRequest();
this.listener = listener;
this.evaluatedDlsFlsConfig = evaluatedDlsFlsConfig;
this.resolved = resolved;
this.resolved = context.getResolvedRequest();
this.nodeClient = nodeClient;
this.clusterService = clusterService;
this.indicesService = indicesService;
Original file line number Diff line number Diff line change
@@ -26,7 +26,6 @@

package org.opensearch.security.configuration;

import org.opensearch.action.ActionRequest;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.search.internal.SearchContext;
@@ -36,7 +35,7 @@

public interface DlsFlsRequestValve {

boolean invoke(String action, ActionRequest request, ActionListener<?> listener, PrivilegesEvaluationContext context);
boolean invoke(PrivilegesEvaluationContext context, ActionListener<?> listener);

void handleSearchContext(SearchContext context, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry);

@@ -45,7 +44,7 @@ public interface DlsFlsRequestValve {
public static class NoopDlsFlsRequestValve implements DlsFlsRequestValve {

@Override
public boolean invoke(String action, ActionRequest request, ActionListener<?> listener, PrivilegesEvaluationContext context) {
public boolean invoke(PrivilegesEvaluationContext context, ActionListener<?> listener) {
return true;
}
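Review bot: The `invoke` declaration in `DlsFlsRequestValve` has no Javadoc, and with the action and request now reachable only through `context`, the interface no longer shows what an implementation operates on or what the boolean result means. The caller changed in this commit returns without continuing when `invoke` yields false, so the contract is security-relevant and belongs on the interface, for example `/** Applies DLS/FLS handling to the request held by {@code context}; returns {@code false} when the request must not proceed. */`. Whether an implementation must already have completed `listener` in the false case is not visible here and should be stated too. The interface body continues outside this hunk.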

Original file line number Diff line number Diff line change
@@ -125,17 +125,17 @@ public void onConfigModelChanged(ConfigModel configModel) {

/**
*
* @param request
* @param listener
* @return false on error
*/
@Override
public boolean invoke(String action, ActionRequest request, final ActionListener<?> listener, PrivilegesEvaluationContext context) {
public boolean invoke(PrivilegesEvaluationContext context, final ActionListener<?> listener) {

EvaluatedDlsFlsConfig evaluatedDlsFlsConfig = configModel.getSecurityRoles()
.filter(context.getMappedRoles())
.getDlsFls(context.getUser(), dfmEmptyOverwritesAll, resolver, clusterService, namedXContentRegistry);

ActionRequest request = context.getRequest();
IndexResolverReplacer.Resolved resolved = context.getResolvedRequest();

if (log.isDebugEnabled()) {
@@ -303,7 +303,7 @@ public boolean invoke(String action, ActionRequest request, final ActionListener
return false;
}

if (action.contains("plugins/replication")) {
if (context.getAction().contains("plugins/replication")) {
listener.onFailure(
new OpenSearchSecurityException(
"Cross Cluster Replication is not supported when FLS or DLS or Fieldmasking is activated",
@@ -339,11 +339,9 @@ public boolean invoke(String action, ActionRequest request, final ActionListener

if (doFilterLevelDls && filteredDlsFlsConfig.hasDls()) {
return DlsFilterLevelActionHandler.handle(
action,
request,
listener,
context,
evaluatedDlsFlsConfig,
resolved,
listener,
nodeClient,
clusterService,
OpenSearchSecurityPlugin.GuiceHolder.getIndicesService(),
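Review bot: The Javadoc above `invoke` in the first hunk of this file does not describe the new `context` parameter, and any `@param request` tag remaining there would be stale now that the request is read from `context.getRequest()`. I would add `@param context evaluation context supplying the action, request, resolved indices, user and mapped roles`, which matches the getters called in the visible lines. `@return false on error` could also note that the replication branch reports the failure through `listener.onFailure` before returning. The method body runs well beyond the hunks shown.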
Original file line number Diff line number Diff line change
@@ -389,7 +389,7 @@ private <Request extends ActionRequest, Response extends ActionResponse> void ap
if (pres.isAllowed()) {
auditLog.logGrantedPrivileges(action, request, task);
auditLog.logIndexEvent(action, request, task);
if (!dlsFlsValve.invoke(action, request, listener, context)) {
if (!dlsFlsValve.invoke(context, listener)) {
return;
}
final CreateIndexRequestBuilder createIndexRequestBuilder = pres.getCreateIndexRequestBuilder();
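Review bot: After this change the valve works on `context.getRequest()` and `context.getAction()`, while `apply` still passes its own `action` and `request` locals to `auditLog` and, presumably, to the rest of the chain. If the DLS/FLS valve modifies the request in place (not visible in this hunk), the restriction only takes effect when the context holds the same request instance that is executed afterwards. Where `context` is constructed lies outside the hunk, so this should be confirmed. A comment at the call such as `// context must wrap the same action/request that continues down the filter chain`, or `assert context.getRequest() == request;`, would pin the invariant. `apply` starts and ends outside the hunk.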