

Add missing settings to plugin allowed list (opensearch-project#1814)
* Add missing settings to plugin allowed list

As settings have migrated from opendistro_security -> plugins.security, there were missed settings for the audit filter entries. This caused unknown setting errors when starting OpenSearch, and these settings' values were not being applied correctly, affecting the runtime behavior of the audit log filters.

Signed-off-by: Stephen Crawford <[email protected]>
peternied authored and stephen-crawford committed Nov 10, 2022
1 parent ad62d32 commit 38feee3
Showing 7 changed files with 269 additions and 67 deletions.
Expand Up @@ -36,6 +36,7 @@
import java.security.PrivilegedAction;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
Expand All @@ -44,6 +45,7 @@
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
Expand Down Expand Up @@ -118,6 +120,7 @@
import org.opensearch.security.auditlog.AuditLog.Origin;
import org.opensearch.security.auditlog.AuditLogSslExceptionHandler;
import org.opensearch.security.auditlog.NullAuditLog;
import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries;
import org.opensearch.security.auditlog.impl.AuditLogImpl;
import org.opensearch.security.auth.BackendRegistry;
import org.opensearch.security.compliance.ComplianceIndexingOperationListener;
Expand Down Expand Up @@ -949,6 +952,31 @@ public List<Setting<?>> getSettings() {
settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Property.NodeScope, Property.Filtered));
settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Property.NodeScope, Property.Filtered));

final BiFunction<String, Boolean, Setting<Boolean>> boolSettingNodeScopeFiltered = (String keyWithNamespace, Boolean value) -> Setting.boolSetting(keyWithNamespace, value, Property.NodeScope, Property.Filtered);

Arrays.stream(FilterEntries.values()).map(filterEntry -> {
switch(filterEntry) {
case DISABLE_REST_CATEGORIES:
case DISABLE_TRANSPORT_CATEGORIES:
return Setting.listSetting(filterEntry.getKeyWithNamespace(), disabledCategories, Function.identity(), Property.NodeScope);
case IGNORE_REQUESTS:
return Setting.listSetting(filterEntry.getKeyWithNamespace(), Collections.emptyList(), Function.identity(), Property.NodeScope);
case IGNORE_USERS:
return Setting.listSetting(filterEntry.getKeyWithNamespace(), ignoredUsers, Function.identity(), Property.NodeScope);
// All boolean settings with default of true
case ENABLE_REST:
case ENABLE_TRANSPORT:
case EXCLUDE_SENSITIVE_HEADERS:
case LOG_REQUEST_BODY:
case RESOLVE_INDICES:
return boolSettingNodeScopeFiltered.apply(filterEntry.getKeyWithNamespace(), true);
case RESOLVE_BULK_REQUESTS:
return boolSettingNodeScopeFiltered.apply(filterEntry.getKeyWithNamespace(), false);
default:
throw new RuntimeException("Please add support for new FilterEntries value '" + filterEntry.name() + "'");
}
}).forEach(settings::add);


// Security - Audit - Sink
settings.add(Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, Property.NodeScope, Property.Filtered));
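Review bot: The list settings built in the DISABLE_REST_CATEGORIES, DISABLE_TRANSPORT_CATEGORIES, IGNORE_REQUESTS and IGNORE_USERS cases are registered with Property.NodeScope only, while every boolean setting produced through boolSettingNodeScopeFiltered also carries Property.Filtered; if the legacy OPENDISTRO list settings registered earlier in getSettings are Filtered, the new namespaced keys should match so that the configured ignore_users and ignore_requests lists are not exposed through the node settings API where the old keys were hidden. The default branch throws a raw RuntimeException; `throw new IllegalStateException("Please add support for new FilterEntries value '" + filterEntry.name() + "'");` names the condition more precisely, and since the switch already lists every constant of the enum, a one-line comment that the branch only guards future additions to FilterEntries would explain why it exists. getSettings begins and ends outside the hunk.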
105 changes: 76 additions & 29 deletions src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
Expand Up @@ -37,6 +37,7 @@
import org.opensearch.security.support.WildcardMatcher;

import static org.opensearch.security.DefaultObjectMapper.getOrDefault;
import static org.opensearch.security.support.ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT;

/**
* Class represents configuration for audit logging.
Expand Down Expand Up @@ -126,9 +127,9 @@ public static AuditConfig from(final Settings settings) {
*/
@JsonInclude(JsonInclude.Include.NON_NULL)
public static class Filter {
private static Set<String> FIELDS = DefaultObjectMapper.getFields(Filter.class);
@VisibleForTesting
public static final Filter DEFAULT = Filter.from(Settings.EMPTY);
private static Set<String> FIELDS = DefaultObjectMapper.getFields(Filter.class);

private final boolean isRestApiAuditEnabled;
private final boolean isTransportApiAuditEnabled;
Expand Down Expand Up @@ -170,23 +171,52 @@ public static class Filter {
this.disabledTransportCategories = disabledTransportCategories;
}

public enum FilterEntries {
ENABLE_REST("enable_rest", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST),
ENABLE_TRANSPORT("enable_transport", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT),
RESOLVE_BULK_REQUESTS("resolve_bulk_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS),
LOG_REQUEST_BODY("log_request_body", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY),
RESOLVE_INDICES("resolve_indices", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES),
EXCLUDE_SENSITIVE_HEADERS("exclude_sensitive_headers", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS),
DISABLE_REST_CATEGORIES("disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES),
DISABLE_TRANSPORT_CATEGORIES("disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES),
IGNORE_USERS("ignore_users", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS),
IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS);

private final String key;
private final String legacyKeyWithNamespace;
FilterEntries(final String entryKey, final String legacyKeyWithNamespace) {
this.key = entryKey;
this.legacyKeyWithNamespace = legacyKeyWithNamespace;
}
public String getKey() {
return this.key;
}
public String getKeyWithNamespace() {
return SECURITY_AUDIT_CONFIG_DEFAULT + "."+ this.key;
}
public String getLegacyKeyWithNamespace() {
return this.legacyKeyWithNamespace;
}
}

@JsonCreator
@VisibleForTesting
public static Filter from(Map<String, Object> properties) throws JsonProcessingException {
if (!FIELDS.containsAll(properties.keySet())) {
throw new UnrecognizedPropertyException(null, "Unrecognized field(s) present in the input data for audit filter config", null, Filter.class, null, null);
}

final boolean isRestApiAuditEnabled = getOrDefault(properties,"enable_rest", true);
final boolean isTransportAuditEnabled = getOrDefault(properties,"enable_transport", true);
final boolean resolveBulkRequests = getOrDefault(properties, "resolve_bulk_requests", false);
final boolean logRequestBody = getOrDefault(properties, "log_request_body", true);
final boolean resolveIndices = getOrDefault(properties, "resolve_indices", true);
final boolean excludeSensitiveHeaders = getOrDefault(properties, "exclude_sensitive_headers", true);
final Set<AuditCategory> disabledRestCategories = AuditCategory.parse(getOrDefault(properties,"disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<AuditCategory> disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, "disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<String> ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, "ignore_users", DEFAULT_IGNORED_USERS));
final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, "ignore_requests", Collections.emptyList()));
final boolean isRestApiAuditEnabled = getOrDefault(properties, FilterEntries.ENABLE_REST.getKey(), true);
final boolean isTransportAuditEnabled = getOrDefault(properties, FilterEntries.ENABLE_TRANSPORT.getKey(), true);
final boolean resolveBulkRequests = getOrDefault(properties, FilterEntries.RESOLVE_BULK_REQUESTS.getKey(), false);
final boolean logRequestBody = getOrDefault(properties, FilterEntries.LOG_REQUEST_BODY.getKey(), true);
final boolean resolveIndices = getOrDefault(properties, FilterEntries.RESOLVE_INDICES.getKey(), true);
final boolean excludeSensitiveHeaders = getOrDefault(properties, FilterEntries.EXCLUDE_SENSITIVE_HEADERS.getKey(), true);
final Set<AuditCategory> disabledRestCategories = AuditCategory.parse(getOrDefault(properties, FilterEntries.DISABLE_REST_CATEGORIES.getKey(), ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<AuditCategory> disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, FilterEntries.DISABLE_TRANSPORT_CATEGORIES.getKey(), ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<String> ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_USERS.getKey(), DEFAULT_IGNORED_USERS));
final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList()));

return new Filter(
isRestApiAuditEnabled,
Expand All @@ -208,24 +238,16 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
* @return audit configuration filter
*/
public static Filter from(Settings settings) {
final boolean isRestApiAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true);
final boolean isTransportAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true);
final boolean resolveBulkRequests = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false);
final boolean logRequestBody = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true);
final boolean resolveIndices = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true);
final boolean excludeSensitiveHeaders = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true);
final Set<AuditCategory> disabledRestCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES);
final Set<AuditCategory> disabledTransportCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES);

final Set<String> ignoredAuditUsers = ConfigConstants.getSettingAsSet(
settings,
ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS,
DEFAULT_IGNORED_USERS,
false);

final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(settings.getAsList(
ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS,
Collections.emptyList()));
final boolean isRestApiAuditEnabled = fromSettingBoolean(settings, FilterEntries.ENABLE_REST, true);
final boolean isTransportAuditEnabled = fromSettingBoolean(settings, FilterEntries.ENABLE_TRANSPORT, true);
final boolean resolveBulkRequests = fromSettingBoolean(settings, FilterEntries.RESOLVE_BULK_REQUESTS, false);
final boolean logRequestBody = fromSettingBoolean(settings, FilterEntries.LOG_REQUEST_BODY, true);
final boolean resolveIndices = fromSettingBoolean(settings, FilterEntries.RESOLVE_INDICES, true);
final boolean excludeSensitiveHeaders = fromSettingBoolean(settings, FilterEntries.EXCLUDE_SENSITIVE_HEADERS, true);
final Set<AuditCategory> disabledRestCategories = AuditCategory.parse(fromSettingStringSet(settings, FilterEntries.DISABLE_REST_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<AuditCategory> disabledTransportCategories = AuditCategory.parse(fromSettingStringSet(settings, FilterEntries.DISABLE_TRANSPORT_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<String> ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS);
final Set<String> ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList());

return new Filter(isRestApiAuditEnabled,
isTransportAuditEnabled,
Expand All @@ -239,6 +261,31 @@ public static Filter from(Settings settings) {
disabledTransportCategories);
}

static boolean fromSettingBoolean(final Settings settings, FilterEntries filterEntry, final boolean defaultValue) {
return settings.getAsBoolean(filterEntry.getKeyWithNamespace(), settings.getAsBoolean(filterEntry.getLegacyKeyWithNamespace(), defaultValue));
}

static Set<String> fromSettingStringSet(final Settings settings, FilterEntries filterEntry, final List<String> defaultValue) {
final String defaultDetectorValue = "__DEFAULT_DETECTION__";
final Set<String> stringSetOfKey = ConfigConstants.getSettingAsSet(
settings,
filterEntry.getKeyWithNamespace(),
ImmutableList.of(defaultDetectorValue),
true);

final boolean foundDefault = stringSetOfKey.stream().anyMatch(defaultDetectorValue::equals);
if (!foundDefault) {
return stringSetOfKey;
}

// Fallback to the legacy keyname
return ConfigConstants.getSettingAsSet(
settings,
filterEntry.getLegacyKeyWithNamespace(),
defaultValue,
true);
}

/**
* Checks if auditing for REST API is enabled or disabled
* @return true/false
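Review bot: fromSettingStringSet passes `true` as the last argument of ConfigConstants.getSettingAsSet for every entry, whereas the removed from(Settings) body passed `false` for OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS and read ignore_requests through settings.getAsList with an empty default; if that flag controls whether an empty configured list is replaced by the default, an operator who sets ignore_users to an empty list in order to audit every user would now silently get DEFAULT_IGNORED_USERS back, so the flag should be passed per entry or the previous false kept for IGNORE_USERS. The sentinel "__DEFAULT_DETECTION__" is also a value a configured list could legitimately contain; if the Settings API on this version offers a presence check for the namespaced key (hasValue, or getAsList with a null default), that would avoid the sentinel altogether. Both helpers would benefit from a short Javadoc stating the precedence they implement: the namespaced key wins, the legacy key is consulted only when the namespaced key is absent, and defaultValue applies only when neither is set.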
Expand Up @@ -17,9 +17,6 @@

import com.google.common.collect.ImmutableSet;

import org.opensearch.common.settings.Settings;
import org.opensearch.security.support.ConfigConstants;

public enum AuditCategory {
BAD_HEADERS,
FAILED_LOGIN,
Expand All @@ -45,8 +42,4 @@ public static Set<AuditCategory> parse(final Collection<String> categories) {
.map(AuditCategory::valueOf)
.collect(ImmutableSet.toImmutableSet());
}

public static Set<AuditCategory> from(final Settings settings, final String key) {
return parse(ConfigConstants.getSettingAsSet(settings, key, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT, true));
}
}
Expand Up @@ -437,6 +437,14 @@ public AuditCategory getCategory() {
return msgCategory;
}

public Origin getOrigin() {
return (Origin) this.auditInfo.get(ORIGIN);
}

public String getPrivilege() {
return (String) this.auditInfo.get(PRIVILEGE);
}

public String getExceptionStackTrace() {
return (String) this.auditInfo.get(EXCEPTION);
}
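Review bot: getOrigin and getPrivilege carry no Javadoc, and like the neighbouring getExceptionStackTrace they return whatever auditInfo (presumably a map) holds under the key, which is null when that entry was never recorded; a line such as `/** Origin of the request this message records, or null if it was not recorded. */` on getOrigin and `/** Privilege that was evaluated for this message, or null if none was recorded. */` on getPrivilege would spare callers a surprise NullPointerException when they switch on the Origin or compare the privilege string. The enclosing class continues outside the hunk.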
Expand Up @@ -11,6 +11,7 @@

package org.opensearch.security.auditlog;

import java.util.Arrays;
import java.util.Collection;

import com.fasterxml.jackson.databind.JsonNode;
Expand All @@ -26,6 +27,8 @@
import org.opensearch.security.test.helper.file.FileHelper;
import org.opensearch.security.test.helper.rest.RestHelper;

import static org.opensearch.security.auditlog.config.AuditConfig.DEPRECATED_KEYS;

public abstract class AbstractAuditlogiUnitTest extends SingleClusterTest {

protected RestHelper rh = null;
Expand All @@ -36,20 +39,25 @@ protected String getResourceFolder() {
return "auditlog";
}

protected final void setup(Settings additionalSettings) throws Exception {
final Settings.Builder auditSettingsBuilder = Settings.builder();
final Settings.Builder additionalSettingsBuilder = Settings.builder().put(additionalSettings);
AuditConfig.DEPRECATED_KEYS.forEach(key -> {
if (additionalSettingsBuilder.get(key) != null) {
auditSettingsBuilder.put(key, additionalSettings.get(key));
additionalSettingsBuilder.remove(key);
protected final void setup(Settings settings) throws Exception {
final Settings.Builder auditConfigSettings = Settings.builder();
final Settings.Builder defaultNodeSettings = Settings.builder();
// Separate the cluster defaults from audit settings that will be applied after the cluster is up
settings.keySet().forEach(key -> {
final boolean moveToAuditConfig = Arrays.stream(AuditConfig.Filter.FilterEntries.values())
.anyMatch(entry -> entry.getKeyWithNamespace().equalsIgnoreCase(key) || entry.getLegacyKeyWithNamespace().equalsIgnoreCase(key))
|| DEPRECATED_KEYS.stream().anyMatch(key::equalsIgnoreCase);
if (moveToAuditConfig) {
auditConfigSettings.put(key, settings.get(key));
} else {
defaultNodeSettings.put(key, settings.get(key));
}
});

final Settings nodeSettings = defaultNodeSettings(additionalSettingsBuilder.build());
final Settings nodeSettings = defaultNodeSettings(defaultNodeSettings.build());
setup(Settings.EMPTY, new DynamicSecurityConfig(), nodeSettings, init);
rh = restHelper();
updateAuditConfig(auditSettingsBuilder.build());
updateAuditConfig(auditConfigSettings.build());
}

protected Settings defaultNodeSettings(Settings additionalSettings) {
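Review bot: `auditConfigSettings.put(key, settings.get(key))` and the matching `defaultNodeSettings.put(key, settings.get(key))` copy every value through Settings.get, which, as far as I recall, renders a list-valued setting as a single string; the filter entries this loop routes to the audit config include disabled_rest_categories, disabled_transport_categories and ignore_users, so a test that supplies them with putList would not round-trip and the audit filter under test would see a different value than intended. If the builder's `copy(key, settings)` is available on this version it preserves the value type; otherwise branch on `settings.getAsList(key)` for those keys. The FilterEntries stream is also rebuilt for every key in the loop; collecting the namespaced and legacy keys into a Set once before `settings.keySet().forEach` would make the intent clearer and the comparison a single contains check.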

