
Commit 3c50704

committed
Fixed IllegalArgumentException when building stateful index privileges (opensearch-project#5217)
Signed-off-by: Nils Bandener <[email protected]> (cherry picked from commit 4e1158c)
1 parent 59cee02 commit 3c50704


2 files changed

+48
-1
lines changed


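--- a/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java
@@ -929,6 +929,37 @@ public void hasExplicitIndexPrivilege_errors() throws Exception {
 .startsWith("Exceptions encountered during privilege evaluation:\n" + "Error while evaluating role role_with_errors")
 );
 }
+
+@Test
+public void aliasesOnDataStreamBackingIndices() throws Exception {
+// We create a meta data object with a data stream ds_a. Implicitly, the utility method will create
+// the backing indices ".ds-ds_a-000001", ".ds-ds_a-000002" and ".ds-ds_a-000003".
+// Additionally, we create an alias which only contains ".ds-ds_a-000001", but not the other backing indices.
+Map<String, IndexAbstraction> metadata = dataStreams("ds_a").alias("alias_a").of(".ds-ds_a-000001").build().getIndicesLookup();
+SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.fromYaml(
+"role:\n"
++ " index_permissions:\n"
++ " - index_patterns: ['alias_a']\n"
++ " allowed_actions: ['indices:data/write/index']",
+CType.ROLES
+);
+ActionPrivileges subject = new ActionPrivileges(roles, FlattenedActionGroups.EMPTY, () -> metadata, Settings.EMPTY);
+subject.updateStatefulIndexPrivileges(metadata, 2);
+
+PrivilegesEvaluatorResponse resultForIndexCoveredByAlias = subject.hasIndexPrivilege(
+ctx("role"),
+Set.of("indices:data/write/index"),
+IndexResolverReplacer.Resolved.ofIndex(".ds-ds_a-000001")
+);
+assertThat(resultForIndexCoveredByAlias, isAllowed());
+
+PrivilegesEvaluatorResponse resultForIndexNotCoveredByAlias = subject.hasIndexPrivilege(
+ctx("role"),
+Set.of("indices:data/write/index"),
+IndexResolverReplacer.Resolved.ofIndex(".ds-ds_a-000002")
+);
+assertThat(resultForIndexNotCoveredByAlias, isForbidden());
+}
 }
 
 /**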
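Review bot: The new test `aliasesOnDataStreamBackingIndices` exercises only the data stream half of the case this commit fixes; the comment added in ActionPrivileges.java names closed indices as the other kind of alias member that `relevantOnly()` removes, and nothing here builds an alias pointing at a closed index. If the test fixture can produce one, a second test of the same shape would pin both the allowed and the forbidden outcome for that case as well. It would also help to mark the regression itself with a comment on `subject.updateStatefulIndexPrivileges(metadata, 2);`, for example `// Before the fix this call threw IllegalArgumentException for alias members missing from the filtered index map`, because the assertions below it check only the evaluation result.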

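--- a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
+++ b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
@@ -1026,7 +1026,23 @@ static class StatefulIndexPrivileges {
 if (indicesEntry.getValue() instanceof IndexAbstraction.Alias) {
 // For aliases we additionally add the sub-indices to the privilege map
 for (IndexMetadata subIndex : indicesEntry.getValue().getIndices()) {
-indexToRoles.get(subIndex.getIndex().getName()).add(roleName);
+String subIndexName = subIndex.getIndex().getName();
+// We need to check whether the subIndex is part of the global indices
+// metadata map because that map has been filtered by relevantOnly().
+// This method removes all closed indices and data stream backing indices
+// because these indices get a separate treatment. However, these indices
+// might still appear as member indices of aliases. Trying to add these
+// to the SubSetBuilder indexToRoles would result in an IllegalArgumentException
+// because the subIndex will not be part of the super set.
+if (indices.containsKey(subIndexName)) {
+indexToRoles.get(subIndexName).add(roleName);
+} else {
+log.debug(
+"Ignoring member index {} of alias {}. This is usually the case because the index is closed or a data stream backing index.",
+subIndexName,
+indicesEntry.getKey()
+);
+}
 }
 }
 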
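Review bot: The comment added above `if (indices.containsKey(subIndexName))` says closed indices and data stream backing indices "get a separate treatment" but does not say where, and in authorization code that is the part a reader has to verify: an alias member left out of `indexToRoles` must still be evaluated somewhere and not fall through to an implicit allow or deny. I would close the comment with a line naming that path, for example `// Privileges on these indices are not precomputed here; they are decided by <name of the fallback evaluation method>.`, and say the same in the debug message so the log does not read as if the grant was dropped. The test added in this commit suggests the alias grant is still honoured for `.ds-ds_a-000001` and refused for `.ds-ds_a-000002`, so the behaviour looks right and only the pointer is missing. The enclosing loop and method start and end outside this hunk.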
