Onboards flow-framework plugin to resource-sharing and access control framework #1251
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… framework Signed-off-by: Darshit Chanpura <[email protected]>
|
CI will resolve once: opensearch-project/security#5677 is merged. |
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
requested review from
amitgalitz,
dbwiddis,
jackiehanyang,
joshpalis,
junweid62,
ohltyler and
owaiskazi19
as code owners
…e-sharing tests Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
force-pushed
the
resource-permissions
branch
from
8f62909 to
6937e06
Compare
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
force-pushed
the
resource-permissions
branch
from
dace39b to
69009e6
Compare
|
CI blocked by #1252 |
Signed-off-by: Darshit Chanpura <[email protected]>
owaiskazi19
reviewed
Oct 21, 2025
|
|
||
| dependencies { | ||
| // For resource access control | ||
| compileOnly group: 'org.opensearch', name:'opensearch-security-spi', version:"3.4.0-SNAPSHOT" |
There was a problem hiding this comment.
Can we fetch the version from the variable?
| testImplementation("org.junit.jupiter:junit-jupiter:${junitJupiterVersion}") | ||
| testImplementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:${versions.jackson_databind}") | ||
|
|
||
| testImplementation 'org.awaitility:awaitility:4.3.0' |
| // | Output for ./bin/opensearch-plugin:ERROR: transport error 202: connect failed: Connection refused | ||
| // | ERROR: JDWP Transport dt_socket failed to initialize, TRANSPORT_INIT(510) | ||
| // | JDWP exit error AGENT_ERROR_TRANSPORT_INIT(197): No transports initialized [src/jdk.jdwp.agent/share/native/libjdwp/debugInit.c:700]. | ||
| // So instead, we listen to a debugger by saying server=y and suspend=n |
There was a problem hiding this comment.
Can we remove the comments?
| * @return true if resource-authz should be used, false otherwise | ||
| */ | ||
| public static boolean shouldUseResourceAuthz(String resourceType) { | ||
| var client = ResourceSharingClientAccessor.getInstance().getResourceSharingClient(); |
There was a problem hiding this comment.
Can we make it explicit
Suggested change
| var client = ResourceSharingClientAccessor.getInstance().getResourceSharingClient(); | |
| ResourceSharingClient client = ResourceSharingClientAccessor.getInstance().getResourceSharingClient(); |
| * @param onSuccess consumer function to execute if resource sharing feature is enabled | ||
| * @param fallbackOn501 consumer function to execute if resource sharing feature is disabled. | ||
| */ | ||
| public static void verifyResourceAccessAndProcessRequest(String resourceType, Runnable onSuccess, Runnable fallbackOn501) { |
There was a problem hiding this comment.
Suggested change
| public static void verifyResourceAccessAndProcessRequest(String resourceType, Runnable onSuccess, Runnable fallbackOn501) { | |
| public static void verifyResourceAccessAndProcessRequest(String resourceType, Runnable onSuccess, Runnable onFailure) { |
|
|
||
| private Subject subject; | ||
|
|
||
| public PluginClient(Client delegate) { |
There was a problem hiding this comment.
Suggested change
| public PluginClient(Client delegate) { | |
| public PluginClient(Client client) { |
| super(delegate); | ||
| } | ||
|
|
||
| public PluginClient(Client delegate, Subject subject) { |
There was a problem hiding this comment.
Suggested change
| public PluginClient(Client delegate, Subject subject) { | |
| public PluginClient(Client client, Subject subject) { |
| super(delegate); | ||
| } | ||
|
|
||
| public PluginClient(Client delegate, Subject subject) { |
There was a problem hiding this comment.
Where this constructor used?
| Request request, | ||
| ActionListener<Response> listener | ||
| ) { | ||
| if (subject == null) { |
There was a problem hiding this comment.
subject would be null with the first constructor call, right?
| * Accessor for resource sharing client | ||
| */ | ||
| public class ResourceSharingClientAccessor { | ||
| private ResourceSharingClient CLIENT; |
There was a problem hiding this comment.
Can make it as thread safe?
Suggested change
| private ResourceSharingClient CLIENT; | |
| private final AtomicReference<ResourceSharingClient> client = new AtomicReference<>(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Implements resource-access-control for workflow and workflow_state.
Related Issues
Check List
--signoff.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.