Skip to content

Onboards flow-framework plugin to resource-sharing and access control framework #1251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Onboards flow-framework plugin to resource-sharing and access control framework #1251

wants to merge 8 commits into from

Conversation

@DarshitChanpura
Copy link
Member

@DarshitChanpura DarshitChanpura commented Oct 13, 2025
edited
Loading

Description

Implements resource-access-control for workflow and workflow_state.

Related Issues

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@DarshitChanpura
Copy link
Member Author

CI will resolve once: opensearch-project/security#5677 is merged.

@DarshitChanpura
Adds javadoc and a changelog entry
dc16660 
Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura DarshitChanpura marked this pull request as ready for review October 14, 2025 15:50
@DarshitChanpura
Copy link
Member Author

CI blocked by #1252

owaiskazi19
owaiskazi19 reviewed Oct 21, 2025
View reviewed changes
Copy link
Member

@owaiskazi19 owaiskazi19 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1st iteration

build.gradle Outdated
testImplementation("org.junit.jupiter:junit-jupiter:${junitJupiterVersion}")
testImplementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:${versions.jackson_databind}")

testImplementation 'org.awaitility:awaitility:4.3.0'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Constant for the version

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ack.

build.gradle
// | Output for ./bin/opensearch-plugin:ERROR: transport error 202: connect failed: Connection refused
// | ERROR: JDWP Transport dt_socket failed to initialize, TRANSPORT_INIT(510)
// | JDWP exit error AGENT_ERROR_TRANSPORT_INIT(197): No transports initialized [src/jdk.jdwp.agent/share/native/libjdwp/debugInit.c:700].
// So instead, we listen to a debugger by saying server=y and suspend=n
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove the comments?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, let's keep it to understand what these changes mean.

src/main/java/org/opensearch/flowframework/util/ParseUtils.java
* @return true if resource-authz should be used, false otherwise
*/
public static boolean shouldUseResourceAuthz(String resourceType) {
var client = ResourceSharingClientAccessor.getInstance().getResourceSharingClient();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make it explicit

Suggested change
var client = ResourceSharingClientAccessor.getInstance().getResourceSharingClient();
ResourceSharingClient client = ResourceSharingClientAccessor.getInstance().getResourceSharingClient();

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

compilation may fail if security plugin is absent and by extension SPI is absent as well.
(because of the import statement)

src/main/java/org/opensearch/flowframework/util/PluginClient.java
Request request,
ActionListener<Response> listener
) {
if (subject == null) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

subject would be null with the first constructor call, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't expect subject to be null, this is added to ensure robustness.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@owaiskazi19 owaiskazi19 owaiskazi19 left review comments

@dbwiddis dbwiddis Awaiting requested review from dbwiddis dbwiddis is a code owner

@joshpalis joshpalis Awaiting requested review from joshpalis joshpalis is a code owner

@ohltyler ohltyler Awaiting requested review from ohltyler ohltyler is a code owner

@amitgalitz amitgalitz Awaiting requested review from amitgalitz amitgalitz is a code owner

@jackiehanyang jackiehanyang Awaiting requested review from jackiehanyang jackiehanyang is a code owner

@junweid62 junweid62 Awaiting requested review from junweid62 junweid62 is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Onboard flow-framework plugin to Centralized Resource AuthZ framework

2 participants

@DarshitChanpura @owaiskazi19