Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update default behavior for _cat/indices to return indices visible to requesting user #5196

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Update default behavior for _cat/indices to return indices visible to requesting user #5196

wants to merge 3 commits into from
+193 −58

Conversation

cwperks
Copy link
Member

@cwperks cwperks commented Mar 21, 2025

Description

Opening this PR up to show what's required for changing the default behavior of _cat/indices so that it always returns a list of the indices that the requesting user has access to.

This makes it possible to have roles where the index pattern is scoped down from *. In the current behavior, this role would always get a forbidden error when calling _cat/indices unless do_not_fail_on_forbidden is set to true.

test:
  cluster_permissions: []
  index_permissions:
    - index_patterns:
        - "test-*"
      allowed_actions:
        - indices_all
  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Issues Resolved

Resolves #5195

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

cwperks
cwperks commented Mar 21, 2025
View reviewed changes
src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java Outdated
@@ -538,7 +536,8 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context)
}
}

boolean dnfofPossible = dnfofEnabled && DNFOF_MATCHER.test(action0);
boolean dnfofPossible = (dnfofEnabled && DNFOF_MATCHER.test(action0))
|| Set.of("indices:monitor/settings/get", "indices:monitor/stats").contains(action0);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be extracted to a different constant

cwperks added 2 commits March 21, 2025 16:12
@cwperks
Fix unit test
483623f 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks
Fix failing test
dcaa783 
Signed-off-by: Craig Perkins <[email protected]>
@codecov Codecov
Copy link

codecov bot commented Mar 21, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.73%. Comparing base (dae9f6c) to head (dcaa783).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #5196      +/-   ##
==========================================
+ Coverage   71.67%   71.73%   +0.05%     
==========================================
  Files         337      337              
  Lines       22789    22791       +2     
  Branches     3606     3606              
==========================================
+ Hits        16334    16348      +14     
+ Misses       4651     4639      -12     
  Partials     1804     1804
Files with missing lines Coverage Δ
...earch/security/privileges/PrivilegesEvaluator.java 74.11% <100.00%> (+0.15%) ⬆️

... and 4 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura will be requested when the pull request is marked ready for review DarshitChanpura is a code owner

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho will be requested when the pull request is marked ready for review derek-ho is a code owner

@nibix nibix Awaiting requested review from nibix nibix will be requested when the pull request is marked ready for review nibix is a code owner

@peternied peternied Awaiting requested review from peternied peternied will be requested when the pull request is marked ready for review peternied is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 will be requested when the pull request is marked ready for review RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta will be requested when the pull request is marked ready for review reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin will be requested when the pull request is marked ready for review willyborankin is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Reconsider default behavior for DNFOF in 3.0.0
1 participant
@cwperks