[Resource Access Control] [Part2] Introduces a client for Resource Access Control and adds concrete implementation for resource access control #5194
base: feature/resource-permissions
Signed-off-by: Darshit Chanpura <[email protected]>
…ntrol implementation in common package Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
33c2dc4 to 89d3a63
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
597172b to 52f4ac5
Thanks for this interesting PR, @DarshitChanpura!
I have added a couple of comments and questions. As I went through the code linearly, I also commented both on conceptual things and code-level things (which I mostly marked with Nit:). I would recommend that you first have a look at the conceptual things ... we can talk about the Nit stuff later.
If you want, we can also schedule a conversation at some point in time.
client/src/main/java/org/opensearch/security/client/resources/ResourceSharingNodeClient.java
src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
src/main/java/org/opensearch/security/resources/rest/ResourceAccessRequest.java
src/main/java/org/opensearch/security/dlic/rest/support/Utils.java
Signed-off-by: Darshit Chanpura <[email protected]>
e38b67e to e05ae8a
Signed-off-by: Darshit Chanpura <[email protected]>
…tion Signed-off-by: Darshit Chanpura <[email protected]>
…into resource-sharing-client
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
d3b4304 to 31b0d0b
Signed-off-by: Darshit Chanpura <[email protected]>
…nges log level Signed-off-by: Darshit Chanpura <[email protected]>
src/main/java/org/opensearch/security/resources/rest/ResourceAccessRestAction.java
Signed-off-by: Darshit Chanpura <[email protected]>
"entities_to_revoke": { | ||
"roles": ["shared-roles"] | ||
} |
Does this need to be modified w.r.t. default action group?
No, this is just a list of entities. Action groups will be supplied separately (not in scope of v1).
- **Endpoint:** | ||
``` | ||
GET /_plugins/_security/resources/list/{resource_index} | ||
``` | ||
- **Description:** | ||
Retrieves a list of **resources that the current user has access to** within the specified `{resource_index}`. | ||
|
||
#### **Response:** |
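Review bot: The description for `GET /_plugins/_security/resources/list/{resource_index}` says the result is limited to resources the current user can access, but not what the caller gets when `{resource_index}` is not a resource index or nothing in it is shared with them. Stating whether that case yields an empty list or an error would let plugin authors handle both outcomes.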
What are the performance implications of the "extra hop" with the resource sharing security index?
As we discussed during the design phase, there is no concept of joins in OpenSearch. So the alternative to the current approach would be to store resource data inside the resource-sharing index, which results in a significant amount of duplication and is something we are moving away from.
resourceSharingClient.verifyResourceAccess( | ||
resourceId, | ||
RESOURCE_INDEX_NAME, | ||
SampleResourceScope.PUBLIC.value(), |
Please update this if we are removing the concept of scopes from this change
okay
|
||
#### **Method Signature:** | ||
```java | ||
void shareResource(String resourceId, String resourceIndex, Map<String, Object> shareWith, ActionListener<ResourceSharing> listener); |
Comment about this and other similar methods - since we know that the keys would be "roles", "users", and "backend_roles", can we somehow enforce that they provide a ShareWith data structure, instead of accepting an arbitrary map here?
This will eventually be replaced with ShareWith class. I can replace it for now to be of type: SharedWithActionGroup.ActionGroupRecipient
private String securityOrFeatureDisabledMessage() { | ||
boolean sharingEnabled = settings.getAsBoolean( | ||
ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, | ||
ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT | ||
); | ||
|
||
Settings securitySettings = settings.getByPrefix(ConfigConstants.SECURITY_SETTINGS_PREFIX); | ||
boolean securityDisabled = securitySettings.isEmpty() | ||
|| this.settings.getAsBoolean( | ||
ConfigConstants.OPENSEARCH_SECURITY_DISABLED, | ||
ConfigConstants.OPENSEARCH_SECURITY_DISABLED_DEFAULT | ||
); | ||
|
||
if (securityDisabled) return "Security Plugin is disabled."; | ||
if (!sharingEnabled) return "ShareableResource Access Control feature is disabled."; | ||
return ""; | ||
} |
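Review bot: In `securityOrFeatureDisabledMessage()` the empty string doubles as the "nothing is disabled" result, so every caller has to remember to test for emptiness before using the message; an `Optional<String>` return, or a Javadoc line stating that contract, would make it explicit. The method also reads `settings` in two places and `this.settings` in one, and `securitySettings.isEmpty()` treats a node with no settings under `SECURITY_SETTINGS_PREFIX` as having security disabled, which deserves a comment.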
Nit: do we want to check here whether system index protection is enabled, and also return a message if so? Since the feature is dependent on that?
This is checked at Transport Actions since that is the common sink between Rest APIs and client. Check out ShareResourceTransportAction.
Signed-off-by: Darshit Chanpura <[email protected]>
* @return True if the resource is owned by the user, false otherwise. | ||
*/ | ||
private boolean isOwnerOfResource(ResourceSharing document, String userName) { | ||
return document.getCreatedBy() != null && document.getCreatedBy().getCreator().equals(userName); |
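Review bot: `isOwnerOfResource` null-checks `document.getCreatedBy()` but then calls `.equals(userName)` on the result of `getCreator()`, which throws a `NullPointerException` if the creator is unset, and `document` itself is dereferenced without a check. Comparing as `userName != null && userName.equals(creator)` returns false instead of throwing when either value is missing, so the ownership check fails closed.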
Question/concern here is whether username would be guaranteed to be unique, specifically when considering multiple SSO providers/internal users?
#5185 must be merged before merging this.
#5016 is being broken down into smaller pieces. This is part 2.
Description
Introduces a client to be consumed by plugins, and adds concrete implementation of ResourceAccessControl.
There are 4 Java APIs as well as 4 REST APIs introduced as part of this PR. Plugins will leverage the client to call the Java APIs to implement resource access control.
Refer to the RESOURCE_ACCESS_CONTROL_FOR_PLUGINS.md file to understand in-depth implementation of this feature.
Issues Resolved
Testing
Check List
- [ ] API changes companion pull request created
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.