opensearch-project · cwperks · Oct 20, 2025 · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025
@@ -15,7 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))
 - Improve array validator to also check for blank string in addition to null ([#5714](https://github.com/opensearch-project/security/pull/5714))
 - Use RestRequestFilter.getFilteredRequest to declare sensitive API params ([#5710](https://github.com/opensearch-project/security/pull/5710))
-
+- Updates DlsFlsValveImpl condition to return true if request is internal and not a protected resource request ([#5721](https://github.com/opensearch-project/security/pull/5721))
 
 ### Refactoring
 - [Resource Sharing] Make migrate api require default access level to be supplied and updates documentations + tests ([#5717](https://github.com/opensearch-project/security/pull/5717))

@@ -70,20 +70,25 @@ public void testSampleResourceSharingIndexExists() {
     public void fullAccessUser_canCRUD() {
         api.assertApiGet(resourceId, FULL_ACCESS_USER, HttpStatus.SC_OK, "sample");
         api.assertApiUpdate(resourceId, FULL_ACCESS_USER, "sampleUpdateAdmin", HttpStatus.SC_OK);
+        api.assertApiGetSearch(FULL_ACCESS_USER, HttpStatus.SC_OK, 1, "sample");
+        api.createSampleResourceAs(FULL_ACCESS_USER);
+        api.assertApiGetSearch(FULL_ACCESS_USER, HttpStatus.SC_OK, 2, "sample");
         api.assertApiDelete(resourceId, FULL_ACCESS_USER, HttpStatus.SC_OK);
     }
 
     @Test
     public void limitedAccessUser_canCRUD() {
         api.assertApiGet(resourceId, LIMITED_ACCESS_USER, HttpStatus.SC_OK, "sample");
         api.assertApiUpdate(resourceId, LIMITED_ACCESS_USER, "sampleUpdateAdmin", HttpStatus.SC_FORBIDDEN);
+        api.assertApiGetSearch(LIMITED_ACCESS_USER, HttpStatus.SC_OK, 1, "sample");
         api.assertApiDelete(resourceId, LIMITED_ACCESS_USER, HttpStatus.SC_FORBIDDEN);
     }
 
     @Test
     public void noAccessUser_canCRUD() {
         api.assertApiGet(resourceId, NO_ACCESS_USER, HttpStatus.SC_FORBIDDEN, "");
         api.assertApiUpdate(resourceId, NO_ACCESS_USER, "sampleUpdateAdmin", HttpStatus.SC_FORBIDDEN);
+        api.assertApiGetSearchForbidden(NO_ACCESS_USER);
         api.assertApiDelete(resourceId, NO_ACCESS_USER, HttpStatus.SC_FORBIDDEN);
     }
 }
@@ -163,13 +163,11 @@ public boolean invoke(PrivilegesEvaluationContext context, final ActionListener<
         }
         ActionRequest request = context.getRequest();
         if (HeaderHelper.isInternalOrPluginRequest(threadContext)) {
-            IndexResolverReplacer.Resolved resolved = context.getResolvedRequest();
             if (resourceSharingEnabledSetting.getDynamicSettingValue() && request instanceof SearchRequest) {
-
+                IndexResolverReplacer.Resolved resolved = context.getResolvedRequest();
                 Set<String> protectedIndices = resourcePluginInfo.getResourceIndicesForProtectedTypes();
                 WildcardMatcher resourceIndicesMatcher = WildcardMatcher.from(protectedIndices);
                 if (resourceIndicesMatcher.matchAll(resolved.getAllIndices())) {
-
                     IndexToRuleMap<DlsRestriction> sharedResourceMap = ResourceSharingDlsUtils.resourceRestrictions(
                         namedXContentRegistry,
                         resolved,
@@ -187,9 +185,8 @@ public boolean invoke(PrivilegesEvaluationContext context, final ActionListener<
                         threadContext
                     );
                 }
-            } else {
-                return true;
             }
+            return true;
         }
         DlsFlsProcessedConfig config = this.dlsFlsProcessedConfig.get();
         IndexResolverReplacer.Resolved resolved = context.getResolvedRequest();