System index permissions #2887

Merged
merged 77 commits into from
Sep 7, 2023
Changes from 5 commits
Commits
aebb383
#2553 System Indices check for extensions and tests
samuelcostae Jun 20, 2023
06403bd
#2553 System Indices tests response body checks
samuelcostae Jun 20, 2023
b6e0062
#2553 gradle spotless
samuelcostae Jun 20, 2023
e89ebab
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jun 26, 2023
59020e4
#2553 Refactoring of ConfigModelV6 and ConfigModelV7 to be based on t…
samuelcostae Jun 26, 2023
3a7c274
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 6, 2023
d88ec3e
#2553 Tests refactoring
samuelcostae Jul 6, 2023
07eabc1
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 6, 2023
5b89dfc
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 19, 2023
7206556
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 24, 2023
e190c4b
#2553 Code Style Fixes
samuelcostae Jul 24, 2023
dfcab85
#2553 Code Style Fixes
samuelcostae Jul 24, 2023
d2c4398
Merge remote-tracking branch 'ossecurityfork/#2553_refresh' into #255…
samuelcostae Jul 24, 2023
38ddd65
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 26, 2023
5d772bb
protected SystemIndices Feature Flag
samuelcostae Jul 26, 2023
4f161ed
SnapshotRestoreTests and SecurityIndexAccessEvaluatorTest tests changes
samuelcostae Jul 27, 2023
d22547e
Merge branch 'main' into #2553_refresh
samuelcostae Jul 27, 2023
273f10f
SnapshotRestoreTests and SecurityIndexAccessEvaluatorTest tests changes
samuelcostae Jul 27, 2023
3268145
SnapshotRestoreTests and SecurityIndexAccessEvaluatorTest tests changes
samuelcostae Jul 27, 2023
233fdde
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 27, 2023
c784438
more int retries
samuelcostae Jul 27, 2023
b2a05bc
security test change
samuelcostae Jul 28, 2023
153558a
removing v6 from codova test coverage
samuelcostae Jul 31, 2023
2237090
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 31, 2023
16caf78
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 31, 2023
2a525df
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Jul 31, 2023
b0a6c9a
Denylist draft
samuelcostae Aug 1, 2023
9d02e2b
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 1, 2023
60121a0
Fix issue from merge
samuelcostae Aug 1, 2023
5a48cc8
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 1, 2023
a6e26bb
Refactoring of New control flag while keeping old evaluator process i…
samuelcostae Aug 3, 2023
713857a
Refactoring of New control flag while keeping old evaluator process i…
samuelcostae Aug 3, 2023
55fedcb
Build failure
samuelcostae Aug 3, 2023
6b30d1b
Merge branch 'main' into #2553_refresh
samuelcostae Aug 3, 2023
8e27e79
Merge branch '#2553_refresh' of github.com:samuelcostae/security into…
samuelcostae Aug 3, 2023
707eb27
Test changes and adding Security Index as a standard to be blocked in…
samuelcostae Aug 4, 2023
964692b
Test changes and adding Security Index as a standard to be blocked in…
samuelcostae Aug 4, 2023
0eb4427
Test changes
samuelcostae Aug 4, 2023
739eb06
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 7, 2023
b3d100a
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 7, 2023
c7e3d5c
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 8, 2023
854d1df
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 8, 2023
7f7944d
Making Deny List non-configurable.
samuelcostae Aug 8, 2023
88f6e3e
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 9, 2023
0785f16
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 9, 2023
57e64d1
removing changes from certain tests
samuelcostae Aug 9, 2023
5b939fd
Merge branch 'opensearch-project:main' into #2553_refresh
samuelcostae Aug 14, 2023
3541d3c
Merge remote-tracking branch 'origin/#2553_refresh' into #2553_refresh
samuelcostae Aug 14, 2023
6d026f7
Merge branch 'main' into #2553_refresh
samuelcostae Aug 16, 2023
cf447ef
Spotless Check and Adding one more test for coverage
samuelcostae Aug 16, 2023
d774664
Merge branch 'main' into #2553_refresh
samuelcostae Aug 22, 2023
1606b77
TypePerm Test for code coverage and removed TypePerm constructor para…
samuelcostae Aug 31, 2023
a14ea25
Merge branch 'main' into #2553_refresh
samuelcostae Aug 31, 2023
7f08d0d
Refactors a file
DarshitChanpura Aug 31, 2023
43382fa
Merge remote-tracking branch 'upstream/main' into #2553_refresh
DarshitChanpura Aug 31, 2023
b48823b
Cleans up code
DarshitChanpura Sep 1, 2023
f3f7808
Splits up system index tests into 3 files for 3 scenarios and refacto…
DarshitChanpura Sep 1, 2023
5c099e2
Adds tests for system index disabled scenario
DarshitChanpura Sep 1, 2023
cb2a666
Adds tests for scenario when system index is enabled and system index…
DarshitChanpura Sep 1, 2023
0632ecd
Adds tests for scenario when system index is enabled and system index…
DarshitChanpura Sep 1, 2023
1210024
Adds snapshot restore tests for remaining scenarios
DarshitChanpura Sep 1, 2023
20da0b5
Fixes typo in Dev guide
DarshitChanpura Sep 1, 2023
3a222d7
Merge remote-tracking branch 'upstream/main' into #2553_refresh
DarshitChanpura Sep 1, 2023
58666fe
Adds more tests for user with no system index access and renames the …
DarshitChanpura Sep 1, 2023
d90f297
Cleans up SecurityIndexAccessEvaluator and related tests
DarshitChanpura Sep 2, 2023
e10be93
Refactors changes related to config models
DarshitChanpura Sep 2, 2023
429d07f
Adds more tests for index access evaluator and refactors some code
DarshitChanpura Sep 2, 2023
87d6ad8
Merge remote-tracking branch 'upstream/main' into #2553_refresh
DarshitChanpura Sep 5, 2023
72021f7
Reverting all Model changes
peternied Sep 5, 2023
526a824
Simpler SecurityRoles interface
peternied Sep 5, 2023
e595953
Adds more tests around system index permissions and cleans up code
DarshitChanpura Sep 5, 2023
7d00991
Adds tests to SecurityIndexAccessEvaluator
DarshitChanpura Sep 6, 2023
ffcf0b5
Merge branch 'main' into #2553_refresh
DarshitChanpura Sep 6, 2023
c2ab7e6
Addresses most of the PR feedback
DarshitChanpura Sep 6, 2023
8f48a10
Fills the hasExplicitIndexPermission method in v6 config
DarshitChanpura Sep 6, 2023
4fde43e
Fixes ConfigModelV6 hasExplicitPermission and adds test
DarshitChanpura Sep 6, 2023
98832d9
Refactors some variables in SecurityIndexAccessEvaluator
DarshitChanpura Sep 6, 2023
Expand Up @@ -308,7 +308,7 @@ public PrivilegesEvaluatorResponse evaluate(
}

// Security index access
if (securityIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse).isComplete()) {
if (securityIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, securityRoles).isComplete()) {
return presponse;
}

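Review bot: The evaluate(...) call in the security index access check now hands securityRoles to the evaluator, and the new checkSystemIndexPermissionsForUser dereferences it with securityRoles.getRoles() without a guard. Please confirm securityRoles is always resolved and non-null before this point in PrivilegesEvaluator.evaluate, or add a null check in the evaluator that fails closed (deny) rather than throwing.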
Expand Up @@ -27,7 +27,6 @@
package org.opensearch.security.privileges;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
Expand All @@ -42,6 +41,8 @@
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.resolver.IndexResolverReplacer;
import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
import org.opensearch.security.securityconf.IndexPattern;
import org.opensearch.security.securityconf.SecurityRoles;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.WildcardMatcher;
import org.opensearch.tasks.Task;
Expand All @@ -55,7 +56,6 @@ public class SecurityIndexAccessEvaluator {
private final WildcardMatcher securityDeniedActionMatcher;
private final IndexResolverReplacer irr;
private final boolean filterSecurityIndex;

// for system-indices configuration
private final WildcardMatcher systemIndexMatcher;
private final boolean systemIndexEnabled;
Expand All @@ -75,7 +75,6 @@ public SecurityIndexAccessEvaluator(final Settings settings, AuditLog auditLog,
ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY,
ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT
);

final boolean restoreSecurityIndexEnabled = settings.getAsBoolean(
ConfigConstants.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED,
false
Expand Down Expand Up @@ -105,9 +104,26 @@ public PrivilegesEvaluatorResponse evaluate(
final Task task,
final String action,
final Resolved requestedResolved,
final PrivilegesEvaluatorResponse presponse
final PrivilegesEvaluatorResponse presponse,
final SecurityRoles securityRoles
) {

final boolean isDebugEnabled = log.isDebugEnabled();

if (matchAnySystemIndices(requestedResolved) && !checkSystemIndexPermissionsForUser(securityRoles)) {
auditLog.logSecurityIndexAttempt(request, action, task);
if (log.isInfoEnabled()) {
log.info(
"No {} permission for user roles {} to System Indices {}",
action,
securityRoles,
getProtectedIndexes(requestedResolved).stream().collect(Collectors.joining(", "))
);
}
presponse.allowed = false;
return presponse.markComplete();
}

if (securityDeniedActionMatcher.test(action)) {
if (requestedResolved.isLocalAll()) {
if (filterSecurityIndex) {
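Review bot: The new guard at the top of evaluate() sits before the securityDeniedActionMatcher.test(action) check, so it denies every action, reads included, on any request that resolves to a system index when the roles lack the permission; that ordering deserves a comment in the code and a Javadoc entry for the new securityRoles parameter. The log.info call also passes the whole securityRoles object, which relies on its toString() and may be verbose; logging the role names would be clearer, and getProtectedIndexes(requestedResolved) is evaluated a second time here only to build the message.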
Expand All @@ -122,35 +138,11 @@ public PrivilegesEvaluatorResponse evaluate(
);
}
return presponse;
} else {
auditLog.logSecurityIndexAttempt(request, action, task);
log.warn("{} for '_all' indices is not allowed for a regular user", action);
presponse.allowed = false;
return presponse.markComplete();
}
} else if (matchAnySystemIndices(requestedResolved)) {
if (filterSecurityIndex) {
Set<String> allWithoutSecurity = new HashSet<>(requestedResolved.getAllIndices());
allWithoutSecurity.remove(securityIndex);
if (allWithoutSecurity.isEmpty()) {
if (isDebugEnabled) {
log.debug("Filtered '{}' but resulting list is empty", securityIndex);
}
presponse.allowed = false;
return presponse.markComplete();
}
irr.replace(request, false, allWithoutSecurity.toArray(new String[0]));
if (isDebugEnabled) {
log.debug("Filtered '{}', resulting list is {}", securityIndex, allWithoutSecurity);
}
return presponse;
} else {
auditLog.logSecurityIndexAttempt(request, action, task);
final String foundSystemIndexes = getProtectedIndexes(requestedResolved).stream().collect(Collectors.joining(", "));
log.warn("{} for '{}' index is not allowed for a regular user", action, foundSystemIndexes);
presponse.allowed = false;
return presponse.markComplete();
}
auditLog.logSecurityIndexAttempt(request, action, task);
log.info("{} for '_all' indices is not allowed for a regular user", action);
presponse.allowed = false;
return presponse.markComplete();
}
}

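Review bot: Removing the else if (matchAnySystemIndices(requestedResolved)) branch drops the path where filterSecurityIndex stripped securityIndex from a non-'_all' request and rewrote it with irr.replace(...); after this change the filter only applies under requestedResolved.isLocalAll(). Please confirm that is intended and covered by a test for a request that names the security index alongside other indices. The '_all' denial message also moves from log.warn to log.info, which lowers the severity of a denied access attempt for anyone filtering logs at warn and above, even though auditLog.logSecurityIndexAttempt still records it.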
Expand All @@ -175,6 +167,23 @@ public PrivilegesEvaluatorResponse evaluate(
return presponse;
}

private boolean checkSystemIndexPermissionsForUser(SecurityRoles securityRoles) {
// The generic wildcard "*" permission shouldn't give access to SystemIndices, so excluding it from the user roles's permissions
// before the check
Set<WildcardMatcher> userPermissions = securityRoles.getRoles()
.stream()
.flatMap(role -> role.getIpatterns().stream())
.map(IndexPattern::getNonWildCardPerms)
.collect(Collectors.toSet());

for (WildcardMatcher userPermission : userPermissions.stream().collect(Collectors.toSet())) {
if (userPermission.matchAny(ConfigConstants.SYSTEM_INDEX_PERMISSION)) {
return true;
}
}
return false;
}

private boolean matchAnySystemIndices(final Resolved requestedResolved) {
return !getProtectedIndexes(requestedResolved).isEmpty();
}
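Review bot: checkSystemIndexPermissionsForUser never looks at the requested indices: it collects getNonWildCardPerms() from every index pattern of every role and returns true if any one of them matches ConfigConstants.SYSTEM_INDEX_PERMISSION, so a role that carries the permission for one index pattern passes the check for every system index in the request. Consider passing requestedResolved in and matching only the index patterns that cover the requested system indices. Smaller points: userPermissions.stream().collect(Collectors.toSet()) copies a collection that is already a Set and the loop could be a single anyMatch, and the comment has a typo ("roles's").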