ruanyl · wanglam · Mar 6, 2024 · Sep 15, 2023 · Oct 8, 2023 · Oct 16, 2023
@@ -277,4 +277,7 @@
 # vis_augmenter.pluginAugmentationEnabled: true
 
 # Set the value to true to enable workspace feature
-# workspace.enabled: false
+# workspace.enabled: false
+# Set the value to false to disable permission check on workspace
+# Permission check depends on OpenSearch Dashboards has authentication enabled, set it to false if no authentication is configured
+# workspace.permission.enabled: true
@@ -105,6 +105,7 @@ export {
   StringValidationRegex,
   StringValidationRegexString,
   WorkspaceObject,
+  WorkspaceAttribute,
 } from '../types';
 
 export {

@@ -45,7 +45,7 @@ import { HttpFetchOptions, HttpSetup } from '../http';
 
 type SavedObjectsFindOptions = Omit<
   SavedObjectFindOptionsServer,
-  'sortOrder' | 'rootSearchFields' | 'typeToNamespacesMap'
+  'sortOrder' | 'rootSearchFields' | 'typeToNamespacesMap' | 'ACLSearchParams'
 >;
 
 type PromiseType<T extends Promise<any>> = T extends Promise<infer U> ? U : never;
@@ -392,17 +392,14 @@ export class SavedObjectsClient {
       finalWorkspaces = Array.from(new Set([currentWorkspaceId]));
     }
 
-    const renamedQuery = renameKeys<Omit<SavedObjectsFindOptions, 'ACLSearchParams'>, any>(
-      renameMap,
-      {
-        ...options,
-        ...(finalWorkspaces
-          ? {
-              workspaces: finalWorkspaces,
-            }
-          : {}),
-      }
-    );
+    const renamedQuery = renameKeys<SavedObjectsFindOptions, any>(renameMap, {
+      ...options,
+      ...(finalWorkspaces
+        ? {
+            workspaces: finalWorkspaces,
+          }
+        : {}),
+    });
     const query = pick.apply(null, [renamedQuery, ...Object.values<string>(renameMap)]) as Partial<
       Record<string, any>
     >;

@@ -322,6 +322,11 @@ export {
   importSavedObjectsFromStream,
   resolveSavedObjectsImportErrors,
   SavedObjectsDeleteByWorkspaceOptions,
+  ACL,
+  Principals,
+  TransformedPermission,
+  PrincipalType,
+  Permissions,
 } from './saved_objects';
 
 export {

@@ -84,3 +84,11 @@ export {
 
 export { savedObjectsConfig, savedObjectsMigrationConfig } from './saved_objects_config';
 export { SavedObjectTypeRegistry, ISavedObjectTypeRegistry } from './saved_objects_type_registry';
+
+export {
+  Permissions,
+  ACL,
+  Principals,
+  TransformedPermission,
+  PrincipalType,
+} from './permission_control/acl';
@@ -823,6 +823,7 @@ export class SavedObjectsRepository {
       filter,
       preference,
       workspaces,
+      ACLSearchParams,
     } = options;
 
     if (!type && !typeToNamespacesMap) {
@@ -897,6 +898,7 @@ export class SavedObjectsRepository {
           hasReference,
           kueryNode,
           workspaces,
+          ACLSearchParams,
         }),
       },
     };

@@ -646,6 +646,79 @@ describe('#getQueryParams', () => {
         });
       });
     });
+
+    describe('when using ACLSearchParams search', () => {
+      it('no ACLSearchParams provided', () => {
+        const result: Result = getQueryParams({
+          registry,
+          ACLSearchParams: {},
+        });
+        expect(result.query.bool.filter[1]).toEqual(undefined);
+      });
+
+      it('workspaces provided in ACLSearchParams', () => {
+        const result: Result = getQueryParams({
+          registry,
+          ACLSearchParams: {
+            workspaces: ['foo'],
+          },
+        });
+        expect(result.query.bool.filter[1]).toEqual({
+          bool: { should: [{ terms: { workspaces: ['foo'] } }] },
+        });
+      });
+
+      it('principals and permissionModes provided in ACLSearchParams', () => {
+        const result: Result = getQueryParams({
+          registry,
+          ACLSearchParams: {
+            principals: {
+              users: ['user-foo'],
+              groups: ['group-foo'],
+            },
+            permissionModes: ['read'],
+          },
+        });
+        expect(result.query.bool.filter[1]).toEqual({
+          bool: {
+            should: [
+              {
+                bool: {
+                  filter: [
+                    {
+                      bool: {
+                        should: [
+                          {
+                            terms: {
+                              'permissions.read.users': ['user-foo'],
+                            },
+                          },
+                          {
+                            term: {
+                              'permissions.read.users': '*',
+                            },
+                          },
+                          {
+                            terms: {
+                              'permissions.read.groups': ['group-foo'],
+                            },
+                          },
+                          {
+                            term: {
+                              'permissions.read.groups': '*',
+                            },
+                          },
+                        ],
+                      },
+                    },
+                  ],
+                },
+              },
+            ],
+          },
+        });
+      });
+    });
   });
 
   describe('namespaces property', () => {

@@ -34,6 +34,8 @@ type KueryNode = any;
 
 import { ISavedObjectTypeRegistry } from '../../../saved_objects_type_registry';
 import { ALL_NAMESPACES_STRING, DEFAULT_NAMESPACE_STRING } from '../utils';
+import { SavedObjectsFindOptions } from '../../../types';
+import { ACL } from '../../../permission_control/acl';
 
 /**
  * Gets the types based on the type. Uses mappings to support
@@ -166,6 +168,7 @@ interface QueryParams {
   hasReference?: HasReferenceQueryParams;
   kueryNode?: KueryNode;
   workspaces?: string[];
+  ACLSearchParams?: SavedObjectsFindOptions['ACLSearchParams'];
 }
 
 export function getClauseForReference(reference: HasReferenceQueryParams) {
@@ -223,6 +226,7 @@ export function getQueryParams({
   hasReference,
   kueryNode,
   workspaces,
+  ACLSearchParams,
 }: QueryParams) {
   const types = getTypes(
     registry,
@@ -279,7 +283,59 @@ export function getQueryParams({
     }
   }
 
-  return { query: { bool } };
+  const result = { query: { bool } };
+
+  if (ACLSearchParams) {
+    const shouldClause: any = [];
+    if (ACLSearchParams.permissionModes?.length && ACLSearchParams.principals) {
+      const permissionDSL = ACL.generateGetPermittedSavedObjectsQueryDSL(
+        ACLSearchParams.permissionModes,
+        ACLSearchParams.principals
+      );
+      shouldClause.push(permissionDSL.query);
+    }
+
+    if (ACLSearchParams.workspaces?.length) {
+      shouldClause.push({
+        terms: {
+          workspaces: ACLSearchParams.workspaces,
+        },
+      });
+    }
+
+    if (shouldClause.length) {
+      bool.filter.push({
+        bool: {
+          should: [
+            /**
+             * Return those objects without workspaces field and permissions field to keep find find API backward compatible
+             */
+            {
+              bool: {
+                must_not: [
+                  {
+                    exists: {
+                      field: 'workspaces',
+                    },
+                  },
+                  {
+                    exists: {
+                      field: 'permissions',
+                    },
+                  },
+                ],
+              },
+            },
+            ...shouldClause,
+          ],
+        },
+      });
+    }
+
+    return result;
+  }
+
+  return result;
 }
 
 // we only want to add match_phrase_prefix clauses

@@ -34,6 +34,7 @@ import { IndexMapping } from '../../../mappings';
 import { getQueryParams } from './query_params';
 import { getSortingParams } from './sorting_params';
 import { ISavedObjectTypeRegistry } from '../../../saved_objects_type_registry';
+import { SavedObjectsFindOptions } from '../../../types';
 
 type KueryNode = any;
 
@@ -53,6 +54,7 @@ interface GetSearchDslOptions {
   };
   kueryNode?: KueryNode;
   workspaces?: string[];
+  ACLSearchParams?: SavedObjectsFindOptions['ACLSearchParams'];
 }
 
 export function getSearchDsl(
@@ -73,6 +75,7 @@ export function getSearchDsl(
     hasReference,
     kueryNode,
     workspaces,
+    ACLSearchParams,
   } = options;
 
   if (!type) {
@@ -96,6 +99,7 @@ export function getSearchDsl(
       hasReference,
       kueryNode,
       workspaces,
+      ACLSearchParams,
     }),
     ...getSortingParams(mappings, type, sortField, sortOrder),
   };

@@ -45,6 +45,7 @@ export {
 } from './import/types';
 
 import { SavedObject } from '../../types';
+import { Principals } from './permission_control/acl';
 
 type KueryNode = any;
 
@@ -112,6 +113,14 @@ export interface SavedObjectsFindOptions {
   preference?: string;
   /** If specified, will only retrieve objects that are in the workspaces */
   workspaces?: string[];
+  /**
+   * The params here will be combined with bool clause and is used for filtering with ACL structure.
+   */
+  ACLSearchParams?: {
+    workspaces?: string[];
+    principals?: Principals;
+    permissionModes?: string[];
+  };
 }
 
 /**

@@ -9,3 +9,10 @@ export const WORKSPACE_FATAL_ERROR_APP_ID = 'workspace_fatal_error';
 export const WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID = 'workspace';
 export const WORKSPACE_CONFLICT_CONTROL_SAVED_OBJECTS_CLIENT_WRAPPER_ID =
   'workspace_conflict_control';
+
+export enum WorkspacePermissionMode {
+  Read = 'read',
+  Write = 'write',
+  LibraryRead = 'library_read',
+  LibraryWrite = 'library_write',
+}
@@ -7,6 +7,9 @@ import { schema, TypeOf } from '@osd/config-schema';
 
 export const configSchema = schema.object({
   enabled: schema.boolean({ defaultValue: false }),
+  permission: schema.object({
+    enabled: schema.boolean({ defaultValue: true }),
+  }),
 });
 
-export type ConfigSchema = TypeOf<typeof configSchema>;
+export type WorkspacePluginConfigType = TypeOf<typeof configSchema>;