
Commit 6446268

Separate config option to enable restapi: permissions (opensearch-project#2605)
Added config settings plugins.security.restapi.admin.enabled which enables/disables :resapi permissions. Default is false Signed-off-by: Andrey Pleskach <ples@aiven.io>
1 parent 4988a74 commit 6446268

12 files changed

Lines changed: 83 additions & 55 deletions

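--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1027,7 +1027,8 @@ public List<Setting<?>> getSettings() {
 // OpenSearch Security - REST API
 settings.add(Setting.listSetting(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here
 settings.add(Setting.groupSetting(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Property.NodeScope));
-
+settings.add(Setting.boolSetting(ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED, false, Property.NodeScope, Property.Filtered));
+
 settings.add(Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Property.NodeScope, Property.Filtered));
 settings.add(Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Property.NodeScope, Property.Filtered));
 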
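Review bot: The new setting is registered with `Property.Filtered`, while the sibling `SECURITY_RESTAPI_ROLES_ENABLED` line two lines above is explicitly commented `//not filtered here`; this flag is an on/off switch rather than a secret, and filtering it hides from the cluster settings API whether REST API admin permissions are active on a node, which operators may want to verify. If filtering is intentional, a short comment on the line saying why would stop a later cleanup from "fixing" it. `getSettings()` begins before this hunk.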

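--- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
@@ -66,6 +66,8 @@
 import org.opensearch.security.user.User;
 import org.opensearch.threadpool.ThreadPool;
 
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
+
 public abstract class AbstractApiAction extends BaseRestHandler {
 
 protected final Logger log = LogManager.getLogger(this.getClass());
@@ -94,7 +96,9 @@ protected AbstractApiAction(final Settings settings, final Path configPath, fina
 this.restApiPrivilegesEvaluator = new RestApiPrivilegesEvaluator(settings, adminDNs, evaluator,
 principalExtractor, configPath, threadPool);
 this.restApiAdminPrivilegesEvaluator =
-new RestApiAdminPrivilegesEvaluator(threadPool.getThreadContext(), evaluator, adminDNs);
+new RestApiAdminPrivilegesEvaluator(
+threadPool.getThreadContext(), evaluator, adminDNs,
+settings.getAsBoolean(SECURITY_RESTAPI_ADMIN_ENABLED, false));
 this.auditLog = auditLog;
 }
 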
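Review bot: The default `false` in `settings.getAsBoolean(SECURITY_RESTAPI_ADMIN_ENABLED, false)` duplicates the default registered via `Setting.boolSetting(..., false, ...)` in OpenSearchSecurityPlugin, so the two can silently drift if either is edited later. Declaring the `Setting<Boolean>` once as a shared constant and reading it here through that setting object would keep a single source of truth for this security-relevant default. The enclosing `AbstractApiAction` constructor begins before this hunk.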

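--- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
@@ -29,6 +29,8 @@
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.User;
 
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
+
 public class RestApiAdminPrivilegesEvaluator {
 
 protected final Logger logger = LogManager.getLogger(RestApiAdminPrivilegesEvaluator.class);
@@ -85,13 +87,17 @@ default String build() {
 
 private final AdminDNs adminDNs;
 
+private final boolean restapiAdminEnabled;
+
 public RestApiAdminPrivilegesEvaluator(
 final ThreadContext threadContext,
 final PrivilegesEvaluator privilegesEvaluator,
-final AdminDNs adminDNs) {
+final AdminDNs adminDNs,
+final boolean restapiAdminEnabled) {
 this.threadContext = threadContext;
 this.privilegesEvaluator = privilegesEvaluator;
 this.adminDNs = adminDNs;
+this.restapiAdminEnabled = restapiAdminEnabled;
 }
 
 public boolean isCurrentUserRestApiAdminFor(final Endpoint endpoint, final String action) {
@@ -108,20 +114,31 @@ public boolean isCurrentUserRestApiAdminFor(final Endpoint endpoint, final Strin
 return true;
 }
 if (!ENDPOINTS_WITH_PERMISSIONS.containsKey(endpoint)) {
-if (logger.isDebugEnabled()) {
-logger.debug("No permission found for {} endpoint", endpoint);
-}
+logger.debug("No permission found for {} endpoint", endpoint);
 return false;
 }
 final String permission = ENDPOINTS_WITH_PERMISSIONS.get(endpoint).build(action);
-if (logger.isDebugEnabled()) {
-logger.debug("Checking permission {} for endpoint {}", permission, endpoint);
-}
-return privilegesEvaluator.hasRestAdminPermissions(
+final boolean hasAccess = privilegesEvaluator.hasRestAdminPermissions(
 userAndRemoteAddress.getLeft(),
 userAndRemoteAddress.getRight(),
 permission
 );
+if (logger.isDebugEnabled()) {
+logger.debug(
+"User {} with permission {} {} access to endpoint {}",
+userAndRemoteAddress.getLeft().getName(),
+permission,
+hasAccess ? "has" : "has no",
+endpoint
+);
+logger.debug(
+"{} set to {}. {} use access decision",
+SECURITY_RESTAPI_ADMIN_ENABLED,
+restapiAdminEnabled,
+restapiAdminEnabled ? "Will" : "Will not"
+);
+}
+return hasAccess && restapiAdminEnabled;
 }
 
 public boolean containsRestApiAdminPermissions(final Object configObject) {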
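Review bot: The `restapiAdminEnabled` switch is applied only on the last line, `return hasAccess && restapiAdminEnabled;`, so with the feature disabled (the default) the evaluator still runs `privilegesEvaluator.hasRestAdminPermissions(...)` and emits two debug lines per request before denying. Checking the flag first keeps the method fail-closed and avoids the wasted evaluation: `if (!restapiAdminEnabled) { logger.debug("{} is false, REST API admin permissions are disabled", SECURITY_RESTAPI_ADMIN_ENABLED); return false; }` placed before the `ENDPOINTS_WITH_PERMISSIONS` lookup. The `return true;` at the top of the hunk is reached before the flag is consulted; its condition lies outside this hunk, and if it is the admin-certificate path that is presumably intended, but the method's Javadoc should say that the flag does not gate it. The retained `isDebugEnabled()` guard around the new log block is also inconsistent with dropping the same guard above `"No permission found for {} endpoint"`; pick one convention. `isCurrentUserRestApiAdminFor` starts in the previous hunk, outside this one.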

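--- a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsAction.java
@@ -72,8 +72,6 @@ public class SecuritySSLCertsAction extends AbstractApiAction {
 
 private final boolean certificatesReloadEnabled;
 
-private final RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator;
-
 private final boolean httpsEnabled;
 
 public SecuritySSLCertsAction(final Settings settings,
@@ -91,8 +89,6 @@ public SecuritySSLCertsAction(final Settings settings,
 final boolean certificatesReloadEnabled) {
 super(settings, configPath, controller, client, adminDNs, cl, cs, principalExtractor, privilegesEvaluator, threadPool, auditLog);
 this.securityKeyStore = securityKeyStore;
-this.restApiAdminPrivilegesEvaluator =
-new RestApiAdminPrivilegesEvaluator(threadPool.getThreadContext(), privilegesEvaluator, adminDNs);
 this.certificatesReloadEnabled = certificatesReloadEnabled;
 this.httpsEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true);
 }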

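--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -248,11 +248,11 @@ public enum RolesMappingResolution {
 public static final String SECURITY_DLS_MODE = "plugins.security.dls.mode";
 // REST API
 public static final String SECURITY_RESTAPI_ROLES_ENABLED = "plugins.security.restapi.roles_enabled";
+public static final String SECURITY_RESTAPI_ADMIN_ENABLED = "plugins.security.restapi.admin.enabled";
 public static final String SECURITY_RESTAPI_ENDPOINTS_DISABLED = "plugins.security.restapi.endpoints_disabled";
 public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = "plugins.security.restapi.password_validation_regex";
 public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = "plugins.security.restapi.password_validation_error_message";
 
-// Illegal Opcodes from here on
 public static final String SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = "plugins.security.unsupported.disable_rest_auth_initially";
 public static final String SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = "plugins.security.unsupported.disable_intertransport_auth_initially";
 public static final String SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY = "plugins.security.unsupported.passive_intertransport_auth_initially";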
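Review bot: Besides adding the constant, this hunk appears to remove the `// Illegal Opcodes from here on` marker above the `SECURITY_UNSUPPORTED_*` constants, which looks unrelated to the commit and loses the cue that the settings below it are unsupported; confirm the removal is intended. The new constant would also benefit from a one-line comment stating its contract, e.g. `// Gates evaluation of restapi: permissions for REST API admin users; unset means disabled (deny)`.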

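--- a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java
@@ -29,6 +29,7 @@
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 
 public class ActionGroupsApiTest extends AbstractRestApiUnitTest {
 private final String ENDPOINT;
@@ -362,7 +363,7 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean userAdminCert
 
 @Test
 public void testActionGroupsApiForRestAdmin() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 rh.sendAdminCertificate = false;
 // create index
 setupStarfleetIndex();
@@ -380,7 +381,7 @@ public void testActionGroupsApiForRestAdmin() throws Exception {
 
 @Test
 public void testActionGroupsApiForActionGroupsRestApiAdmin() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 rh.sendAdminCertificate = false;
 // create index
 setupStarfleetIndex();
@@ -398,7 +399,7 @@ public void testActionGroupsApiForActionGroupsRestApiAdmin() throws Exception {
 
 @Test
 public void testCreateActionGroupWithRestAdminPermissionsForbidden() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 rh.sendAdminCertificate = false;
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
 final Header restApiAdminActionGroupsHeader = encodeBasicHeader("rest_api_admin_actiongroups", "rest_api_admin_actiongroups");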
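Review bot: Every test touched here (and in AllowlistApiTest, NodesDnApiTest, RolesApiTest and RolesMappingApiTest) now sets `SECURITY_RESTAPI_ADMIN_ENABLED` to `true`, so nothing in the commit exercises the new default path where the setting is absent and a user holding `restapi:` permissions must be denied. That default-deny behaviour is the security property this change introduces, and a single test that calls the plain `setupWithRestRoles()`, sets `rh.sendAdminCertificate = false;` and asserts a forbidden response for `rest_api_admin_user` would pin it. The test method bodies continue past each hunk.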

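--- a/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AllowlistApiTest.java
@@ -37,6 +37,7 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 
 /**
 * Testing class to verify that {@link AllowlistApiAction} works correctly.
@@ -158,7 +159,7 @@ public void testAllowlistApi() throws Exception {
 
 @Test
 public void testAllowlistApiWithPermissions() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
 final Header restApiAllowlistHeader = encodeBasicHeader("rest_api_admin_allowlist", "rest_api_admin_allowlist");
@@ -170,7 +171,7 @@ public void testAllowlistApiWithPermissions() throws Exception {
 
 @Test
 public void testAllowlistApiWithAllowListPermissions() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 
 final Header restApiAllowlistHeader = encodeBasicHeader("rest_api_admin_allowlist", "rest_api_admin_allowlist");
 final Header restApiUserHeader = encodeBasicHeader("test", "test");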

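--- a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
@@ -37,6 +37,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 
 public class NodesDnApiTest extends AbstractRestApiUnitTest {
 private HttpResponse response;
@@ -184,7 +185,10 @@ public void testNodesDnApi() throws Exception {
 
 @Test
 public void testNodesDnApiWithPermissions() throws Exception {
-Settings settings = Settings.builder().put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true)
+Settings settings =
+Settings.builder()
+.put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true)
+.put(SECURITY_RESTAPI_ADMIN_ENABLED, true)
 .build();
 setupWithRestRoles(settings);
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");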

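--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java
@@ -31,6 +31,7 @@
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 
 public class RolesApiTest extends AbstractRestApiUnitTest {
 private final String ENDPOINT;
@@ -77,15 +78,17 @@ public void testAllRolesForSuperAdmin() throws Exception {
 
 @Test
 public void testAllRolesForRestAdmin() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
+rh.sendAdminCertificate = false;
 checkSuperAdminRoles(new Header[]{restApiAdminHeader});
 }
 
 @Test
 public void testAllRolesForRolesRestAdmin() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 final Header restApiAdminRolesHeader = encodeBasicHeader("rest_api_admin_roles", "rest_api_admin_roles");
+rh.sendAdminCertificate = false;
 checkSuperAdminRoles(new Header[]{restApiAdminRolesHeader});
 }
 
@@ -519,7 +522,7 @@ void verifyPatchForSuperAdmin(final Header[] header, final boolean sendAdminCert
 
 @Test
 public void testRolesApiWithAllRestApiPermissions() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
 
@@ -539,7 +542,7 @@ public void testRolesApiWithAllRestApiPermissions() throws Exception {
 
 @Test
 public void testRolesApiWithRestApiRolePermission() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 
 final Header restApiRolesHeader = encodeBasicHeader("rest_api_admin_roles", "rest_api_admin_roles");
 
@@ -560,7 +563,7 @@ public void testRolesApiWithRestApiRolePermission() throws Exception {
 
 @Test
 public void testCreateOrUpdateRestApiAdminRoleForbiddenForNonSuperAdmin() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 rh.sendAdminCertificate = false;
 
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
@@ -632,7 +635,7 @@ public void testCreateOrUpdateRestApiAdminRoleForbiddenForNonSuperAdmin() throws
 
 @Test
 public void testDeleteRestApiAdminRoleForbiddenForNonSuperAdmin() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 rh.sendAdminCertificate = false;
 
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");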

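--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java
@@ -29,6 +29,7 @@
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 
 public class RolesMappingApiTest extends AbstractRestApiUnitTest {
 private final String ENDPOINT;
@@ -98,7 +99,7 @@ public void testRolesMappingApi() throws Exception {
 
 @Test
 public void testRolesMappingApiWithFullPermissions() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 rh.sendAdminCertificate = false;
 
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
@@ -466,7 +467,7 @@ void verifyNonSuperAdminUser(final Header[] header) throws Exception {
 
 @Test
 public void testChangeRestApiAdminRoleMappingForbiddenForNonSuperAdmin() throws Exception {
-setupWithRestRoles();
+setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
 rh.sendAdminCertificate = false;
 
 final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");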
