opensearch-project
diff --git a/‎build.gradle‎
Lines changed: 0 additions & 1 deletion b/‎build.gradle‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎config/roles.yml‎
Lines changed: 14 additions & 1 deletion b/‎config/roles.yml‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java‎
Lines changed: 5 additions & 10 deletions b/‎src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java‎
Lines changed: 5 additions & 10 deletions
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java‎
Lines changed: 16 additions & 6 deletions b/‎src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java‎
Lines changed: 7 additions & 0 deletions b/‎src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java‎
Lines changed: 25 additions & 2 deletions b/‎src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java‎
Lines changed: 25 additions & 2 deletions
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java‎
Lines changed: 7 additions & 0 deletions b/‎src/main/java/org/opensearch/security/dlic/rest/api/AllowlistApiAction.java‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java‎
Lines changed: 7 additions & 0 deletions b/‎src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/AuthTokenProcessorAction.java‎
Lines changed: 8 additions & 0 deletions b/‎src/main/java/org/opensearch/security/dlic/rest/api/AuthTokenProcessorAction.java‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java‎
Lines changed: 2 additions & 1 deletion b/‎src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java‎
Lines changed: 2 additions & 1 deletion
@@ -289,7 +289,6 @@ configurations.all {
 }
 
 dependencies {
-    implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'
     implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"
     implementation "org.opensearch.client:opensearch-rest-high-level-client:${opensearch_version}"
     implementation 'com.google.guava:guava:30.0-jre'
 
@@ -9,7 +9,20 @@ kibana_read_only:
 # The security REST API access role is used to assign specific users access to change the security settings through the REST API.
 security_rest_api_access:
   reserved: true
- 
+
+security_rest_api_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'restapi:admin/actiongroups'
+    - 'restapi:admin/allowlist'
+    - 'restapi:admin/internalusers'
+    - 'restapi:admin/nodesdn'
+    - 'restapi:admin/roles'
+    - 'restapi:admin/rolesmapping'
+    - 'restapi:admin/ssl/certs/info'
+    - 'restapi:admin/ssl/certs/reload'
+    - 'restapi:admin/tenants'
+
 # Allows users to view monitors, destinations and alerts
 alerting_read_access:
   reserved: true
 
@@ -158,8 +158,6 @@
 import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
 import org.opensearch.security.ssl.SslExceptionHandler;
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
-import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction;
-import org.opensearch.security.ssl.rest.SecuritySSLReloadCertsAction;
 import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
 import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
@@ -473,16 +471,11 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
             if(!SSLConfig.isSslOnlyMode()) {
                 handlers.add(new SecurityInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool)));
                 handlers.add(new SecurityHealthAction(settings, restController, Objects.requireNonNull(backendRegistry)));
-                handlers.add(new SecuritySSLCertsInfoAction(settings, restController, sks, Objects.requireNonNull(threadPool), Objects.requireNonNull(adminDns)));
                 handlers.add(new DashboardsInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool)));
                 handlers.add(new TenantInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool),
                         Objects.requireNonNull(cs), Objects.requireNonNull(adminDns), Objects.requireNonNull(cr)));
-                handlers.add(new SecurityConfigUpdateAction(settings, restController,Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
-                handlers.add(new SecurityWhoAmIAction(settings ,restController,Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
-                if (sslCertReloadEnabled) {
-                    handlers.add(new SecuritySSLReloadCertsAction(settings, restController, sks, Objects.requireNonNull(threadPool), Objects.requireNonNull(adminDns)));
-                }
-
+                handlers.add(new SecurityConfigUpdateAction(settings, restController, Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
+                handlers.add(new SecurityWhoAmIAction(settings, restController, Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
                 handlers.addAll(
                         SecurityRestApiActions.getHandler(
                                 settings,
@@ -494,7 +487,9 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
                                 evaluator,
                                 threadPool,
                                 Objects.requireNonNull(auditLog),
-                                Objects.requireNonNull(userService))
+                                Objects.requireNonNull(userService),
+                                sks,
+                                sslCertReloadEnabled)
                 );
                 log.debug("Added {} rest handler(s)", handlers.size());
             }
 
@@ -75,9 +75,9 @@ public abstract class AbstractApiAction extends BaseRestHandler {
 	final ThreadPool threadPool;
 	protected String securityIndexName;
 	private final RestApiPrivilegesEvaluator restApiPrivilegesEvaluator;
+	protected final RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator;
 	protected final AuditLog auditLog;
 	protected final Settings settings;
-	private AdminDNs adminDNs;
 
 	protected AbstractApiAction(final Settings settings, final Path configPath, final RestController controller,
                                 final Client client, final AdminDNs adminDNs, final ConfigurationRepository cl,
@@ -88,12 +88,13 @@ protected AbstractApiAction(final Settings settings, final Path configPath, fina
 		this.securityIndexName = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME,
 				ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
 
-		this.adminDNs = adminDNs;
 		this.cl = cl;
 		this.cs = cs;
 		this.threadPool = threadPool;
 		this.restApiPrivilegesEvaluator = new RestApiPrivilegesEvaluator(settings, adminDNs, evaluator,
 				principalExtractor, configPath, threadPool);
+		this.restApiAdminPrivilegesEvaluator =
+				new RestApiAdminPrivilegesEvaluator(threadPool.getThreadContext(), evaluator, adminDNs);
 		this.auditLog = auditLog;
 	}
 
@@ -195,7 +196,12 @@ protected void handlePut(final RestChannel channel, final RestRequest request, f
 		}
 
 		boolean existed = existingConfiguration.exists(name);
-		existingConfiguration.putCObject(name, DefaultObjectMapper.readTree(content, existingConfiguration.getImplementingClass()));
+		final Object newContent = DefaultObjectMapper.readTree(content, existingConfiguration.getImplementingClass());
+		if (!hasPermissionsToCreate(existingConfiguration, newContent, getResourceName())) {
+			forbidden(channel, "No permissions");
+			return;
+		}
+		existingConfiguration.putCObject(name, newContent);
 
 		AbstractApiAction.saveAndUpdateConfigs(this.securityIndexName, client, getConfigName(), existingConfiguration, new OnSucessActionListener<IndexResponse>(channel) {
 
@@ -216,6 +222,12 @@ protected void handlePost(final RestChannel channel, final RestRequest request,
 		notImplemented(channel, Method.POST);
 	}
 
+	protected boolean hasPermissionsToCreate(final SecurityDynamicConfiguration<?> dynamicConfigFactory,
+											 final Object content,
+											 final String resourceName) throws IOException {
+		return false;
+	}
+
 	protected void handleGet(final RestChannel channel, RestRequest request, Client client, final JsonNode content)
 			throws IOException{
 
@@ -445,7 +457,6 @@ protected static XContentBuilder convertToJson(RestChannel channel, ToXContent t
 	}
 
 	protected void response(RestChannel channel, RestStatus status, String message) {
-
 		try {
 			final XContentBuilder builder = channel.newBuilder();
 			builder.startObject();
@@ -556,8 +567,7 @@ public String getName() {
 	protected abstract Endpoint getEndpoint();
 
 	protected boolean isSuperAdmin() {
-		User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
-		return adminDNs.isAdmin(user);
+		return restApiAdminPrivilegesEvaluator.isCurrentUserRestApiAdminFor(getEndpoint());
 	}
 
 	/**
 
@@ -83,6 +83,13 @@ public AccountApiAction(Settings settings,
         this.threadContext = threadPool.getThreadContext();
     }
 
+    @Override
+    protected boolean hasPermissionsToCreate(final SecurityDynamicConfiguration<?> dynamicConfigFactory,
+                                             final Object content,
+                                             final String resourceName) {
+        return true;
+    }
+
     @Override
     public List<Route> routes() {
         return routes;
 
@@ -118,12 +118,35 @@ protected void handlePut(RestChannel channel, RestRequest request, Client client
 
 		// Prevent the case where action group references to itself in the allowed_actions.
 		final SecurityDynamicConfiguration<?> existingActionGroupsConfig = load(getConfigName(), false);
-		existingActionGroupsConfig.putCObject(name, DefaultObjectMapper.readTree(content, existingActionGroupsConfig.getImplementingClass()));
+		final Object actionGroup = DefaultObjectMapper.readTree(content, existingActionGroupsConfig.getImplementingClass());
+		existingActionGroupsConfig.putCObject(name, actionGroup);
 		if (hasActionGroupSelfReference(existingActionGroupsConfig, name)) {
 			badRequestResponse(channel, name + " cannot be an allowed_action of itself");
 			return;
 		}
-
+		// prevent creation of groups for REST admin api
+		if (restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(actionGroup)) {
+			forbidden(channel, "Not allowed");
+			return;
+		}
 		super.handlePut(channel, request, client, content);
 	}
+
+	@Override
+	protected boolean hasPermissionsToCreate(final SecurityDynamicConfiguration<?> dynamicConfiguration,
+											 final Object content,
+											 final String resourceName) throws IOException {
+		if (restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(content)) {
+			return false;
+		}
+		return true;
+	}
+
+	@Override
+	protected boolean isReadOnly(SecurityDynamicConfiguration<?> existingConfiguration, String name) {
+		if (restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(existingConfiguration.getCEntry(name))) {
+			return true;
+		}
+		return super.isReadOnly(existingConfiguration, name);
+	}
 }
@@ -98,6 +98,13 @@ public AllowlistApiAction(final Settings settings, final Path configPath, final
         super(settings, configPath, controller, client, adminDNs, cl, cs, principalExtractor, evaluator, threadPool, auditLog);
     }
 
+    @Override
+    protected boolean hasPermissionsToCreate(final SecurityDynamicConfiguration<?> dynamicConfigFactory,
+                                             final Object content,
+                                             final String resourceName) {
+        return true;
+    }
+
     @Override
     protected void handleApiRequest(final RestChannel channel, final RestRequest request, final Client client) throws IOException {
         if (!isSuperAdmin()) {
 
@@ -165,6 +165,13 @@ public AuditApiAction(final Settings settings,
         }
     }
 
+    @Override
+    protected boolean hasPermissionsToCreate(final SecurityDynamicConfiguration<?> dynamicConfigFactory,
+                                             final Object content,
+                                             final String resourceName) {
+        return true;
+    }
+
     @Override
     public List<Route> routes() {
         return routes;
 
@@ -34,6 +34,7 @@
 import org.opensearch.security.dlic.rest.validation.NoOpValidator;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.ssl.transport.PrincipalExtractor;
 import org.opensearch.threadpool.ThreadPool;
 
@@ -53,6 +54,13 @@ public AuthTokenProcessorAction(final Settings settings, final Path configPath,
 				auditLog);
 	}
 
+	@Override
+	protected boolean hasPermissionsToCreate(final SecurityDynamicConfiguration<?> dynamicConfigFactory,
+											 final Object content,
+											 final String resourceName) {
+		return true;
+	}
+
 	@Override
 	public List<Route> routes() {
 		return routes;
 
@@ -28,5 +28,6 @@ public enum Endpoint {
     VALIDATE,
     WHITELIST,
     ALLOWLIST,
-    NODESDN;
+    NODESDN,
+    SSL;
 }
Original file line number	Diff line number	Diff line change
`@@ -289,7 +289,6 @@ configurations.all {`
`289`	`289`	`}`
`290`	`290`
`291`	`291`	`dependencies {`
`292`		`- implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'`
`293`	`292`	`implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"`
`294`	`293`	`implementation "org.opensearch.client:opensearch-rest-high-level-client:${opensearch_version}"`
`295`	`294`	`implementation 'com.google.guava:guava:30.0-jre'`
Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,13 @@ public AuditApiAction(final Settings settings,`
`165`	`165`	`}`
`166`	`166`	`}`
`167`	`167`
	`168`	`+ @Override`
	`169`	`+ protected boolean hasPermissionsToCreate(final SecurityDynamicConfiguration<?> dynamicConfigFactory,`
	`170`	`+ final Object content,`
	`171`	`+ final String resourceName) {`
	`172`	`+ return true;`
	`173`	`+ }`
	`174`	`+`
`168`	`175`	`@Override`
`169`	`176`	`public List<Route> routes() {`
`170`	`177`	`return routes;`
Original file line number	Diff line number	Diff line change
`@@ -28,5 +28,6 @@ public enum Endpoint {`
`28`	`28`	`VALIDATE,`
`29`	`29`	`WHITELIST,`
`30`	`30`	`ALLOWLIST,`
`31`		`- NODESDN;`
	`31`	`+ NODESDN,`
	`32`	`+ SSL;`
`32`	`33`	`}`