diff --git a/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java
index 877e6fd787..3f098854b2 100644
--- a/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java
@@ -24,6 +24,7 @@
import org.opensearch.common.settings.Settings;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.resolver.IndexResolverReplacer;
+import org.opensearch.security.support.ActionPatternConstants;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.WildcardMatcher;
import org.opensearch.tasks.Task;
@@ -55,15 +56,19 @@ public ProtectedIndexAccessEvaluator(final Settings settings, AuditLog auditLog)
this.auditLog = auditLog;
final List<String> indexDeniedActionPatterns = new ArrayList<String>();
- indexDeniedActionPatterns.add("indices:data/write*");
- indexDeniedActionPatterns.add("indices:admin/delete*");
- indexDeniedActionPatterns.add("indices:admin/mapping/delete*");
- indexDeniedActionPatterns.add("indices:admin/mapping/put*");
- indexDeniedActionPatterns.add("indices:admin/freeze*");
- indexDeniedActionPatterns.add("indices:admin/settings/update*");
- indexDeniedActionPatterns.add("indices:admin/aliases");
- indexDeniedActionPatterns.add("indices:admin/close*");
- indexDeniedActionPatterns.add("cluster:admin/snapshot/restore*");
+ indexDeniedActionPatterns.add(ActionPatternConstants.IndicesData.WRITE_ALL);
+ indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.DELETE_INDEX);
+ // action does not exist in OpenSearch-
+ // https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices/mapping
+ //indexDeniedActionPatterns.add("indices:admin/mapping/delete*");
+ indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.PUT_MAPPING);
+ // action does not exist in OpenSearch-
+ // https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices
+ //indexDeniedActionPatterns.add("indices:admin/freeze*");
+ indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.UPDATE_SETTINGS);
+ indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.ALIASES);
+ indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.CLOSE);
+ indexDeniedActionPatterns.add(ActionPatternConstants.ClusterOperations.SNAPSHOT_RESTORE);
this.deniedActionMatcher = WildcardMatcher.from(indexDeniedActionPatterns);
}
diff --git a/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java
index 99828f7b17..a56497b08f 100644
--- a/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java
@@ -38,12 +38,19 @@
import org.opensearch.action.ActionRequest;
import org.opensearch.action.RealtimeRequest;
+import org.opensearch.action.admin.cluster.snapshots.restore.RestoreSnapshotAction;
+import org.opensearch.action.admin.indices.alias.IndicesAliasesAction;
+import org.opensearch.action.admin.indices.close.CloseIndexAction;
+import org.opensearch.action.admin.indices.delete.DeleteIndexAction;
+import org.opensearch.action.admin.indices.mapping.put.PutMappingAction;
+import org.opensearch.action.admin.indices.settings.put.UpdateSettingsAction;
import org.opensearch.action.search.SearchRequest;
import org.opensearch.common.settings.Settings;
import org.opensearch.indices.SystemIndexRegistry;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.resolver.IndexResolverReplacer;
import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
+import org.opensearch.security.support.ActionPatternConstants;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.WildcardMatcher;
import org.opensearch.security.user.User;
@@ -71,6 +78,9 @@ public class SystemIndexAccessEvaluator {
private final boolean isSystemIndexEnabled;
private final boolean isSystemIndexPermissionEnabled;
private final static ImmutableSet<String> SYSTEM_INDEX_PERMISSION_SET = ImmutableSet.of(ConfigConstants.SYSTEM_INDEX_PERMISSION);
+ // Pattern for all actions like indices:data/write/index, indices:data/write/bulk, indices:data/write/delete,
+ // indices:data/write/reindex, etc
+ public static final String INDICES_DATA_WRITE_ALL_ACTIONS_PATTERN = "indices:data/write/*";
public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, IndexResolverReplacer irr) {
this.securityIndex = settings.get(
@@ -97,8 +107,8 @@ public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, In
final List<String> deniedActionPatternsList = deniedActionPatterns();
final List<String> deniedActionPatternsListNoSnapshot = new ArrayList<>(deniedActionPatternsList);
- deniedActionPatternsListNoSnapshot.add("indices:admin/close*");
- deniedActionPatternsListNoSnapshot.add("cluster:admin/snapshot/restore*");
+ deniedActionPatternsListNoSnapshot.add(CloseIndexAction.NAME + "*"); // "indices:admin/close*"
+ deniedActionPatternsListNoSnapshot.add(RestoreSnapshotAction.NAME + "*"); // "cluster:admin/snapshot/restore*"
deniedActionsMatcher = WildcardMatcher.from(
restoreSecurityIndexEnabled ? deniedActionPatternsList : deniedActionPatternsListNoSnapshot
@@ -111,13 +121,17 @@ public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, In
private static List<String> deniedActionPatterns() {
final List<String> securityIndexDeniedActionPatternsList = new ArrayList<>();
- securityIndexDeniedActionPatternsList.add("indices:data/write*");
- securityIndexDeniedActionPatternsList.add("indices:admin/delete*");
- securityIndexDeniedActionPatternsList.add("indices:admin/mapping/delete*");
- securityIndexDeniedActionPatternsList.add("indices:admin/mapping/put*");
- securityIndexDeniedActionPatternsList.add("indices:admin/freeze*");
- securityIndexDeniedActionPatternsList.add("indices:admin/settings/update*");
- securityIndexDeniedActionPatternsList.add("indices:admin/aliases");
+ securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesData.WRITE_ALL); // "indices:data/write*"
+ securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesAdmin.DELETE_INDEX); // "indices:admin/delete*"
+ // action does not exist in OpenSearch-
+ // https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices/mapping
+ // securityIndexDeniedActionPatternsList.add("indices:admin/mapping/delete*");
+ securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesAdmin.PUT_MAPPING); // indices:admin/mapping/put*
+ // action does not exist in OpenSearch-
+ // https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices
+ // securityIndexDeniedActionPatternsList.add("indices:admin/freeze*");
+ securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesAdmin.UPDATE_SETTINGS); // "indices:admin/settings/update*"
+ securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesAdmin.ALIASES); // "indices:admin/aliases"
return securityIndexDeniedActionPatternsList;
}
diff --git a/src/main/java/org/opensearch/security/support/ActionPatternConstants.java b/src/main/java/org/opensearch/security/support/ActionPatternConstants.java
new file mode 100644
index 0000000000..3d201e930a
--- /dev/null
+++ b/src/main/java/org/opensearch/security/support/ActionPatternConstants.java
@@ -0,0 +1,130 @@
+package org.opensearch.security.support;
+
+import org.opensearch.action.admin.cluster.shards.ClusterSearchShardsAction;
+import org.opensearch.action.admin.cluster.snapshots.restore.RestoreSnapshotAction;
+import org.opensearch.action.admin.indices.alias.IndicesAliasesAction;
+import org.opensearch.action.admin.indices.alias.get.GetAliasesAction;
+import org.opensearch.action.admin.indices.close.CloseIndexAction;
+import org.opensearch.action.admin.indices.create.AutoCreateAction;
+import org.opensearch.action.admin.indices.delete.DeleteIndexAction;
+import org.opensearch.action.admin.indices.mapping.get.GetFieldMappingsAction;
+import org.opensearch.action.admin.indices.mapping.put.PutMappingAction;
+import org.opensearch.action.admin.indices.resolve.ResolveIndexAction;
+import org.opensearch.action.admin.indices.settings.get.GetSettingsAction;
+import org.opensearch.action.admin.indices.settings.put.UpdateSettingsAction;
+import org.opensearch.action.admin.indices.stats.IndicesStatsAction;
+import org.opensearch.action.admin.indices.upgrade.post.UpgradeAction;
+import org.opensearch.action.search.SearchAction;
+import org.opensearch.action.index.IndexAction;
+import org.opensearch.action.delete.DeleteAction;
+import org.opensearch.action.search.SearchScrollAction;
+import org.opensearch.action.bulk.BulkAction;
+import org.opensearch.action.get.MultiGetAction;
+import org.opensearch.action.search.MultiSearchAction;
+import org.opensearch.action.termvectors.MultiTermVectorsAction;
+import org.opensearch.action.update.UpdateAction;
+import org.opensearch.action.admin.indices.create.CreateIndexAction;
+import org.opensearch.action.admin.indices.mapping.put.AutoPutMappingAction;
+import org.opensearch.index.reindex.ReindexAction;
+import org.opensearch.script.mustache.RenderSearchTemplateAction;
+
+/**
+ * Constants defining patterns for various OpenSearch actions.
+ * These patterns are used for permission checking and action filtering.
+ */
+public final class ActionPatternConstants {
+
+ private ActionPatternConstants() {
+ // Prevent instantiation
+ }
+ /**
+ * Constants for index data operations (read/write)
+ */
+ public static final class IndicesData {
+ /** Pattern matching all write operations on indices */
+ public static final String WRITE_ALL = "indices:data/write/*";
+ /** Pattern matching all read operations on indices */
+ public static final String READ_ALL = "indices:data/read/*";
+
+ private IndicesData() {}
+ }
+
+ /**
+ * Constants for index administration operations
+ */
+ public static final class IndicesAdmin {
+ public static final String DELETE_INDEX = DeleteIndexAction.NAME + "*";
+ public static final String PUT_MAPPING = PutMappingAction.NAME + "*";
+ public static final String UPDATE_SETTINGS = UpdateSettingsAction.NAME + "*";
+ public static final String ALIASES = IndicesAliasesAction.NAME;
+ public static final String CLOSE = CloseIndexAction.NAME + "*";
+ public static final String GET_FIELD_MAPPINGS = GetFieldMappingsAction.NAME + "*";
+ public static final String GET_ALIASES = GetAliasesAction.NAME + "*";
+ public static final String RESOLVE_INDEX = ResolveIndexAction.NAME + "*";
+ public static final String UPGRADE = UpgradeAction.NAME + "*";
+ public static final String AUTO_CREATE = AutoCreateAction.NAME;
+ public static final String AUTO_PUT_MAPPING = AutoPutMappingAction.NAME;
+ public static final String CREATE_INDEX = CreateIndexAction.NAME;
+
+ private IndicesAdmin() {}
+ }
+
+ /**
+ * Constants for cluster-level operations
+ */
+ public static final class ClusterOperations {
+ public static final String SNAPSHOT_RESTORE = RestoreSnapshotAction.NAME + "*";
+ public static final String BASE_PATTERN = "cluster:";
+
+ private ClusterOperations() {}
+ }
+
+ /**
+ * Constants for monitoring operations
+ */
+ public static final class MonitorOperations {
+ public static final String GET_SETTINGS = GetSettingsAction.NAME + "*";
+ public static final String STATS = IndicesStatsAction.NAME + "*";
+
+ private MonitorOperations() {}
+ }
+
+ /**
+ * Constants for search-related operations
+ */
+ public static final class SearchOperations {
+ public static final String SEARCH = SearchAction.NAME;
+ public static final String SCROLL = SearchScrollAction.NAME;
+ public static final String MULTI_SEARCH = MultiSearchAction.NAME;
+ public static final String RENDER_TEMPLATE = RenderSearchTemplateAction.NAME;
+
+ public static final String SEARCH_SHARDS = ClusterSearchShardsAction.NAME + "*";
+
+ private SearchOperations() {}
+ }
+
+ /**
+ * Constants for document-level operations
+ */
+ public static final class DocumentOperations {
+ public static final String INDEX = IndexAction.NAME;
+ public static final String DELETE = DeleteAction.NAME;
+ public static final String BULK = BulkAction.NAME;
+ public static final String MULTI_GET = MultiGetAction.NAME;
+ public static final String MULTI_TERM_VECTORS = MultiTermVectorsAction.NAME;
+ public static final String REINDEX = ReindexAction.NAME;
+ public static final String UPDATE = UpdateAction.NAME;
+
+ private DocumentOperations() {}
+ }
+
+ /**
+ * Constants for template-related operations
+ */
+ public static final class TemplateOperations {
+ public static final String ADMIN_TEMPLATE = "indices:admin/template/";
+ public static final String ADMIN_INDEX_TEMPLATE = "indices:admin/index_template/";
+
+ private TemplateOperations() {}
+ }
+}