Remove hard coded action names, pull from core instead #4978

Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
import org.opensearch.common.settings.Settings;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.resolver.IndexResolverReplacer;
import org.opensearch.security.support.ActionPatternConstants;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.WildcardMatcher;
import org.opensearch.tasks.Task;
Expand Down Expand Up @@ -55,15 +56,19 @@ public ProtectedIndexAccessEvaluator(final Settings settings, AuditLog auditLog)
this.auditLog = auditLog;

final List<String> indexDeniedActionPatterns = new ArrayList<String>();
indexDeniedActionPatterns.add("indices:data/write*");
indexDeniedActionPatterns.add("indices:admin/delete*");
indexDeniedActionPatterns.add("indices:admin/mapping/delete*");
indexDeniedActionPatterns.add("indices:admin/mapping/put*");
indexDeniedActionPatterns.add("indices:admin/freeze*");
indexDeniedActionPatterns.add("indices:admin/settings/update*");
indexDeniedActionPatterns.add("indices:admin/aliases");
indexDeniedActionPatterns.add("indices:admin/close*");
indexDeniedActionPatterns.add("cluster:admin/snapshot/restore*");
indexDeniedActionPatterns.add(ActionPatternConstants.IndicesData.WRITE_ALL);
indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.DELETE_INDEX);
// action does not exist in OpenSearch-
// https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices/mapping
//indexDeniedActionPatterns.add("indices:admin/mapping/delete*");
indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.PUT_MAPPING);
// action does not exist in OpenSearch-
// https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices
//indexDeniedActionPatterns.add("indices:admin/freeze*");
indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.UPDATE_SETTINGS);
indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.ALIASES);
indexDeniedActionPatterns.add(ActionPatternConstants.IndicesAdmin.CLOSE);
indexDeniedActionPatterns.add(ActionPatternConstants.ClusterOperations.SNAPSHOT_RESTORE);
this.deniedActionMatcher = WildcardMatcher.from(indexDeniedActionPatterns);
}

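Review bot: `ActionPatternConstants.IndicesData.WRITE_ALL` at L59 is `"indices:data/write/*"` according to the new constants file, which is narrower than the `"indices:data/write*"` literal it replaces, so this is a deny-list change rather than a pure refactor and deserves a comment at the call site such as `// WRITE_ALL has a '/' before the wildcard; intentional, all core write actions live under indices:data/write/`. The two entries dropped as non-existent in OpenSearch (mapping/delete at L63, freeze at L67) should be deleted outright with a one-line reason instead of kept as commented-out code pointing at a tree URL that will move; a deny-list entry that is never matched costs nothing but would still cover a plugin registering such a name, so state which trade-off was chosen. The constructor body begins outside the hunk.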
Original file line number Diff line number Diff line change
Expand Up @@ -38,12 +38,19 @@

import org.opensearch.action.ActionRequest;
import org.opensearch.action.RealtimeRequest;
import org.opensearch.action.admin.cluster.snapshots.restore.RestoreSnapshotAction;
import org.opensearch.action.admin.indices.alias.IndicesAliasesAction;
import org.opensearch.action.admin.indices.close.CloseIndexAction;
import org.opensearch.action.admin.indices.delete.DeleteIndexAction;
import org.opensearch.action.admin.indices.mapping.put.PutMappingAction;
import org.opensearch.action.admin.indices.settings.put.UpdateSettingsAction;
import org.opensearch.action.search.SearchRequest;
import org.opensearch.common.settings.Settings;
import org.opensearch.indices.SystemIndexRegistry;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.resolver.IndexResolverReplacer;
import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
import org.opensearch.security.support.ActionPatternConstants;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.WildcardMatcher;
import org.opensearch.security.user.User;
Expand Down Expand Up @@ -71,6 +78,9 @@ public class SystemIndexAccessEvaluator {
private final boolean isSystemIndexEnabled;
private final boolean isSystemIndexPermissionEnabled;
private final static ImmutableSet<String> SYSTEM_INDEX_PERMISSION_SET = ImmutableSet.of(ConfigConstants.SYSTEM_INDEX_PERMISSION);
// Pattern for all actions like indices:data/write/index, indices:data/write/bulk, indices:data/write/delete,
// indices:data/write/reindex, etc
public static final String INDICES_DATA_WRITE_ALL_ACTIONS_PATTERN = "indices:data/write/*";

public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, IndexResolverReplacer irr) {
this.securityIndex = settings.get(
Expand All @@ -97,8 +107,8 @@ public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, In
final List<String> deniedActionPatternsList = deniedActionPatterns();

final List<String> deniedActionPatternsListNoSnapshot = new ArrayList<>(deniedActionPatternsList);
deniedActionPatternsListNoSnapshot.add("indices:admin/close*");
deniedActionPatternsListNoSnapshot.add("cluster:admin/snapshot/restore*");
deniedActionPatternsListNoSnapshot.add(CloseIndexAction.NAME + "*"); // "indices:admin/close*"
deniedActionPatternsListNoSnapshot.add(RestoreSnapshotAction.NAME + "*"); // "cluster:admin/snapshot/restore*"

deniedActionsMatcher = WildcardMatcher.from(
restoreSecurityIndexEnabled ? deniedActionPatternsList : deniedActionPatternsListNoSnapshot
Expand All @@ -111,13 +121,17 @@ public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, In

private static List<String> deniedActionPatterns() {
final List<String> securityIndexDeniedActionPatternsList = new ArrayList<>();
securityIndexDeniedActionPatternsList.add("indices:data/write*");
securityIndexDeniedActionPatternsList.add("indices:admin/delete*");
securityIndexDeniedActionPatternsList.add("indices:admin/mapping/delete*");
securityIndexDeniedActionPatternsList.add("indices:admin/mapping/put*");
securityIndexDeniedActionPatternsList.add("indices:admin/freeze*");
securityIndexDeniedActionPatternsList.add("indices:admin/settings/update*");
securityIndexDeniedActionPatternsList.add("indices:admin/aliases");
securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesData.WRITE_ALL); // "indices:data/write*"
securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesAdmin.DELETE_INDEX); // "indices:admin/delete*"
// action does not exist in OpenSearch-
// https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices/mapping
// securityIndexDeniedActionPatternsList.add("indices:admin/mapping/delete*");
securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesAdmin.PUT_MAPPING); // indices:admin/mapping/put*
// action does not exist in OpenSearch-
// https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices
// securityIndexDeniedActionPatternsList.add("indices:admin/freeze*");
securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesAdmin.UPDATE_SETTINGS); // "indices:admin/settings/update*"
securityIndexDeniedActionPatternsList.add(ActionPatternConstants.IndicesAdmin.ALIASES); // "indices:admin/aliases"
return securityIndexDeniedActionPatternsList;
}

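Review bot: The trailing comment on L129, `// "indices:data/write*"`, does not match the value of `ActionPatternConstants.IndicesData.WRITE_ALL`, which is `"indices:data/write/*"` in the new constants file; either correct it or drop these value comments altogether, since they will drift from the constants they annotate. L103 introduces a new hard-coded `INDICES_DATA_WRITE_ALL_ACTIONS_PATTERN` with that same value, which the stated goal of this PR argues against; reference the constant instead. L113–L114 build the close and snapshot-restore patterns from the core action names directly, so for consistency with `deniedActionPatterns()` use `deniedActionPatternsListNoSnapshot.add(ActionPatternConstants.IndicesAdmin.CLOSE);` and `deniedActionPatternsListNoSnapshot.add(ActionPatternConstants.ClusterOperations.SNAPSHOT_RESTORE);`. The imports added at L82 and L84–L86 are not used in the hunks shown; if the rest of the file does not use them they should be removed. The constructor at L107 continues outside the hunk.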
Original file line number Diff line number Diff line change
@@ -0,0 +1,130 @@
package org.opensearch.security.support;

import org.opensearch.action.admin.cluster.shards.ClusterSearchShardsAction;
import org.opensearch.action.admin.cluster.snapshots.restore.RestoreSnapshotAction;
import org.opensearch.action.admin.indices.alias.IndicesAliasesAction;
import org.opensearch.action.admin.indices.alias.get.GetAliasesAction;
import org.opensearch.action.admin.indices.close.CloseIndexAction;
import org.opensearch.action.admin.indices.create.AutoCreateAction;
import org.opensearch.action.admin.indices.delete.DeleteIndexAction;
import org.opensearch.action.admin.indices.mapping.get.GetFieldMappingsAction;
import org.opensearch.action.admin.indices.mapping.put.PutMappingAction;
import org.opensearch.action.admin.indices.resolve.ResolveIndexAction;
import org.opensearch.action.admin.indices.settings.get.GetSettingsAction;
import org.opensearch.action.admin.indices.settings.put.UpdateSettingsAction;
import org.opensearch.action.admin.indices.stats.IndicesStatsAction;
import org.opensearch.action.admin.indices.upgrade.post.UpgradeAction;
import org.opensearch.action.search.SearchAction;
import org.opensearch.action.index.IndexAction;
import org.opensearch.action.delete.DeleteAction;
import org.opensearch.action.search.SearchScrollAction;
import org.opensearch.action.bulk.BulkAction;
import org.opensearch.action.get.MultiGetAction;
import org.opensearch.action.search.MultiSearchAction;
import org.opensearch.action.termvectors.MultiTermVectorsAction;
import org.opensearch.action.update.UpdateAction;
import org.opensearch.action.admin.indices.create.CreateIndexAction;
import org.opensearch.action.admin.indices.mapping.put.AutoPutMappingAction;
import org.opensearch.index.reindex.ReindexAction;
import org.opensearch.script.mustache.RenderSearchTemplateAction;

/**
* Constants defining patterns for various OpenSearch actions.
* These patterns are used for permission checking and action filtering.
*/
public final class ActionPatternConstants {

private ActionPatternConstants() {
// Prevent instantiation
}
/**
* Constants for index data operations (read/write)
*/
public static final class IndicesData {
/** Pattern matching all write operations on indices */
public static final String WRITE_ALL = "indices:data/write/*";
/** Pattern matching all read operations on indices */
public static final String READ_ALL = "indices:data/read/*";

private IndicesData() {}
}

/**
* Constants for index administration operations
*/
public static final class IndicesAdmin {
public static final String DELETE_INDEX = DeleteIndexAction.NAME + "*";
public static final String PUT_MAPPING = PutMappingAction.NAME + "*";
public static final String UPDATE_SETTINGS = UpdateSettingsAction.NAME + "*";
public static final String ALIASES = IndicesAliasesAction.NAME;
public static final String CLOSE = CloseIndexAction.NAME + "*";
public static final String GET_FIELD_MAPPINGS = GetFieldMappingsAction.NAME + "*";
public static final String GET_ALIASES = GetAliasesAction.NAME + "*";
public static final String RESOLVE_INDEX = ResolveIndexAction.NAME + "*";
public static final String UPGRADE = UpgradeAction.NAME + "*";
public static final String AUTO_CREATE = AutoCreateAction.NAME;
public static final String AUTO_PUT_MAPPING = AutoPutMappingAction.NAME;
public static final String CREATE_INDEX = CreateIndexAction.NAME;

private IndicesAdmin() {}
}

/**
* Constants for cluster-level operations
*/
public static final class ClusterOperations {
public static final String SNAPSHOT_RESTORE = RestoreSnapshotAction.NAME + "*";
public static final String BASE_PATTERN = "cluster:";

private ClusterOperations() {}
}

/**
* Constants for monitoring operations
*/
public static final class MonitorOperations {
public static final String GET_SETTINGS = GetSettingsAction.NAME + "*";
public static final String STATS = IndicesStatsAction.NAME + "*";

private MonitorOperations() {}
}

/**
* Constants for search-related operations
*/
public static final class SearchOperations {
public static final String SEARCH = SearchAction.NAME;
public static final String SCROLL = SearchScrollAction.NAME;
public static final String MULTI_SEARCH = MultiSearchAction.NAME;
public static final String RENDER_TEMPLATE = RenderSearchTemplateAction.NAME;

public static final String SEARCH_SHARDS = ClusterSearchShardsAction.NAME + "*";

private SearchOperations() {}
}

/**
* Constants for document-level operations
*/
public static final class DocumentOperations {
public static final String INDEX = IndexAction.NAME;
public static final String DELETE = DeleteAction.NAME;
public static final String BULK = BulkAction.NAME;
public static final String MULTI_GET = MultiGetAction.NAME;
public static final String MULTI_TERM_VECTORS = MultiTermVectorsAction.NAME;
public static final String REINDEX = ReindexAction.NAME;
public static final String UPDATE = UpdateAction.NAME;

private DocumentOperations() {}
}

/**
* Constants for template-related operations
*/
public static final class TemplateOperations {
public static final String ADMIN_TEMPLATE = "indices:admin/template/";
public static final String ADMIN_INDEX_TEMPLATE = "indices:admin/index_template/";

private TemplateOperations() {}
}
}
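Review bot: The wildcard convention in this class is undocumented: `DELETE_INDEX`, `CLOSE` and most `IndicesAdmin` entries append `"*"` to the core name while `ALIASES`, `AUTO_CREATE` and `CREATE_INDEX` do not, and because these strings feed deny-lists the difference decides whether transport sub-actions whose names extend the base name (core builds some as `SomeAction.NAME + "[s]"`) are covered. Add a class-level Javadoc sentence such as `A trailing "*" makes a pattern cover every action whose name extends the core action's name (for example shard-level variants); an unsuffixed constant matches only that exact action.` `IndicesData.WRITE_ALL` and `READ_ALL` remain hand-written literals rather than being derived from core, and `WRITE_ALL` is `"indices:data/write/*"` where the call sites it replaces used `"indices:data/write*"`; document that the narrowing is intentional. `TemplateOperations` constants end in `/` with no wildcard, so whether callers are expected to append `*` should also be stated.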