Modularized PrivilegeEvaluator

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

CHANGELOG.md

@@ -35,6 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Replace AccessController and remove restriction on word Extension ([#5750](https://github.com/opensearch-project/security/pull/5750))
 - Add security provider earlier in bootstrap process ([#5749](https://github.com/opensearch-project/security/pull/5749))
 - [GRPC] Fix compilation errors from core protobuf version bump to 0.23.0 ([#5763](https://github.com/opensearch-project/security/pull/5763))
+- Modularized PrivilegesEvaluator ([#5791](https://github.com/opensearch-project/security/pull/5791))
 
 ### Maintenance
 - Bump `org.junit.jupiter:junit-jupiter` from 5.13.4 to 5.14.1 ([#5678](https://github.com/opensearch-project/security/pull/5678), [#5764](https://github.com/opensearch-project/security/pull/5764))

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -142,6 +142,7 @@
 import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries;
 import org.opensearch.security.auditlog.impl.AuditLogImpl;
 import org.opensearch.security.auth.BackendRegistry;
+import org.opensearch.security.auth.RolesInjector;
 import org.opensearch.security.compliance.ComplianceIndexingOperationListener;
 import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl;
 import org.opensearch.security.configuration.AdminDNs;
@@ -150,7 +151,6 @@
 import org.opensearch.security.configuration.ConfigurationRepository;
 import org.opensearch.security.configuration.DlsFlsRequestValve;
 import org.opensearch.security.configuration.DlsFlsValveImpl;
-import org.opensearch.security.configuration.PrivilegesInterceptorImpl;
 import org.opensearch.security.configuration.SecurityConfigVersionHandler;
 import org.opensearch.security.configuration.SecurityFlsDlsIndexSearcherWrapper;
 import org.opensearch.security.dlic.rest.api.Endpoint;
@@ -166,12 +166,13 @@
 import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.identity.SecurePluginSubject;
 import org.opensearch.security.identity.SecurityTokenManager;
+import org.opensearch.security.privileges.ConfigurableRoleMapper;
+import org.opensearch.security.privileges.PrivilegesConfiguration;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluationException;
-import org.opensearch.security.privileges.PrivilegesEvaluator;
-import org.opensearch.security.privileges.PrivilegesInterceptor;
 import org.opensearch.security.privileges.ResourceAccessEvaluator;
 import org.opensearch.security.privileges.RestLayerPrivilegesEvaluator;
+import org.opensearch.security.privileges.RoleMapper;
 import org.opensearch.security.privileges.actionlevel.RoleBasedActionPrivileges;
 import org.opensearch.security.privileges.dlsfls.DlsFlsBaseContext;
 import org.opensearch.security.resolver.IndexResolverReplacer;
@@ -270,7 +271,8 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
 
     private boolean sslCertReloadEnabled;
     private volatile SecurityInterceptor si;
-    private volatile PrivilegesEvaluator evaluator;
+    private volatile PrivilegesConfiguration privilegesConfiguration;
+    private volatile RoleMapper roleMapper;
     private volatile UserService userService;
     private volatile RestLayerPrivilegesEvaluator restLayerEvaluator;
     private volatile ConfigurationRepository cr;
@@ -623,19 +625,25 @@ public List<RestHandler> getRestHandlers(
             // FGAC enabled == not sslOnly
             if (!SSLConfig.isSslOnlyMode()) {
                 handlers.add(
-                    new SecurityInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool))
+                    new SecurityInfoAction(
+                        settings,
+                        restController,
+                        Objects.requireNonNull(privilegesConfiguration),
+                        Objects.requireNonNull(threadPool)
+                    )
                 );
                 handlers.add(
                     new SecurityHealthAction(
                         settings,
                         restController,
                         Objects.requireNonNull(backendRegistry),
-                        Objects.requireNonNull(evaluator)
+                        Objects.requireNonNull(privilegesConfiguration)
                     )
                 );
                 handlers.add(
                     new DashboardsInfoAction(
-                        Objects.requireNonNull(evaluator),
+                        Objects.requireNonNull(privilegesConfiguration),
+                        Objects.requireNonNull(cr),
                         Objects.requireNonNull(threadPool),
                         resourceSharingEnabledSetting
                     )
@@ -644,7 +652,7 @@ public List<RestHandler> getRestHandlers(
                     new TenantInfoAction(
                         settings,
                         restController,
-                        Objects.requireNonNull(evaluator),
+                        Objects.requireNonNull(privilegesConfiguration),
                         Objects.requireNonNull(threadPool),
                         Objects.requireNonNull(cs),
                         Objects.requireNonNull(adminDns),
@@ -682,7 +690,8 @@ public List<RestHandler> getRestHandlers(
                         cr,
                         cs,
                         principalExtractor,
-                        evaluator,
+                        roleMapper,
+                        privilegesConfiguration,
                         threadPool,
                         Objects.requireNonNull(auditLog),
                         sslSettingsManager,
@@ -753,7 +762,8 @@ public void onIndexModule(IndexModule indexModule) {
                     cs,
                     auditLog,
                     ciol,
-                    evaluator,
+                    privilegesConfiguration,
+                    roleMapper,
                     dlsFlsValve::getCurrentConfig,
                     dlsFlsBaseContext
                 )
@@ -1139,15 +1149,11 @@ public Collection<Object> createComponents(
 
         UserFactory userFactory = new UserFactory.Caching(settings);
 
-        final PrivilegesInterceptor privilegesInterceptor;
-
         namedXContentRegistry.set(xContentRegistry);
         if (SSLConfig.isSslOnlyMode()) {
             auditLog = new NullAuditLog();
-            privilegesInterceptor = new PrivilegesInterceptor(resolver, clusterService, localClient, threadPool);
         } else {
             auditLog = new AuditLogImpl(settings, configPath, localClient, threadPool, resolver, clusterService, environment, userFactory);
-            privilegesInterceptor = new PrivilegesInterceptorImpl(resolver, clusterService, localClient, threadPool);
         }
 
         sslExceptionHandler = new AuditLogSslExceptionHandler(auditLog);
@@ -1169,21 +1175,29 @@ public Collection<Object> createComponents(
         final CompatConfig compatConfig = new CompatConfig(environment, transportPassiveAuthSetting);
 
         rsIndexHandler = new ResourceSharingIndexHandler(localClient, threadPool, resourcePluginInfo);
-        evaluator = new PrivilegesEvaluator(
+
+        RoleMapper roleMapper = new RolesInjector.InjectedRoleMapper(
+            new ConfigurableRoleMapper(cr, settings),
+            threadPool.getThreadContext()
+        );
+        this.roleMapper = roleMapper;
+
+        PrivilegesConfiguration privilegesConfiguration = new PrivilegesConfiguration(
+            cr,
             clusterService,
             clusterService::state,
+            localClient,
+            roleMapper,
             threadPool,
-            threadPool.getThreadContext(),
-            cr,
             resolver,
             auditLog,
             settings,
-            privilegesInterceptor,
-            cih,
+            cih::getReasonForUnavailability,
             irr
         );
+        this.privilegesConfiguration = privilegesConfiguration;
 
-        dlsFlsBaseContext = new DlsFlsBaseContext(evaluator, threadPool.getThreadContext(), adminDns);
+        dlsFlsBaseContext = new DlsFlsBaseContext(privilegesConfiguration, threadPool.getThreadContext(), adminDns);
 
         if (SSLConfig.isSslOnlyMode()) {
             dlsFlsValve = new DlsFlsRequestValve.NoopDlsFlsRequestValve();
@@ -1203,7 +1217,7 @@ public Collection<Object> createComponents(
             cr.subscribeOnChange(configMap -> { ((DlsFlsValveImpl) dlsFlsValve).updateConfiguration(cr.getConfiguration(CType.ROLES)); });
         }
 
-        resourceAccessHandler = new ResourceAccessHandler(threadPool, rsIndexHandler, adminDns, evaluator, resourcePluginInfo);
+        resourceAccessHandler = new ResourceAccessHandler(threadPool, rsIndexHandler, adminDns, resourcePluginInfo);
 
         // Assign resource sharing client to each extension
         // Using the non-gated client (i.e. no additional permissions required)
@@ -1228,7 +1242,7 @@ public Collection<Object> createComponents(
 
         sf = new SecurityFilter(
             settings,
-            evaluator,
+            privilegesConfiguration,
             adminDns,
             dlsFlsValve,
             auditLog,
@@ -1249,7 +1263,7 @@ public Collection<Object> createComponents(
             principalExtractor = ReflectionHelper.instantiatePrincipalExtractor(principalExtractorClass);
         }
 
-        restLayerEvaluator = new RestLayerPrivilegesEvaluator(evaluator);
+        restLayerEvaluator = new RestLayerPrivilegesEvaluator(privilegesConfiguration);
 
         securityRestHandler = new SecurityRestFilter(
             backendRegistry,
@@ -1266,7 +1280,6 @@ public Collection<Object> createComponents(
         dcf.registerDCFListener(compatConfig);
         dcf.registerDCFListener(irr);
         dcf.registerDCFListener(xffResolver);
-        dcf.registerDCFListener(evaluator);
         dcf.registerDCFListener(securityRestHandler);
         dcf.registerDCFListener(tokenManager);
         if (!(auditLog instanceof NullAuditLog)) {
@@ -1306,7 +1319,7 @@ public Collection<Object> createComponents(
         components.add(cr);
         components.add(xffResolver);
         components.add(backendRegistry);
-        components.add(evaluator);
+        components.add(privilegesConfiguration);
         components.add(restLayerEvaluator);
         components.add(si);
         components.add(dcf);
@@ -2408,7 +2421,7 @@ public PluginSubject getPluginSubject(Plugin plugin) {
                 }
             }
             pluginPermissions.getCluster_permissions().add(BulkAction.NAME);
-            evaluator.updatePluginToActionPrivileges(pluginPrincipal, pluginPermissions);
+            privilegesConfiguration.updatePluginToActionPrivileges(pluginPrincipal, pluginPermissions);
         }
         return subject;
     }

src/main/java/org/opensearch/security/auth/RolesInjector.java

@@ -15,6 +15,8 @@
 
 package org.opensearch.security.auth;
 
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
@@ -23,8 +25,12 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.core.common.transport.TransportAddress;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.security.auditlog.AuditLog;
+import org.opensearch.security.privileges.RoleMapper;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.user.User;
 import org.opensearch.threadpool.ThreadPool;
@@ -90,6 +96,52 @@ private void addUser(final User user, final ThreadPool threadPool) {
         if (ctx.getPersistent(ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER) == null) {
             ctx.putPersistent(ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER, new UserSubjectImpl(threadPool, user));
         }
+    }
+
+    /**
+     * For users injected by this class, no role mapping shall be performed. This RoleMapper checks whether there
+     * is an injected user (by header) and skips default role mapping (realized by the delegate) if so.
+     */
+    public static class InjectedRoleMapper implements RoleMapper {
+
+        private final ThreadContext threadContext;
+        private final RoleMapper defaultRoleMapper;
+
+        public InjectedRoleMapper(RoleMapper defaultRoleMapper, ThreadContext threadContext) {
+            this.threadContext = threadContext;
+            this.defaultRoleMapper = defaultRoleMapper;
+        }
 
+        @Override
+        public ImmutableSet<String> map(User user, TransportAddress caller) {
+            ImmutableSet<String> mappedRoles;
+
+            if (threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES) != null) {
+                // Just return the security roles, like they were initialized in the injectUserAndRoles() method above
+                mappedRoles = user.getSecurityRoles();
+            } else {
+                // No injected user => use default role mapping
+                mappedRoles = defaultRoleMapper.map(user, caller);
+            }
+
+            String injectedRolesValidationString = threadContext.getTransient(
+                ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_VALIDATION
+            );
+            if (injectedRolesValidationString != null) {
+                // Moved from
+                // https://github.com/opensearch-project/security/blob/d29095f26dba1a26308c69b608dc926bd40c0f52/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java#L406
+                // See also https://github.com/opensearch-project/security/pull/1367
+                HashSet<String> injectedRolesValidationSet = new HashSet<>(Arrays.asList(injectedRolesValidationString.split(",")));
+                if (!mappedRoles.containsAll(injectedRolesValidationSet)) {
+                    throw new OpenSearchSecurityException(
+                        String.format("No mapping for %s on roles %s", user, injectedRolesValidationSet),
+                        RestStatus.FORBIDDEN
+                    );
+                }
+                mappedRoles = ImmutableSet.copyOf(injectedRolesValidationSet);
+            }
+
+            return mappedRoles;
+        }
     }
 }

src/main/java/org/opensearch/security/configuration/ClusterInfoHolder.java

@@ -101,4 +101,12 @@ public Boolean hasClusterManager() {
         }
         return false;
     }
+
+    public String getReasonForUnavailability() {
+        if (!hasClusterManager()) {
+            return CLUSTER_MANAGER_NOT_PRESENT;
+        } else {
+            return null;
+        }
+    }
 }

src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java

@@ -89,7 +89,7 @@
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.client.Client;
 
-import static org.opensearch.security.privileges.PrivilegesEvaluator.isClusterPerm;
+import static org.opensearch.security.privileges.PrivilegesEvaluatorImpl.isClusterPerm;
 
 public class DlsFlsValveImpl implements DlsFlsRequestValve {
 

src/main/java/org/opensearch/security/configuration/PrivilegesInterceptorImpl.java

@@ -13,6 +13,7 @@
 
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Supplier;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
@@ -45,12 +46,12 @@
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.security.privileges.DashboardsMultiTenancyConfiguration;
 import org.opensearch.security.privileges.DocumentAllowList;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesInterceptor;
 import org.opensearch.security.privileges.TenantPrivileges;
 import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
-import org.opensearch.security.securityconf.DynamicConfigModel;
 import org.opensearch.security.user.User;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.client.Client;
@@ -77,13 +78,20 @@ public class PrivilegesInterceptorImpl extends PrivilegesInterceptor {
 
     protected final Logger log = LogManager.getLogger(this.getClass());
 
+    private final Supplier<TenantPrivileges> tenantPrivilegesSupplier;
+    private final Supplier<DashboardsMultiTenancyConfiguration> multiTenancyConfigurationSupplier;
+
     public PrivilegesInterceptorImpl(
         IndexNameExpressionResolver resolver,
         ClusterService clusterService,
         Client client,
-        ThreadPool threadPool
+        ThreadPool threadPool,
+        Supplier<TenantPrivileges> tenantPrivilegesSupplier,
+        Supplier<DashboardsMultiTenancyConfiguration> multiTenancyConfigurationSupplier
     ) {
         super(resolver, clusterService, client, threadPool);
+        this.tenantPrivilegesSupplier = tenantPrivilegesSupplier;
+        this.multiTenancyConfigurationSupplier = multiTenancyConfigurationSupplier;
     }
 
     /**
@@ -97,25 +105,26 @@ public ReplaceResult replaceDashboardsIndex(
         final ActionRequest request,
         final String action,
         final User user,
-        final DynamicConfigModel config,
         final Resolved requestedResolved,
-        final PrivilegesEvaluationContext context,
-        final TenantPrivileges tenantPrivileges
+        final PrivilegesEvaluationContext context
     ) {
+        DashboardsMultiTenancyConfiguration config = this.multiTenancyConfigurationSupplier.get();
 
-        final boolean enabled = config.isDashboardsMultitenancyEnabled();// config.dynamic.kibana.multitenancy_enabled;
+        final boolean enabled = config.multitenancyEnabled();// config.dynamic.kibana.multitenancy_enabled;
 
         if (!enabled) {
             return CONTINUE_EVALUATION_REPLACE_RESULT;
         }
 
+        TenantPrivileges tenantPrivileges = this.tenantPrivilegesSupplier.get();
+
         // next two lines needs to be retrieved from configuration
-        final String dashboardsServerUsername = config.getDashboardsServerUsername();// config.dynamic.kibana.server_username;
-        final String dashboardsIndexName = config.getDashboardsIndexname();// config.dynamic.kibana.index;
+        final String dashboardsServerUsername = config.dashboardsServerUsername();// config.dynamic.kibana.server_username;
+        final String dashboardsIndexName = config.dashboardsIndex();// config.dynamic.kibana.index;
 
         String requestedTenant = user.getRequestedTenant();
         if (USER_TENANT.equals(requestedTenant)) {
-            final boolean private_tenant_enabled = config.isDashboardsPrivateTenantEnabled();
+            final boolean private_tenant_enabled = config.privateTenantEnabled();
             if (!private_tenant_enabled) {
                 return ACCESS_DENIED_REPLACE_RESULT;
             }