Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.4] Point in time security changes #2223

Merged
merged 1 commit into from
Nov 3, 2022

Conversation

opensearch-trigger-bot[bot]
Copy link
Contributor

Backport 207cfcc from #2094

Description
For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions.
If user has permission to all indices of PIT, then PIT is permitted to the user.
Only when the user has permissions for all PITs in the request, then we allow the operation.
For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code

Alias and data stream behavior :
PIT IDs always contain the resolved indices ( underlying indices ) when saved.
Based on this,
For alias, user must have either 'index' or 'alias' permission for any PIT operation.
For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation.
With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission.

Signed-off-by: Bharathwaj G <[email protected]>

Signed-off-by: Bharathwaj G <[email protected]>
(cherry picked from commit 207cfcc)
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bharath-techie @dhruv16dhr Please confirm this change should be backported.

@codecov-commenter
Copy link

codecov-commenter commented Nov 2, 2022

Codecov Report

Merging #2223 (8b6cb5a) into 2.4 (b715b6a) will increase coverage by 0.07%.
The diff coverage is 97.22%.

@@             Coverage Diff              @@
##                2.4    #2223      +/-   ##
============================================
+ Coverage     60.97%   61.04%   +0.07%     
- Complexity     3236     3249      +13     
============================================
  Files           257      258       +1     
  Lines         18089    18123      +34     
  Branches       3225     3231       +6     
============================================
+ Hits          11030    11064      +34     
+ Misses         5490     5488       -2     
- Partials       1569     1571       +2     
Impacted Files Coverage Δ
...ch/security/privileges/PitPrivilegesEvaluator.java 96.42% <96.42%> (ø)
.../opensearch/security/OpenSearchSecurityPlugin.java 79.95% <100.00%> (+0.08%) ⬆️
...earch/security/privileges/PrivilegesEvaluator.java 72.38% <100.00%> (+0.35%) ⬆️
...earch/security/resolver/IndexResolverReplacer.java 65.34% <100.00%> (ø)
...iance/ComplianceIndexingOperationListenerImpl.java 63.23% <0.00%> (+1.47%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@bharath-techie
Copy link
Contributor

Yes @peternied these changes are needed for 2.4

@peternied peternied merged commit 2a1e7d7 into 2.4 Nov 3, 2022
@peternied peternied deleted the backport/backport-2094-to-2.4 branch November 3, 2022 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants