Shrink operation privileges evaluation #3716
Signed-off-by: Maciej Mierzwa <[email protected]>
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## main #3716 +/- ##
==========================================
+ Coverage 64.88% 66.21% +1.32%
==========================================
Files 292 292
Lines 20776 20779 +3
Branches 3409 3410 +1
==========================================
+ Hits 13481 13759 +278
+ Misses 5606 5322 -284
- Partials 1689 1698 +9
I cherry-picked changes made in this PR to not combine bug fix and test fix.
stephen-crawford
left a comment
Hi @MaciejMierzwa, just one question but otherwise looks good.
Judging from this it looks like the issue was that the index replacer resolver was not filtering properly? Is that the change this implements which corrects the evaluation?
Exactly. It wasn't even analyzing incoming requests. After going through that part of the code, in PrivilegesEvaluator it assumes the most restrictive access control -> as a result, only a user with wildcard access could perform the shrink operation.
stephen-crawford
left a comment
Looks good
Thank you @MaciejMierzwa. There was another case of this recently with SearchTemplateRequests too where a SearchTemplateRequest was falling through the cracks of IndexResolverReplacer and it required a user to have permissions to search all indices in order to use Search Template: opensearch-project/OpenSearch#9122
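The fall-through discussed in this thread, as an added example that is not code from the PR or from the security plugin: a simplified model of a resolver that has no branch for a request type and therefore reports every index, so only a wildcard grant passes. All type and method names, the index names and the choice to check both source and target index are assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;

// Simplified, hypothetical model (Java 16+); none of these types are the plugin's real classes.
public class ResolverFallThroughDemo {
    interface Request {}
    record SearchRequest(List<String> indices) implements Request {}
    record ResizeRequest(String sourceIndex, String targetIndex) implements Request {}

    static final Set<String> ALL = Set.of("*");

    // "Before": no branch handles ResizeRequest, so it falls through to "*".
    static Set<String> resolveBefore(Request r) {
        if (r instanceof SearchRequest s) return Set.copyOf(s.indices());
        return ALL; // unrecognised request type: assume it may touch every index
    }

    // "After": the resize request's own indices are extracted before the fallback.
    // Assumption of this model: both source and target index are checked.
    static Set<String> resolveAfter(Request r) {
        if (r instanceof ResizeRequest z) return Set.of(z.sourceIndex(), z.targetIndex());
        return resolveBefore(r);
    }

    // Allowed only if every resolved index is covered by a grant
    // (exact name or "*"; real index-pattern matching is left out of this model).
    static boolean allowed(Set<String> granted, Set<String> resolved) {
        return resolved.stream().allMatch(i -> granted.contains("*") || granted.contains(i));
    }

    public static void main(String[] args) {
        // Constructed sample request and role grants.
        Request shrink = new ResizeRequest("logs-2023", "logs-2023-shrunk");
        Set<String> scoped = Set.of("logs-2023", "logs-2023-shrunk");
        Set<String> wildcard = Set.of("*");
        Set<String> unrelated = Set.of("metrics");

        System.out.println("before, scoped role:    " + allowed(scoped, resolveBefore(shrink)));
        System.out.println("before, wildcard role:  " + allowed(wildcard, resolveBefore(shrink)));
        System.out.println("after,  scoped role:    " + allowed(scoped, resolveAfter(shrink)));
        // Regression check for the fix: a role scoped elsewhere must still be denied.
        System.out.println("after,  unrelated role: " + allowed(unrelated, resolveAfter(shrink)));
    }
}
```

The fallback fails closed, so a missing branch shows up as an unexpected denial for narrowly scoped roles rather than as over-broad access; a permission test per request type, run with a non-wildcard role, catches both directions.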
### Description
Bug fix. Shrink, or resize operations weren't properly evaluated. More in the task: #2141

### Issues Resolved
#2141

Is this a backport? If so, please add backport PR # and/or commits #

### Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]

### Check List
- [x] New functionality includes testing
- [x] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Maciej Mierzwa <[email protected]>
(cherry picked from commit 3c01fde)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Backport 3c01fde from #3716.

Signed-off-by: Maciej Mierzwa <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
Bug fix. Shrink, or resize operations weren't properly evaluated. More in the task: #2141
Issues Resolved
#2141
Is this a backport? If so, please add backport PR # and/or commits #
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.