Allow Plugins to request to perform cluster actions and index actions with their assigned PluginSubject and prompt on install #15778
base: main
Conversation
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
@sohami I opened this Draft PR to show how a mechanism can work for plugins to request to perform an enumerable set of transport actions within a opensearch-project/opensearch-plugins#238 (comment). @prudhvigodithi You may be interested in this PR as well.
❌ Gradle check result for a841f06: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Signed-off-by: Craig Perkins <[email protected]>
❌ Gradle check result for 394c47a: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
❌ Gradle check result for fde386d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
*/ | ||
@SuppressWarnings("removal") | ||
public static Settings parseRequestedActions(Path file) throws IOException { | ||
return Settings.builder().loadFromPath(file).build(); |
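Review bot: `parseRequestedActions` returns whatever keys the YAML happens to contain, but this file is the exact list a cluster admin is asked to approve at install time, so unknown or misspelled keys should be rejected rather than silently carried along or dropped. After `loadFromPath(file).build()`, walk `settings.keySet()` and throw if a key is outside the `cluster.actions` / `indices.actions` namespace the PR description defines, and include the offending key and the file path in the message so the plugin author can fix it. Separately, the `@SuppressWarnings("removal")` annotation has nothing in the visible body that would trigger a removal warning; if it was meant to cover an `AccessController.doPrivileged` wrapper around the file read, that wrapper belongs in the method, otherwise drop the annotation.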
I chose to use the Settings object in here since Settings already supports reading in Yaml files.
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
❌ Gradle check result for c12df2d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Signed-off-by: Craig Perkins <[email protected]>
❌ Gradle check result for df6853b: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
❕ Gradle check result for df6853b: UNSTABLE Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.
Description
In #14630, a new extension point was created called IdentityAwarePlugin that has a single method called `assignSubject`. The subject that is given to IdentityAwarePlugin is intended to be a replacement for `try (ThreadContext.StoredContext ctx = threadContext.stashContext()) { ... }` and ensures that the security plugin can enforce authz checks on transport actions in this privileged block. The replacement is utilizing the assigned plugin subject and instead wrapping a block with `pluginSubject.runAs(() -> { ... })`, which injects an identity associated with the plugin so that the Security plugin (i.e. the IdentityPlugin) can authorize the transport actions instead of allowing the plugin to operate unrestricted.

This PR allows a plugin to define a `plugin-permissions.yml` file on the same level as the `plugin-security.policy` file that can have 2 keys: 1) `cluster.actions` and 2) `indices.actions`.

Example
This PR modifies the `plugin-cli` to prompt a cluster admin with the requested permissions. See an example below where I modified the security plugin to be an `IdentityAwarePlugin` and request permission to write to the `security-auditlog-*` index pattern. The security plugin always needs to be able to write to this index pattern regardless of the authenticated user's permissions.

In order to extract the requested actions in `plugin-cli` I had to create a new method in the PluginsService to try instantiating a plugin with empty settings.

Related Issues
#15958
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
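As an added example that is not code from this PR or from OpenSearch itself, here is how a plugin would put the pieces named in the description together: implement IdentityAwarePlugin, keep the PluginSubject it is handed in `assignSubject`, and move its privileged audit-log write out of a `stashContext()` block and into `pluginSubject.runAs(...)`, next to the `plugin-permissions.yml` it would ship so that `plugin-cli` can prompt the admin. The package names, the exact `assignSubject`/`runAs` signatures, the YAML layout under the two keys, and the plugin class, package and concrete index name are assumptions; only the `security-auditlog-*` pattern and the two key names come from the PR text.

```java
// Added example, not code from this PR or from the OpenSearch repository.
// Assumptions: IdentityAwarePlugin is org.opensearch.plugins.IdentityAwarePlugin
// with assignSubject(PluginSubject); PluginSubject is org.opensearch.identity.PluginSubject
// with <T> T runAs(Callable<T>); the YAML shape under the two keys is one
// plausible layout, not the schema this PR defines.
//
// plugin-permissions.yml, shipped next to plugin-security.policy (assumed layout;
// the action names are OpenSearch's real transport action names):
//
//   cluster.actions:
//     - cluster:monitor/health
//   indices.actions:
//     - indices:data/write/index
//     - indices:data/write/bulk
//
package com.example.auditlog; // hypothetical plugin package

import org.opensearch.action.index.IndexRequest;
import org.opensearch.action.index.IndexResponse;
import org.opensearch.client.Client;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.common.xcontent.XContentType;
import org.opensearch.identity.PluginSubject;
import org.opensearch.plugins.IdentityAwarePlugin;
import org.opensearch.plugins.Plugin;

public class AuditLogPlugin extends Plugin implements IdentityAwarePlugin {

    // Concrete index under the security-auditlog-* pattern from the PR; the
    // date suffix is illustrative.
    private static final String AUDIT_INDEX = "security-auditlog-2024.09";

    // Assigned once by core during plugin loading; null means no identity yet.
    private volatile PluginSubject pluginSubject;

    @Override
    public void assignSubject(PluginSubject pluginSubject) {
        this.pluginSubject = pluginSubject;
    }

    /**
     * The pattern the PR replaces: stash the caller's ThreadContext so the write
     * runs with no user at all. The security plugin sees an empty context and
     * has no identity to authorize, so nothing beyond the Java security policy
     * constrains what the plugin does inside this block.
     */
    IndexResponse writeAuditEventUnrestricted(Client client, ThreadContext threadContext, String eventJson) {
        try (ThreadContext.StoredContext ignored = threadContext.stashContext()) {
            return client.index(new IndexRequest(AUDIT_INDEX).source(eventJson, XContentType.JSON)).actionGet();
        }
    }

    /**
     * The replacement: run the same write as the plugin's own subject. The
     * security plugin now sees a plugin identity on indices:data/write/index and
     * can authorize it against the actions the admin approved at install time,
     * instead of letting the plugin operate unrestricted.
     */
    IndexResponse writeAuditEvent(Client client, String eventJson) throws Exception {
        PluginSubject subject = this.pluginSubject;
        if (subject == null) {
            // Fail closed: with no subject there is nothing to authorize, so do
            // not fall back to the stashContext() path.
            throw new IllegalStateException("plugin subject not assigned; refusing to write " + AUDIT_INDEX + " unrestricted");
        }
        return subject.runAs(() ->
            client.index(new IndexRequest(AUDIT_INDEX).source(eventJson, XContentType.JSON)).actionGet()
        );
    }
}
```

The point of keeping the null check rather than silently falling back to `stashContext()` is that the whole purpose of the change is to make the plugin's privileged block attributable; a fallback would quietly reintroduce the unrestricted path whenever the security plugin is not installed or assignment has not happened yet.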