Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add User.isAdminDn to User class #547

Merged
merged 5 commits into from
Nov 14, 2023

Conversation

cwperks
Copy link
Member

@cwperks cwperks commented Oct 9, 2023

Description

Adds a static helper method on the User class to determine if the user is in the security plugin's plugins.security.authcz.admin_dn list.

Issues Resolved

opensearch-project/security#3413

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwperks
Copy link
Member Author

cwperks commented Oct 9, 2023

@dhrubo-os @ylwu-amzn Let me know if this helps. There should be some testing performed with the security plugin installed, but this should let you determine if the current user is in the admin_dn list (i.e. user is a super user)

Edit: This is where the super user gets authenticated in the security plugin: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L215-L220

@codecov
Copy link

codecov bot commented Oct 9, 2023

Codecov Report

Merging #547 (dc0047c) into main (2ef47f9) will increase coverage by 0.58%.
Report is 2 commits behind head on main.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##               main     #547      +/-   ##
============================================
+ Coverage     74.55%   75.14%   +0.58%     
- Complexity      872      874       +2     
============================================
  Files           130      130              
  Lines          5680     5685       +5     
  Branches        698      698              
============================================
+ Hits           4235     4272      +37     
+ Misses         1139     1104      -35     
- Partials        306      309       +3     
Files Coverage Δ
...n/java/org/opensearch/commons/ConfigConstants.java 87.50% <ø> (ø)
...ain/java/org/opensearch/commons/authuser/User.java 88.23% <100.00%> (+0.40%) ⬆️

... and 1 file with indirect coverage changes


public static boolean isSuperUser(User user, Settings settings) {
List<String> adminDns = settings.getAsList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList());
return adminDns.contains(user.getName());

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we might need some backward compatibility? What happens if user is null? then it will throw exception in line 259. And I'm not a security person, so I don't know how to handle this situation. Just wanted to call out here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added null check

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually when the user is super admin, the user object is null. Reference

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah same for ml-commons

Copy link
Member Author

@cwperks cwperks Oct 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see details here.

There are 2 cases of superadmin:

  1. Plugin stashed the threadcontext (user == null)
  2. User connects to cluster using admin certificate <- scope of this PR

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Capturing discussion on this PR:

  1. User is null means 1 of 2 things - 1) Security is not enabled or 2) plugin is operating in a stashContext block
  2. User is non-null then - 1) User is a regular user (including anonymous) or 2) User is a superuser (meaning request comes from admin cert)

This PR pertains to 2) above and also relies on:

  1. When security is enabled a user will always be present in the threadcontext
  2. The plugin dev will ensure they are not making any calls to read the currently authenticated user from within a stashContext block

cwperks and others added 3 commits October 9, 2023 23:21
@dhrubo-os
Copy link

Do we need to mark this PR as draft? Are we planning to merge this?

@cwperks cwperks marked this pull request as ready for review October 12, 2023 18:06
@cwperks
Copy link
Member Author

cwperks commented Oct 12, 2023

Do we need to mark this PR as draft? Are we planning to merge this?

Marked as ready for review. @dhrubo-os if there's a companion ml-commons PR please share to show how this change will be utilized.

@dhrubo-os
Copy link

Do we need to mark this PR as draft? Are we planning to merge this?

Marked as ready for review. @dhrubo-os if there's a companion ml-commons PR please share to show how this change will be utilized.

I'll share within next week.

@dhrubo-os
Copy link

Do we need to mark this PR as draft? Are we planning to merge this?

Marked as ready for review. @dhrubo-os if there's a companion ml-commons PR please share to show how this change will be utilized.

I'll share within next week.

Just Raised a draft PR to show the example

We are going to use this function similar like this way

Currently for the easy development we added this method in our ml-commons plugin end. But eventually we want to use this method

Please let me know if you have any question or concern. Thanks.

@cwperks
Copy link
Member Author

cwperks commented Oct 30, 2023

Hey @dhrubo-os, thank you for providing the linked PRs for example usage. If I'm reading the PR correctly it means that if a regular user creates a model its not hidden, but if a superuser creates a model then its hidden?

Have you considered separate transport actions so that those actions are authorized separately? i.e.:

  1. TransportRegisterModelAction
  2. TransportRegisterHiddenModelAction

If you have a separate transport action then you can permission users to perform the register hidden model action through a separate "admin-level" role.

Roles for ml-commons plugin: https://github.com/opensearch-project/security/blob/main/config/roles.yml#L273-L295

While there are already instances in plugins of plugins having to implement their own authz models based on user's backend roles, this will be yet another instance of something that should be the responsibility of the security plugin that is implemented in a plugin.

Signed-off-by: Craig Perkins <[email protected]>
@cwperks cwperks changed the title Add User.isSuperUser to User class Add User.isAdminDn to User class Nov 13, 2023
@AWSHurneyt AWSHurneyt merged commit 107be59 into opensearch-project:main Nov 14, 2023
9 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 14, 2023
* Add User.isSuperUser to User class

Signed-off-by: Craig Perkins <[email protected]>

* Add null check

Signed-off-by: Craig Perkins <[email protected]>

* Add another test

Signed-off-by: Craig Perkins <[email protected]>

* Make method non-static and require a user to exist to call method

Signed-off-by: Craig Perkins <[email protected]>

* Change to isAdminDn

Signed-off-by: Craig Perkins <[email protected]>

---------

Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 107be59)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
lezzago pushed a commit that referenced this pull request Nov 14, 2023
* Add User.isSuperUser to User class



* Add null check



* Add another test



* Make method non-static and require a user to exist to call method



* Change to isAdminDn



---------



(cherry picked from commit 107be59)

Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
AWSHurneyt pushed a commit to AWSHurneyt/common-utils that referenced this pull request Apr 12, 2024
…-project#562)

* Add User.isSuperUser to User class



* Add null check



* Add another test



* Make method non-static and require a user to exist to call method



* Change to isAdminDn



---------



(cherry picked from commit 107be59)

Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: AWSHurneyt <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants