-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add User.isAdminDn to User class #547
Conversation
Signed-off-by: Craig Perkins <[email protected]>
@dhrubo-os @ylwu-amzn Let me know if this helps. There should be some testing performed with the security plugin installed, but this should let you determine if the current user is in the Edit: This is where the super user gets authenticated in the security plugin: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L215-L220 |
Codecov Report
@@ Coverage Diff @@
## main #547 +/- ##
============================================
+ Coverage 74.55% 75.14% +0.58%
- Complexity 872 874 +2
============================================
Files 130 130
Lines 5680 5685 +5
Branches 698 698
============================================
+ Hits 4235 4272 +37
+ Misses 1139 1104 -35
- Partials 306 309 +3
|
|
||
public static boolean isSuperUser(User user, Settings settings) { | ||
List<String> adminDns = settings.getAsList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList()); | ||
return adminDns.contains(user.getName()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we might need some backward compatibility? What happens if user is null? then it will throw exception in line 259. And I'm not a security person, so I don't know how to handle this situation. Just wanted to call out here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added null check
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Usually when the user is super admin, the user object is null. Reference
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah same for ml-commons
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see details here.
There are 2 cases of superadmin:
- Plugin stashed the threadcontext (user == null)
- User connects to cluster using admin certificate <- scope of this PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Capturing discussion on this PR:
- User is null means 1 of 2 things - 1) Security is not enabled or 2) plugin is operating in a stashContext block
- User is non-null then - 1) User is a regular user (including anonymous) or 2) User is a superuser (meaning request comes from admin cert)
This PR pertains to 2) above and also relies on:
- When security is enabled a user will always be present in the threadcontext
- The plugin dev will ensure they are not making any calls to read the currently authenticated user from within a stashContext block
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Do we need to mark this PR as draft? Are we planning to merge this? |
Marked as ready for review. @dhrubo-os if there's a companion ml-commons PR please share to show how this change will be utilized. |
I'll share within next week. |
Just Raised a draft PR to show the example We are going to use this function similar like this way Currently for the easy development we added this method in our ml-commons plugin end. But eventually we want to use this method Please let me know if you have any question or concern. Thanks. |
Hey @dhrubo-os, thank you for providing the linked PRs for example usage. If I'm reading the PR correctly it means that if a regular user creates a model its not hidden, but if a superuser creates a model then its hidden? Have you considered separate transport actions so that those actions are authorized separately? i.e.:
If you have a separate transport action then you can permission users to perform the register hidden model action through a separate "admin-level" role. Roles for ml-commons plugin: https://github.com/opensearch-project/security/blob/main/config/roles.yml#L273-L295 While there are already instances in plugins of plugins having to implement their own authz models based on user's backend roles, this will be yet another instance of something that should be the responsibility of the security plugin that is implemented in a plugin. |
Signed-off-by: Craig Perkins <[email protected]>
* Add User.isSuperUser to User class Signed-off-by: Craig Perkins <[email protected]> * Add null check Signed-off-by: Craig Perkins <[email protected]> * Add another test Signed-off-by: Craig Perkins <[email protected]> * Make method non-static and require a user to exist to call method Signed-off-by: Craig Perkins <[email protected]> * Change to isAdminDn Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit 107be59) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* Add User.isSuperUser to User class * Add null check * Add another test * Make method non-static and require a user to exist to call method * Change to isAdminDn --------- (cherry picked from commit 107be59) Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…-project#562) * Add User.isSuperUser to User class * Add null check * Add another test * Make method non-static and require a user to exist to call method * Change to isAdminDn --------- (cherry picked from commit 107be59) Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Signed-off-by: AWSHurneyt <[email protected]>
Description
Adds a static helper method on the User class to determine if the user is in the security plugin's
plugins.security.authcz.admin_dn
list.Issues Resolved
opensearch-project/security#3413
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.