Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add User.isAdminDn to User class #547

Merged
merged 5 commits into from
Nov 14, 2023
Merged

Add User.isAdminDn to User class #547

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0a87fdd
Add User.isSuperUser to User class
cwperks Oct 9, 2023
e5aaee8
Add null check
cwperks Oct 10, 2023
afdf043
Add another test
cwperks Oct 10, 2023
527e2d2
Make method non-static and require a user to exist to call method
cwperks Oct 12, 2023
dc0047c
Change to isAdminDn
cwperks Nov 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/main/java/org/opensearch/commons/ConfigConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,5 +54,7 @@ private static Setting<SecureString> createFallbackInsecureSetting(String key) {
public static final String INJECTED_USER = "injected_user";
public static final String OPENSEARCH_SECURITY_USE_INJECTED_USER_FOR_PLUGINS = "plugins.security_use_injected_user_for_plugins";
public static final String OPENSEARCH_SECURITY_SSL_HTTP_ENABLED = "plugins.security.ssl.http.enabled";
public static final String OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn";
public static final String OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT = "_opendistro_security_user_info";

}
8 changes: 8 additions & 0 deletions src/main/java/org/opensearch/commons/authuser/User.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
Expand All @@ -19,8 +20,10 @@
import org.opensearch.client.Response;
import org.opensearch.common.Nullable;
import org.opensearch.common.inject.internal.ToStringBuilder;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.xcontent.XContentHelper;
import org.opensearch.common.xcontent.json.JsonXContent;
import org.opensearch.commons.ConfigConstants;
import org.opensearch.core.common.Strings;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
Expand Down Expand Up @@ -250,4 +253,9 @@ public List<String> getCustomAttNames() {
public String getRequestedTenant() {
return requestedTenant;
}

public static boolean isSuperUser(User user, Settings settings) {
List<String> adminDns = settings.getAsList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList());
return adminDns.contains(user.getName());
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we might need some backward compatibility? What happens if user is null? then it will throw exception in line 259. And I'm not a security person, so I don't know how to handle this situation. Just wanted to call out here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added null check

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually when the user is super admin, the user object is null. Reference

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah same for ml-commons

Copy link
Member Author

@cwperks cwperks Oct 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see details here.

There are 2 cases of superadmin:

  1. Plugin stashed the threadcontext (user == null)
  2. User connects to cluster using admin certificate <- scope of this PR

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Capturing discussion on this PR:

  1. User is null means 1 of 2 things - 1) Security is not enabled or 2) plugin is operating in a stashContext block
  2. User is non-null then - 1) User is a regular user (including anonymous) or 2) User is a superuser (meaning request comes from admin cert)

This PR pertains to 2) above and also relies on:

  1. When security is enabled a user will always be present in the threadcontext
  2. The plugin dev will ensure they are not making any calls to read the currently authenticated user from within a stashContext block

}
}
36 changes: 36 additions & 0 deletions src/test/java/org/opensearch/commons/authuser/UserTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,13 @@

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.junit.jupiter.api.Test;
import org.opensearch.common.io.stream.BytesStreamOutput;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.commons.ConfigConstants;
import org.opensearch.core.common.Strings;
import org.opensearch.core.common.io.stream.StreamInput;

Expand Down Expand Up @@ -202,4 +204,38 @@ public void testParseUserStringMalformed() {
User user = User.parse(str);
assertNull(user);
}

@Test
public void testUserIsSuperUserTrue() {
Settings settings = Settings
.builder()
.putList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, List.of("CN=kirk,OU=client,O=client,L=test, C=de"))
.build();
ThreadContext tc = new ThreadContext(Settings.EMPTY);
tc
.putTransient(
OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT,
"CN=kirk,OU=client,O=client,L=test, C=de|backendrole1,backendrole2|role1,role2"
);
String str = tc.getTransient(OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT);
User user = User.parse(str);
assertTrue(User.isSuperUser(user, settings));
}

@Test
public void testUserIsSuperUserFalse() {
Settings settings = Settings
.builder()
.putList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, List.of("CN=spock,OU=client,O=client,L=test, C=de"))
.build();
ThreadContext tc = new ThreadContext(Settings.EMPTY);
tc
.putTransient(
OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT,
"CN=kirk,OU=client,O=client,L=test, C=de|backendrole1,backendrole2|role1,role2"
);
String str = tc.getTransient(OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT);
User user = User.parse(str);
assertFalse(User.isSuperUser(user, settings));
}
}
Loading