Skip to content

Access control for results in trigger execution context#1991

Merged
AWSHurneyt merged 26 commits into
opensearch-project:mainfrom
cloud-gov:remove-alert-message-results
Jan 26, 2026
Merged

Access control for results in trigger execution context#1991
AWSHurneyt merged 26 commits into
opensearch-project:mainfrom
cloud-gov:remove-alert-message-results

Conversation

@markdboyd
Copy link
Copy Markdown
Contributor

@markdboyd markdboyd commented Nov 21, 2025
edited
Loading

Description

This PR includes a few changes:

  • Adds a NOTIFICATION_CONTEXT_RESULTS_ALLOWED_ROLES setting to specify which user roles should have access to results from a trigger execution context
  • Adds a getter for a templateResults property of the TriggerExecutionContext to conditionally make templateResults empty if NOTIFICATION_CONTEXT_RESULTS_ALLOWED_ROLES is set AND the allowed roles do not intersect with the monitor's user roles
  • Update the asTemplateArg() method for trigger execution contexts to return templateResults as the value for the results property in mustache templates
  • Adds tests for each type of execution context to ensure that the visibility of templateResults is correct for different scenarios
  • Refactors code as necessary for compatibility with changes

Related Issues

Resolves #1986

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@markdboyd markdboyd force-pushed the remove-alert-message-results branch from ffeb432 to ae99a32 Compare November 21, 2025 17:22
@markdboyd markdboyd changed the title Conditionally remove results from trigger execution context Access control for results in from trigger execution context Nov 21, 2025
@markdboyd markdboyd changed the title Access control for results in from trigger execution context Access control for results in trigger execution context Nov 21, 2025
@markdboyd markdboyd force-pushed the remove-alert-message-results branch 2 times, most recently from 2594afd to 46f5991 Compare December 2, 2025 21:50
@markdboyd markdboyd force-pushed the remove-alert-message-results branch from 46f5991 to 9cd1067 Compare December 12, 2025 19:05
@cwperks
Copy link
Copy Markdown
Member

cwperks commented Dec 16, 2025
edited
Loading

Thank you for this PR @markdboyd. I think it makes sense in the current paradigm to add a new cluster setting for this.

There is an ongoing effort to re-architect how plugins interface with security through a resource sharing framework based on ownership of a resource and access levels. This plugin has not been onboarded yet, but once targeted for onboarding I would also like to see if there is a convenient way to fit this into that model as well by provisioning different levels of access to the context to different users but that may involve introducing new transport actions.

Regardless, this change would work in both paradigms.

cwperks
cwperks reviewed Dec 16, 2025
View reviewed changes
Comment thread alerting/src/test/kotlin/org/opensearch/alerting/util/AnomalyDetectionUtilsTests.kt
@@ -103,8 +103,10 @@ class AnomalyDetectionUtilsTests : OpenSearchTestCase() {
val searchSourceBuilder = SearchSourceBuilder()
addUserBackendRolesFilter(
User(
randomAlphaOfLength(5), null, listOf(randomAlphaOfLength(5)),
listOf(randomAlphaOfLength(5))
Copy link
Copy Markdown
Member

@cwperks cwperks Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised this test did not need to be updated earlier. Has this repo been having failing tests?

Thanks for updating this!

cwperks
cwperks reviewed Dec 16, 2025
View reviewed changes
Comment thread .../src/test/kotlin/org/opensearch/alerting/script/DocumentLevelTriggerExecutionContextTests.kt
Assert.assertTrue(templateResults.isEmpty())
}

fun `test results are excluded in document-level context even when allowed roles intersect monitor roles`() {
Copy link
Copy Markdown
Member

@cwperks cwperks Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For my understanding, why is DocumentLevel context different from BucketLevel and QueryLevel?

Copy link
Copy Markdown
Contributor Author

@markdboyd markdboyd Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For whatever reason, the DocumentLevelTriggerExecutionContext is coded to never pass along results when instantiating the context:

alerting/alerting/src/main/kotlin/org/opensearch/alerting/script/DocumentLevelTriggerExecutionContext.kt

Line 30 in 8a6bad3

monitor, trigger, emptyList(), Instant.now(), Instant.now(),

You can see the third parameter there for the results is an emptyList(). So this context will never have results regardless of this new setting for controlling access that we're adding.

For the QueryLevelTriggerExecutionContext, you can see that the actual monitor results are passed along when instantiating the context:

alerting/alerting/src/main/kotlin/org/opensearch/alerting/script/QueryLevelTriggerExecutionContext.kt

Line 31 in 8a6bad3

monitor, trigger, monitorRunResult.inputResults.results, monitorRunResult.periodStart, monitorRunResult.periodEnd,

This behavior is the same for the BucketLevelTriggerExecutionContext

Copy link
Copy Markdown
Member

@cwperks cwperks Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like that's because the doc level monitor fires when a doc meets certain criteria, whereas bucket level monitor and query level trigger based on query results.

Is there any sensitive info that is present on doc level monitor that ought to be excluded?

Copy link
Copy Markdown
Member

@cwperks cwperks Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to GPT-5.2 there is not:

You mostly get alert metadata and execution context, not query results or document contents.

I think it would have access to docId and index, but not _source

cwperks
cwperks approved these changes Dec 16, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AWSHurneyt Could you also please review this? Thanks!

JasonTheMain and others added 6 commits December 17, 2025 10:51
@JasonTheMain @markdboyd
adding in changes for backend roles
66c859b 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
revert formatting changes
149adb9 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@opensearch-trigger-bot @github-actions @markdboyd
changed the maven url in build.gradle (opensearch-project#1938) (open…
030cee0 
…search-project#1939)

* changed the maven url in build.gradle

* url changed

---------

(cherry picked from commit 8b6afc3)

Signed-off-by: Riya Saxena <riysaxen@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@opensearch-trigger-bot @github-actions @markdboyd
Remove aws.oss.sonatype.org reference and update bwcVersion (opensear…
037ce44 
…ch-project#1946) (opensearch-project#1947)

(cherry picked from commit b87b2dd)

Signed-off-by: Peter Zhu <zhujiaxi@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
remove monitor results from trigger execution context
07a2b96 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
add test to prove that monitor results are removed from query-level t…
b708b04 
…rigger context

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
refactor code to actually remove results from trigger execution conte…
41da677 
…xts, not just the template arguments

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
refactor code to user custom getter for context results field
402123f 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
refactor custom getter for results in TriggerExecutionContext & pass …
9878660 
…in cluster settings to TriggerExecutionContext constructor

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
fix test for results visibility in query level trigger execution contet
e7fb678 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
fix logic for including trigger context results to properly handle ca…
99ace27 
…se when allowed roles are empty

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
remove unnecessary test assertion
d3f33b6 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
remove build.gradle changes
a0ed338 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
remove unnecessary repositories.gradle changes
eac2c73 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
remove formatting changes
21eb300 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
add test for query level context that results are not empty when moni…
3fd0951 
…tor user roles are included in allowed roles

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
add tests for context results for bucket level and document level tri…
67afcdc 
…gger contexts

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
separate tests into separate files
318c1f3 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
fix TriggerService to use internal _results property on bucket level …
723a66f 
…context

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
fix tests
77ab484 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
add NOTIFICATION_CONTEXT_RESULTS_ALLOWED_ROLES to list of plugin sett…
9a663f4 
…ings

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
use getOrNull to access NOTIFICATION_CONTEXT_RESULTS_ALLOWED_ROLES se…
72fafd6 
…tting to distinguish between null for unset and an explicitly empty list

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
add test case for query-level context when NOTIFICATION_CONTEXT_RESUL…
15ddea1 
…TS_ALLOWED_ROLES is not set

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
add tests for query-level and document-level context where NOTIFICATI…
39a7f98 
…ON_CONTEXT_RESULTS_ALLOWED_ROLES is not set

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
remove unnecessary change
fb2025f 
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd
refactor trigger contexts to conditionally return an empty list for r…
7e7a84e 
…esults as a template argument instead of as a context property

Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
@markdboyd markdboyd force-pushed the remove-alert-message-results branch from 9cd1067 to 7e7a84e Compare December 17, 2025 15:52
@cwperks
Copy link
Copy Markdown
Member

cwperks commented Jan 22, 2026

@AWSHurneyt Can we get another review on this? The CI checks are passing.

@AWSHurneyt AWSHurneyt merged commit 29907a3 into opensearch-project:main Jan 26, 2026
20 of 23 checks passed
@tkykenmt tkykenmt mentioned this pull request Feb 11, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cwperks cwperks cwperks approved these changes

@AWSHurneyt AWSHurneyt AWSHurneyt approved these changes

@lezzago lezzago Awaiting requested review from lezzago lezzago is a code owner

@sbcd90 sbcd90 Awaiting requested review from sbcd90

@eirsep eirsep Awaiting requested review from eirsep eirsep is a code owner

@getsaurabh02 getsaurabh02 Awaiting requested review from getsaurabh02 getsaurabh02 is a code owner

@praveensameneni praveensameneni Awaiting requested review from praveensameneni

@bowenlan-amzn bowenlan-amzn Awaiting requested review from bowenlan-amzn bowenlan-amzn is a code owner

@rishabhmaurya rishabhmaurya Awaiting requested review from rishabhmaurya rishabhmaurya is a code owner

@engechas engechas Awaiting requested review from engechas engechas is a code owner

@riysaxen-amzn riysaxen-amzn Awaiting requested review from riysaxen-amzn riysaxen-amzn is a code owner

@jowg-amazon jowg-amazon Awaiting requested review from jowg-amazon

@amsiglan amsiglan Awaiting requested review from amsiglan amsiglan is a code owner

@goyamegh goyamegh Awaiting requested review from goyamegh goyamegh is a code owner

@toepkerd toepkerd Awaiting requested review from toepkerd toepkerd is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[FEATURE] Access control for using monitor results in email template

4 participants

@markdboyd @cwperks @AWSHurneyt @JasonTheMain