Skip to content

Shrink operation privileges evaluation#3716

Merged
cwperks merged 4 commits intoopensearch-project:mainfrom
MaciejMierzwa:evaluate_privileges_shrink_resize
Nov 22, 2023
Merged

Shrink operation privileges evaluation#3716
cwperks merged 4 commits intoopensearch-project:mainfrom
MaciejMierzwa:evaluate_privileges_shrink_resize

Conversation

@MaciejMierzwa
Copy link
Copy Markdown
Contributor

@MaciejMierzwa MaciejMierzwa commented Nov 14, 2023
edited
Loading

Description

Bug fix. Shrink, or resize operations weren't properly evaluated. More in the task: #2141

Issues Resolved

#2141

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@MaciejMierzwa
shrink operation fix + tests
66f9ebe 
Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
@MaciejMierzwa
spotless
7a76d1d 
Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
@MaciejMierzwa
Merge remote-tracking branch 'origin/main' into evaluate_privileges_s…
f4d5bbb 
…hrink_resize
@codecov
Copy link
Copy Markdown

codecov bot commented Nov 15, 2023
edited
Loading

Codecov Report

Merging #3716 (7a76d1d) into main (ee66199) will increase coverage by 1.32%.
Report is 1 commits behind head on main.
The diff coverage is 100.00%.

❗ Current head 7a76d1d differs from pull request most recent head 610ba7c. Consider uploading reports for the commit 610ba7c to get more accurate results

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #3716      +/-   ##
==========================================
+ Coverage   64.88%   66.21%   +1.32%     
==========================================
  Files         292      292              
  Lines       20776    20779       +3     
  Branches     3409     3410       +1     
==========================================
+ Hits        13481    13759     +278     
+ Misses       5606     5322     -284     
- Partials     1689     1698       +9
Files Coverage Δ
...earch/security/resolver/IndexResolverReplacer.java 69.35% <100.00%> (+0.79%) ⬆️

... and 34 files with indirect coverage changes

@MaciejMierzwa
merge and spotless
610ba7c 
Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
@MaciejMierzwa MaciejMierzwa mentioned this pull request Nov 15, 2023
Merged
@MaciejMierzwa
Copy link
Copy Markdown
Contributor Author

MaciejMierzwa commented Nov 15, 2023

I cherry-picked changes made in this PR to not combine bug fix and test fix.

@MaciejMierzwa MaciejMierzwa mentioned this pull request Nov 15, 2023
Closed
stephen-crawford
stephen-crawford reviewed Nov 15, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @MaciejMierzwa, just one question but otherwise looks good.

Judging from this it looks like the issue was that the index replacer resolver was not filtering properly? Is that the change this implements which corrects the evaluation?

@MaciejMierzwa
Copy link
Copy Markdown
Contributor Author

MaciejMierzwa commented Nov 16, 2023

Hi @MaciejMierzwa, just one question but otherwise looks good.

Judging from this it looks like the issue was that the index replacer resolver was not filtering properly? Is that the change this implements which corrects the evaluation?

Exactly. It wasn't even analyzing incoming requests. After going through that part of the code, in PriviledgesEvaluator it assumes the most restrictive access control -> As a result only user with wildcard access could perform shrink operation.

stephen-crawford
stephen-crawford approved these changes Nov 16, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@cwperks
Copy link
Copy Markdown
Member

cwperks commented Nov 22, 2023

Thank you @MaciejMierzwa . There was another case of this recently with SearchTemplateRequests too where a SearchTemplateRequest was falling through the cracks of IndexResolverReplacer and it required a user to have permissions to search all indices in order to use Search Template: opensearch-project/OpenSearch#9122

@cwperks cwperks merged commit 3c01fde into opensearch-project:main Nov 22, 2023
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Nov 22, 2023
Merged
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 22, 2023
@github-actions
Shrink operation privileges evaluation (#3716)
0add5ec 
### Description
Bug fix. Shrink, or resize operations weren't properly evaluated. More
in the task: #2141

### Issues Resolved
#2141

Is this a backport? If so, please add backport PR # and/or commits #

### Testing
[Please provide details of testing done: unit testing, integration
testing and manual testing]

### Check List
- [x] New functionality includes testing
- [x] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
(cherry picked from commit 3c01fde)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
cwperks pushed a commit that referenced this pull request Nov 27, 2023
@opensearch-trigger-bot @github-actions
[Backport 2.x] Shrink operation privileges evaluation (#3764)
4b39083 
Backport 3c01fde from #3716.

Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cwperks cwperks cwperks approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@davidlago davidlago Awaiting requested review from davidlago

@peternied peternied Awaiting requested review from peternied

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

+1 more reviewer

@stephen-crawford stephen-crawford stephen-crawford approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MaciejMierzwa @cwperks @stephen-crawford