Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature]Introduces Resource Sharing and Access Control #16030

Closed
Changes from 1 commit
Commits
Show all changes
68 commits
Select commit Hold shift + click to select a range
909a85b
Adds a new plugin type named ResourcePlugin and relevant base classes
DarshitChanpura Aug 27, 2024
66a849c
Adds a No-op implementation of ResourcePlugin
DarshitChanpura Aug 27, 2024
08cdcb3
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Aug 30, 2024
d7169e4
Adds a way to configure security plugin for resource access-control
DarshitChanpura Aug 30, 2024
58ae851
Fixes compilation errors and changes debug log-level to info for Reso…
DarshitChanpura Aug 30, 2024
fd00243
Replace plugin count check with isEmpty
DarshitChanpura Aug 30, 2024
ef8a0b7
Adds package-info
DarshitChanpura Aug 30, 2024
e98cb61
Renames a bunch of files
DarshitChanpura Aug 30, 2024
96f09b0
Changes method signatures to be inline with their usage
DarshitChanpura Aug 30, 2024
c86dfc9
Adds new method for deleting by entity
DarshitChanpura Aug 30, 2024
7c6ec2a
Adds abstract method definitions for ResourcePlugin interface
DarshitChanpura Sep 3, 2024
c04762e
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Sep 3, 2024
f95a67f
Adds toXContent implementations
DarshitChanpura Sep 6, 2024
8b8fffd
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Sep 6, 2024
7e7cd0a
Modifies some method names and comments
DarshitChanpura Sep 10, 2024
e1a1b62
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Oct 2, 2024
23fcfba
Fixes license
DarshitChanpura Oct 2, 2024
fba48ab
Adds changelog entry
DarshitChanpura Oct 2, 2024
9cb8d0e
Adds a notion of scope
DarshitChanpura Oct 2, 2024
848234e
Modifies sharedwith to accomodate scope
DarshitChanpura Oct 4, 2024
eaf0c6e
Adds missing JavaDoc
DarshitChanpura Oct 4, 2024
6a6e6f7
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Oct 4, 2024
566913a
Adds NamedWriteable capability and removes un-needed method
DarshitChanpura Oct 4, 2024
b4f876f
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Oct 10, 2024
9baac32
Updates toXContent implementations
DarshitChanpura Oct 10, 2024
0eb47ac
Fix toString implementation
DarshitChanpura Oct 10, 2024
e313071
Allows the ability to list resource permissions
DarshitChanpura Oct 15, 2024
bd91162
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Nov 5, 2024
2327258
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Nov 20, 2024
774a4a1
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Nov 25, 2024
37cacf0
Adds NamedWriteable implementations
DarshitChanpura Nov 27, 2024
4107407
Adds TODO for Noop Implementation
DarshitChanpura Dec 3, 2024
274c64f
Adds fromValue method to EntityType
DarshitChanpura Dec 4, 2024
014be82
Refactors variables from List to Set
DarshitChanpura Dec 5, 2024
3143796
Updates revokeAccess signature to accept scopes to revoke access from
DarshitChanpura Dec 5, 2024
04a02cb
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Dec 5, 2024
e468f91
Convert sets to lists
DarshitChanpura Dec 5, 2024
3a0b4b1
Upper-case the default scope
DarshitChanpura Dec 5, 2024
0056807
Adds concrete implementation of getResources in Noop RAC plugin
DarshitChanpura Dec 11, 2024
0548fc2
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Dec 11, 2024
193112b
Updates the ResourceAccessControlPlugin to have noop actions, renames…
DarshitChanpura Dec 13, 2024
cbbefa6
Adds ReflectPermissions for DefaultResourceAccessControlPlugin
DarshitChanpura Dec 13, 2024
d7d1f25
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Dec 13, 2024
a44b06a
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Dec 17, 2024
b58308e
Adds missing package-info
DarshitChanpura Dec 17, 2024
b25a9a7
Adds unit and integration tests
DarshitChanpura Dec 18, 2024
eb43578
Adds missing experimental annotations
DarshitChanpura Dec 18, 2024
bcd0f2b
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Dec 18, 2024
686f037
Uses jackson object-mapper to read resource class and updates the int…
DarshitChanpura Dec 18, 2024
0bf9fd1
Completes the integrations tests
DarshitChanpura Dec 18, 2024
4a073f1
Updates SHAs
DarshitChanpura Dec 18, 2024
34f160c
Comment and code cleanup
DarshitChanpura Dec 19, 2024
1df8e11
Fixes tests
DarshitChanpura Dec 19, 2024
eee5ce1
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Dec 20, 2024
77c56be
Adds integration tests for non-default RAC plugin
DarshitChanpura Dec 20, 2024
bb584bb
Removes unused dependency licenses
DarshitChanpura Dec 20, 2024
448307b
Adds missing license headers
DarshitChanpura Dec 20, 2024
d9f5262
Adds type bounding to Resource
DarshitChanpura Dec 20, 2024
1aff350
Updates Resource to be a serializable
DarshitChanpura Dec 20, 2024
f90b165
Adds getResourceName as API contract for Resource
DarshitChanpura Dec 20, 2024
5e6b8ff
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Dec 30, 2024
ce9d5ec
Removes notion of users, roles and backend_roles
DarshitChanpura Dec 30, 2024
7a868cb
Fixes gradle check failures
DarshitChanpura Dec 30, 2024
f1d3011
Fixes created by tests
DarshitChanpura Dec 31, 2024
00ba7a7
Adds test for recipient registry
DarshitChanpura Dec 31, 2024
6fb5055
Fixes a bug in toXContent
DarshitChanpura Dec 31, 2024
3dfc16e
Merge remote-tracking branch 'upstream/main' into resource-permissions
DarshitChanpura Dec 31, 2024
532d13a
Moves jackson dependency addition to server build.gradle
DarshitChanpura Dec 31, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Renames a bunch of files
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
  • Loading branch information
DarshitChanpura committed Aug 30, 2024
commit e98cb61b3711392ef41bc9a737f4e791c93806dc
Original file line number Diff line number Diff line change
@@ -8,7 +8,7 @@
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.OpenSearchException;
import org.opensearch.plugins.NoOpResourcePlugin;
import org.opensearch.plugins.NoOpResourceAccessControlPlugin;
import org.opensearch.plugins.ResourceAccessControlPlugin;
import org.opensearch.plugins.ResourcePlugin;

@@ -23,27 +23,37 @@
public class ResourceService {
private static final Logger log = LogManager.getLogger(ResourceService.class);

private final ResourcePlugin resourcePlugin;
private final ResourceAccessControlPlugin resourceACPlugin;
private final List<ResourcePlugin> resourcePlugins;

public ResourceService(final List<ResourceAccessControlPlugin> resourcePlugins) {
if (resourcePlugins.isEmpty()) {
log.info("Security plugin disabled: Using NoOpResourcePlugin");
resourcePlugin = new NoOpResourcePlugin();
} else if (resourcePlugins.size() == 1) {
public ResourceService(final List<ResourceAccessControlPlugin> resourceACPlugins, List<ResourcePlugin> resourcePlugins) {
this.resourcePlugins = resourcePlugins;

if (resourceACPlugins.isEmpty()) {
log.info("Security plugin disabled: Using NoOpResourceAccessControlPlugin");
resourceACPlugin = new NoOpResourceAccessControlPlugin();
} else if (resourceACPlugins.size() == 1) {
log.info("Security plugin enabled: Using OpenSearchSecurityPlugin");
resourcePlugin = resourcePlugins.get(0);
resourceACPlugin = resourceACPlugins.get(0);
} else {
throw new OpenSearchException(
"Multiple resource access control plugins are not supported, found: "
+ resourcePlugins.stream().map(Object::getClass).map(Class::getName).collect(Collectors.joining(","))
+ resourceACPlugins.stream().map(Object::getClass).map(Class::getName).collect(Collectors.joining(","))
);
}
}

/**
* Gets the current ResourcePlugin to perform authorization
*/
public ResourcePlugin getResourceAccessControlPlugin() {
return resourcePlugin;
public ResourceAccessControlPlugin getResourceAccessControlPlugin() {
return resourceACPlugin;
}

/**
* List active plugins that define resources
*/
public List<ResourcePlugin> listResourcePlugins() {
return resourcePlugins;
}
}
4 changes: 3 additions & 1 deletion server/src/main/java/org/opensearch/node/Node.java
Original file line number Diff line number Diff line change
@@ -214,6 +214,7 @@
import org.opensearch.plugins.PluginsService;
import org.opensearch.plugins.RepositoryPlugin;
import org.opensearch.plugins.ResourceAccessControlPlugin;
import org.opensearch.plugins.ResourcePlugin;
import org.opensearch.plugins.ScriptPlugin;
import org.opensearch.plugins.SearchPipelinePlugin;
import org.opensearch.plugins.SearchPlugin;
@@ -1063,7 +1064,8 @@ protected Node(
final List<ResourceAccessControlPlugin> resourceAccessControlPlugins = pluginsService.filterPlugins(
ResourceAccessControlPlugin.class
);
ResourceService resourceService = new ResourceService(resourceAccessControlPlugins);
final List<ResourcePlugin> resourcePlugins = pluginsService.filterPlugins(ResourcePlugin.class);
ResourceService resourceService = new ResourceService(resourceAccessControlPlugins, resourcePlugins);

final RestController restController = actionModule.getRestController();

Original file line number Diff line number Diff line change
@@ -19,7 +19,7 @@
*
* @opensearch.experimental
*/
public class NoOpResourcePlugin implements ResourcePlugin {
public class NoOpResourceAccessControlPlugin implements ResourceAccessControlPlugin {

/**
* Returns an empty list since security plugin is not defined.
Original file line number Diff line number Diff line change
@@ -8,10 +8,64 @@

package org.opensearch.plugins;

import org.opensearch.accesscontrol.resources.Resource;
import org.opensearch.accesscontrol.resources.ShareWith;

import java.util.List;
import java.util.Map;

/**
* Class to determine presence of security plugin in the cluster.
* This interface determines presence of security plugin in the cluster.
* If yes, security plugin will be used for resource access authorization
* User information is fetched from thread context by security plugin.
* In clusters, where security plugin is disabled these requests will be pass-through via a No-op implementation.
* There are 3 scope of sharing for a resource: Private, Restricted, Public. To learn more visit <a href="https://github.com/opensearch-project/security/issues/4500">...</a>
* If security plugin is disabled, all resources will be considered public by default.
* TODO: add documentation around "how to use"
*
* @opensearch.experimental
*/
public interface ResourceAccessControlPlugin extends ResourcePlugin {}
public interface ResourceAccessControlPlugin {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When thinking about the role of this plugin, I was thinking that its job is to initialize separate Resource(Sharing)Service per resource type and the role of the service would be the method below this one. i.e. resourceService.hasBeenSharedWith(String resourceId) - the resourceService is specific to the type of resource and would already have info necessary required to do the lookup.

These resourceServices would be assigned back to the ResourcePlugins which can be used to determine if a resource has been shared with the currently authenticated user.

When it comes to re-usable generic actions to get a resource or search for resources, we could consider adding a library that plugins can add a dependency on that has the re-usable generic actions. The ResourcePlugins could need to supply a ResourceParser so that the generic actions would know how to parse entries from the resource index. The jobParser from the job-scheduler has a model for generic parsing: https://github.com/opensearch-project/job-scheduler/blob/main/spi/src/main/java/org/opensearch/jobscheduler/spi/JobSchedulerExtension.java#L30-L33

/**
* Returns all accessible resources for current user.
*
* @return list of {@link Resource} items accessible by current user.
*/
List<Resource> listAccessibleResources();

/**
* Checks whether current user has permission to given resource.
*
*
* @param resource the resource on which access is to be checked
* @return true if current user has access, false otherwise
*/
boolean hasPermission(Resource resource);

/**
Copy link
Member

@cwperks cwperks Dec 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wdyt about implementing this and the method below as a REST API in the plugin that implements resource access control?

i.e. Security plugin could have an API

PUT /resource/{resource_type}/{id}/share_with
{
    "resource_id": "...",
    "resource_type": "...", // resource_type is 1 <-> 1 with resource index, but is a human-readable type
    "share_with": { 
         "users": ["userB"]
    }
}

Does this need to be part of the interface?

* Adds an entity to the share-with. Resource needs to be in restricted mode.
* @param type One of the {@link ShareWith} types
* @param entities List of names with whom to share this resource with
* @return a message whether sharing was successful.
*/
String shareWith(ShareWith type, List<String> entities);

/**
* Revokes given permission to a resource
*
* @param resourceId if of the resource to be updated
* @param systemIndexName index where this resource is defined
* @param revokeAccess a map that contains entries of entities whose access should be revoked
* @return true if revoke was successful, false if there was a failure
*/
boolean revoke(String resourceId, String systemIndexName, Map<ShareWith, List<String>> revokeAccess);

/**
* Deletes an entry from .resource_sharing index
* @param resource The resource to be removed from the index
* @return true if resource record was deleted, false otherwise
*/
boolean deleteResourceSharingRecord(Resource resource);

// TODO: Check whether methods for bulk updates are required
}
61 changes: 2 additions & 59 deletions server/src/main/java/org/opensearch/plugins/ResourcePlugin.java
Original file line number Diff line number Diff line change
@@ -8,66 +8,9 @@

package org.opensearch.plugins;

import org.opensearch.accesscontrol.resources.Resource;
import org.opensearch.accesscontrol.resources.ShareWith;

import java.util.List;
import java.util.Map;

/**
* This plugin class defines usage mechanisms for plugins to interact with resources.
* User information is fetched from thread context by security plugin.
* In clusters, where security plugin is disabled these requests will be pass-through via a No-op implementation.
* There are 3 scope of sharing for a resource: Private, Restricted, Public. To learn more visit <a href="https://github.com/opensearch-project/security/issues/4500">...</a>
* If security plugin is disabled, all resources will be considered public by default.
* TODO: add documentation around "how to use"
*
*
* This interface should be implemented by all the plugins that define one or more resources.
*
* @opensearch.experimental
*/
public interface ResourcePlugin {

/**
* Returns all accessible resources for current user.
*
* @return list of {@link Resource} items accessible by current user.
*/
List<Resource> listAccessibleResources();

/**
* Checks whether current user has permission to given resource.
*
*
* @param resource the resource on which access is to be checked
* @return true if current user has access, false otherwise
*/
boolean hasPermission(Resource resource);

/**
* Adds an entity to the share-with. Resource needs to be in restricted mode.
* @param type One of the {@link ShareWith} types
* @param entities List of names with whom to share this resource with
* @return a message whether sharing was successful.
*/
String shareWith(ShareWith type, List<String> entities);

/**
* Revokes given permission to a resource
*
* @param resourceId if of the resource to be updated
* @param systemIndexName index where this resource is defined
* @param revokeAccess a map that contains entries of entities whose access should be revoked
* @return true if revoke was successful, false if there was a failure
*/
boolean revoke(String resourceId, String systemIndexName, Map<ShareWith, List<String>> revokeAccess);

/**
* Deletes an entry from .resource_sharing index
* @param resource The resource to be removed from the index
* @return true if resource record was deleted, false otherwise
*/
boolean deleteResourceSharingRecord(Resource resource);

// TODO: Check whether methods for bulk updates are required
}
public interface ResourcePlugin {}