From 2403014c57ee63268e83d919db3334b676a8c992 Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Fri, 26 Apr 2024 10:11:40 -0700
Subject: [PATCH] tenancy access control (#992) (#993)
* Check user name for private tenant access control
* fix broken link
---------
(cherry picked from commit 99f02f3745d7e9a88c144b3f2cba000e153bfd07)
Signed-off-by: Sean Kao
Signed-off-by: github-actions[bot]
Co-authored-by: github-actions[bot]
---
 README.md | 2 +-
 .../opensearch/reportsscheduler/security/UserAccessManager.kt | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2354c0bb..099317f4 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ OpenSearch Dashboards Reports allows ‘Report Owner’ (engineers, including bu
 [reports-scheduler-it-badge]: https://img.shields.io/badge/Reports%20Scheduler%20IT%20tests-in%20progress-yellow
 [reports-scheduler-it-link]: https://github.com/opensearch-project/opensearch-build/issues/1124
 [reports-scheduler-it-code-badge]: https://img.shields.io/badge/Reports%20Scheduler%20code-blue
-[reports-scheduler-it-code-link]: https://github.com/opensearch-project/dashboards-reports/blob/main/reports-scheduler/src/test/kotlin/org/opensearch/reportsscheduler/ReportsSchedulerPluginIT.kt
+[reports-scheduler-it-code-link]: https://github.com/opensearch-project/reporting/blob/main/src/test/kotlin/org/opensearch/integTest/ReportsSchedulerPluginIT.kt
 [bwc-tests-badge]: https://img.shields.io/badge/BWC%20tests-in%20progress-yellow
 [bwc-tests-link]: https://github.com/opensearch-project/dashboards-reports/pull/244/files
 [good-first-badge]: https://img.shields.io/github/issues/opensearch-project/dashboards-reports/good%20first%20issue.svg
diff --git a/src/main/kotlin/org/opensearch/reportsscheduler/security/UserAccessManager.kt b/src/main/kotlin/org/opensearch/reportsscheduler/security/UserAccessManager.kt
index 9f25831f..c2f24534 100644
--- a/src/main/kotlin/org/opensearch/reportsscheduler/security/UserAccessManager.kt
+++ b/src/main/kotlin/org/opensearch/reportsscheduler/security/UserAccessManager.kt
@@ -118,6 +118,9 @@ internal object UserAccessManager {
 if (getUserTenant(user) != tenant) {
 return false
 }
+ if (isUserPrivateTenant(user)) {
+ return access.contains("$USER_TAG${user.name}")
+ }
 return if (PluginSettings.isRbacEnabled()) {
 user.backendRoles.map { "$BACKEND_ROLE_TAG$it" }.any { it in access }
 } else {
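Review bot: The added `isUserPrivateTenant(user)` branch now carries the whole cross-user isolation for private tenants, yet the commit ships it without a test; the diffstat lists only README.md and this file. A regression test that calls this check for a private-tenant user and expects `false` when `"$USER_TAG${user.name}"` is absent from `access`, and `true` when it is present, would pin the behaviour. The branch also returns before the `PluginSettings.isRbacEnabled()` check, so private-tenant access is decided by user name alone whether or not RBAC is enabled; that looks intentional, and a comment such as `// private tenant id is shared across users, so match the owner by name` would make it explicit, once confirmed as the actual reason. The check fails closed for any stored object whose `access` list has no `USER_TAG` entry, so it is worth confirming that every write path adds one. The enclosing function starts and ends outside the hunk.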