Remove whitelist settings in favor of allowlist (opensearch-project#5224)

Signed-off-by: shikharj05 <8859327+shikharj05@users.noreply.github.com>

Author: shikharj05

config/opensearch.yml.example

@@ -17,11 +17,11 @@ plugins.security.nodes_dn:
   - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE"
 
 # The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to
-# manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured
+# manage the allowlisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured
 # Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs
 # which provide means to update/retrieve nodesdn dynamically.
 #
-# NOTE: The overall whitelisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored
+# NOTE: The overall allowlisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored
 # in security index.
 # (default: false)
 # NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set.

config/whitelist.yml

@@ -33,8 +33,7 @@ public static Path createConfigurationDirectory() {
                 CType.ROLES.configFileName(),
                 CType.ROLESMAPPING.configFileName(),
                 "security_tenants.yml",
-                CType.TENANTS.configFileName(),
-                CType.WHITELIST.configFileName() };
+                CType.TENANTS.configFileName() };
             for (String fileName : configurationFiles) {
                 copyResourceToFile(fileName, tempDirectory.resolve(fileName));
             }

src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java

@@ -147,8 +147,8 @@ public void noData(String id) {
                 // Since NODESDN is newly introduced data-type applying for existing clusters as well, we make it backward compatible by
                 // returning valid empty
                 // SecurityDynamicConfiguration.
-                // Same idea for new setting WHITELIST/ALLOWLIST
-                if (cType == CType.NODESDN || cType == CType.WHITELIST || cType == CType.ALLOWLIST) {
+                // Same idea for new setting ALLOWLIST
+                if (cType == CType.NODESDN || cType == CType.ALLOWLIST) {
                     try {
                         SecurityDynamicConfiguration<?> empty = ConfigHelper.createEmptySdc(
                             cType,

src/integrationTest/resources/whitelist.yml

@@ -249,14 +249,6 @@ private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
                                 DEFAULT_CONFIG_VERSION,
                                 populateEmptyIfFileMissing
                             );
-                            ConfigHelper.uploadFile(
-                                client,
-                                cd + "whitelist.yml",
-                                securityIndex,
-                                CType.WHITELIST,
-                                DEFAULT_CONFIG_VERSION,
-                                populateEmptyIfFileMissing
-                            );
                             ConfigHelper.uploadFile(
                                 client,
                                 cd + "allowlist.yml",

src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java

@@ -27,7 +27,6 @@ public enum Endpoint {
     RATELIMITERS,
     MIGRATE,
     VALIDATE,
-    WHITELIST,
     ALLOWLIST,
     NODESDN,
     SSL;

src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java

@@ -90,8 +90,6 @@ public static Collection<RestHandler> getHandler(
             new TenantsApiAction(clusterService, threadPool, securityApiDependencies),
             new AccountApiAction(clusterService, threadPool, securityApiDependencies, passwordHasher),
             new NodesDnApiAction(clusterService, threadPool, securityApiDependencies),
-            new WhitelistApiAction(clusterService, threadPool, securityApiDependencies),
-            // FIXME change it as soon as WhitelistApiAction will be removed
             new AllowlistApiAction(Endpoint.ALLOWLIST, clusterService, threadPool, securityApiDependencies),
             new AuditApiAction(clusterService, threadPool, securityApiDependencies),
             new MultiTenancyConfigApiAction(clusterService, threadPool, securityApiDependencies),

src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java

@@ -55,7 +55,6 @@
 import org.opensearch.security.privileges.PrivilegesEvaluatorResponse;
 import org.opensearch.security.privileges.RestLayerPrivilegesEvaluator;
 import org.opensearch.security.securityconf.impl.AllowlistingSettings;
-import org.opensearch.security.securityconf.impl.WhitelistingSettings;
 import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
 import org.opensearch.security.ssl.transport.PrincipalExtractor;
 import org.opensearch.security.ssl.util.ExceptionUtils;
@@ -86,7 +85,6 @@ public class SecurityRestFilter {
     private final Path configPath;
     private final CompatConfig compatConfig;
 
-    private WhitelistingSettings whitelistingSettings;
     private AllowlistingSettings allowlistingSettings;
 
     public static final String HEALTH_SUFFIX = "health";
@@ -114,7 +112,6 @@ public SecurityRestFilter(
         this.settings = settings;
         this.configPath = configPath;
         this.compatConfig = compatConfig;
-        this.whitelistingSettings = new WhitelistingSettings();
         this.allowlistingSettings = new AllowlistingSettings();
     }
 
@@ -179,8 +176,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
             if (user != null) {
                 auditLog.logSucceededLogin(user.getName(), false, intiatingUser, requestChannel);
             }
-            final Optional<SecurityResponse> deniedResponse = whitelistingSettings.checkRequestIsAllowed(requestChannel)
-                .or(() -> allowlistingSettings.checkRequestIsAllowed(requestChannel));
+            final Optional<SecurityResponse> deniedResponse = allowlistingSettings.checkRequestIsAllowed(requestChannel);
 
             if (deniedResponse.isPresent()) {
                 channel.sendResponse(deniedResponse.get().asRestResponse());
@@ -207,7 +203,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
      * If allowlisting is enabled, then Non-SuperAdmin is allowed to access only those APIs that are allowlisted in {@link #requests}
      * For example: if allowlisting is enabled and requests = ["/_cat/nodes"], then SuperAdmin can access all APIs, but non SuperAdmin
      * can only access "/_cat/nodes"
-     * Further note: Some APIs are only accessible by SuperAdmin, regardless of allowlisting. For example: /_opendistro/_security/api/whitelist is only accessible by SuperAdmin.
+     * Further note: Some APIs are only accessible by SuperAdmin, regardless of allowlisting. For example: /_opendistro/_security/api/allowlist is only accessible by SuperAdmin.
      * See {@link AllowlistApiAction} for the implementation of this API.
      * SuperAdmin is identified by credentials, which can be passed in the curl request.
      */
@@ -320,11 +316,6 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t
         }
     }
 
-    @Subscribe
-    public void onWhitelistingSettingChanged(WhitelistingSettings whitelistingSettings) {
-        this.whitelistingSettings = whitelistingSettings;
-    }
-
     @Subscribe
     public void onAllowlistingSettingChanged(AllowlistingSettings allowlistingSettings) {
         this.allowlistingSettings = allowlistingSettings;