InjectSecurity - inject User object in UserInfo in threadContext #396
Conversation
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #396 +/- ##
=======================================
Coverage ? 73.20%
Complexity ? 700
=======================================
Files ? 110
Lines ? 4631
Branches ? 610
=======================================
Hits ? 3390
Misses ? 985
Partials ? 256
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Signed-off-by: Petar <petar.dzepina@gmail.com>
petardz
force-pushed
the
injectsecurity-userinfo
branch
from
90f1c8f to
0053ee6
Compare
| if (user == null) { | ||
| return; | ||
| } | ||
| if (threadContext.getTransient(ConfigConstants.OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT) != null) { |
There was a problem hiding this comment.
can we log in the error message the value present in threadContext.getTransient(ConfigConstants.OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT)
There was a problem hiding this comment.
Yeah, the error message may not be that useful.
Can you add in the comment of this method that this should only be used within plugin after stash the context and injecting user permission? I think this is the only use case of this method.
There was a problem hiding this comment.
Added comments, better logging and unit test
| StringJoiner joiner = new StringJoiner("|"); | ||
| joiner.add(user.getName()); | ||
| joiner.add(java.lang.String.join(",", user.getBackendRoles())); | ||
| joiner.add(java.lang.String.join(",", user.getRoles())); |
There was a problem hiding this comment.
Is there already a method to reuse for combining these?
There was a problem hiding this comment.
I didn't find one. ISM has one in SecurityUtils (generateUserString)
There was a problem hiding this comment.
This is the source of where this ThreadContext header is populated from the security plugin: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java#L197-L209
This is done in the PrivilegesEvaluator which is called from the SecurityFilter which is the first action filter that is applied before a transport request is executed on a node.
mappedRoles in this method is the set of roles that are resolved to as part of the roles resolution process which is calculating via a roles mapping like:
# mapping for role1
role1
{
"backend_roles" : [ "starfleet", "captains", "defectors" ],
"hosts" : [ "*.starfleetintranet.com" ],
"users" : [ "kirk", "spock" ],
"and_backend_roles": ["enterprise", "voyager"] // User must have all backend roles in this list to be mapped to role1
}
There was a problem hiding this comment.
@cwperks thanks for checking on this. If there's any possible regression in the future, please help track it in some issue.
There was a problem hiding this comment.
@bowenlan-amzn No regression that I can see. I saw this PR and wanted to get familiar with what it was introducing. I thought I'd leave a fly-by comment for future reference in case anyone wants to know where this threadcontext header originally comes from.
Signed-off-by: Petar <petar.dzepina@gmail.com>
petardz
force-pushed
the
injectsecurity-userinfo
branch
from
67e9728 to
98eb7f1
Compare
Signed-off-by: Petar <petar.dzepina@gmail.com>
petardz
force-pushed
the
injectsecurity-userinfo
branch
from
41890cf to
a85eba0
Compare
* Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa)
* Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa)
* Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa)
* Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa)
* Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa)
* Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa)
* Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa)
* Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa)
…nsearch-project#396) (opensearch-project#399) * Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa) Co-authored-by: Petar Dzepina <petar.dzepina@gmail.com>
…nsearch-project#396) (opensearch-project#399) * Added user_info injection of User object in InjectSecurity Signed-off-by: Petar <petar.dzepina@gmail.com> (cherry picked from commit f7639aa) Co-authored-by: Petar Dzepina <petar.dzepina@gmail.com> Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
6 participants
Description
Added user_info injection of User object in InjectSecurity
Pre-requisite for opensearch-project/alerting#852
Issues Resolved
[List any issues this PR will resolve]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.