Changes to make PIT security model granular

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -66,6 +66,7 @@
 import org.opensearch.Version;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionResponse;
+import org.opensearch.action.search.PitService;
 import org.opensearch.action.search.SearchScrollAction;
 import org.opensearch.action.support.ActionFilter;
 import org.opensearch.client.Client;
@@ -1160,13 +1161,15 @@ public static class GuiceHolder implements LifecycleComponent {
         private static RepositoriesService repositoriesService;
         private static RemoteClusterService remoteClusterService;
         private static IndicesService indicesService;
+        private static PitService pitService;
 
         @Inject
         public GuiceHolder(final RepositoriesService repositoriesService,
-                final TransportService remoteClusterService, IndicesService indicesService) {
+                final TransportService remoteClusterService, IndicesService indicesService, PitService pitService) {
             GuiceHolder.repositoriesService = repositoriesService;
             GuiceHolder.remoteClusterService = remoteClusterService.getRemoteClusterService();
             GuiceHolder.indicesService = indicesService;
+            GuiceHolder.pitService = pitService;
         }
 
         public static RepositoriesService getRepositoriesService() {
@@ -1180,6 +1183,10 @@ public static RemoteClusterService getRemoteClusterService() {
         public static IndicesService getIndicesService() {
             return indicesService;
         }
+
+        public static PitService getPitService() {
+            return pitService;
+        }
 
         @Override
         public void close() {

src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java

@@ -130,6 +130,7 @@ public class PrivilegesEvaluator {
     private final SecurityIndexAccessEvaluator securityIndexAccessEvaluator;
     private final ProtectedIndexAccessEvaluator protectedIndexAccessEvaluator;
     private final TermsAggregationEvaluator termsAggregationEvaluator;
+    private final PitAccessEvaluator pitAccessEvaluator;
     private final boolean dlsFlsEnabled;
     private final boolean dfmEmptyOverwritesAll;
     private DynamicConfigModel dcm;
@@ -158,6 +159,7 @@ public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool
         securityIndexAccessEvaluator = new SecurityIndexAccessEvaluator(settings, auditLog, irr);
         protectedIndexAccessEvaluator = new ProtectedIndexAccessEvaluator(settings, auditLog);
         termsAggregationEvaluator = new TermsAggregationEvaluator();
+        pitAccessEvaluator = new PitAccessEvaluator();
         this.namedXContentRegistry = namedXContentRegistry;
         this.dlsFlsEnabled = dlsFlsEnabled;
         this.dfmEmptyOverwritesAll = settings.getAsBoolean(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false);
@@ -282,6 +284,12 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
             return presponse;
         }
 
+        // check access for point in time requests
+        if(pitAccessEvaluator.evaluate(request, clusterService, user, securityRoles,
+                action0, resolver, presponse).isComplete()) {
+            return presponse;
+        }
+
         final boolean dnfofEnabled = dcm.isDnfofEnabled();
 
         final boolean isTraceEnabled = log.isTraceEnabled();

src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java

@@ -370,11 +370,11 @@ public final static class Resolved {
         private final boolean isLocalAll;
         private final IndicesOptions indicesOptions;
 
-        private Resolved(final ImmutableSet<String> aliases,
-                         final ImmutableSet<String> allIndices,
-                         final ImmutableSet<String> originalRequested,
-                         final ImmutableSet<String> remoteIndices,
-                         IndicesOptions indicesOptions) {
+        public Resolved(final ImmutableSet<String> aliases,
+                        final ImmutableSet<String> allIndices,
+                        final ImmutableSet<String> originalRequested,
+                        final ImmutableSet<String> remoteIndices,
+                        IndicesOptions indicesOptions) {
             this.aliases = aliases;
             this.allIndices = allIndices;
             this.originalRequested = originalRequested;

src/main/resources/static_config/static_action_groups.yml

@@ -233,8 +233,10 @@ manage_point_in_time:
   static: true
   allowed_actions:
     - "indices:data/read/point_in_time/create"
-    - "cluster:admin/point_in_time/delete"
-    - "cluster:admin/point_in_time/read*"
+    - "indices:data/read/point_in_time/delete"
+    - "indices:data/read/point_in_time/readall"
+    - "indices:data/read/search"
+    - "cluster:admin/point_in_time/read_from_nodes"
     - "indices:monitor/point_in_time/segments"
-  type: "cluster"
+  type: "index"
   description: "Manage point in time actions"

src/test/java/org/opensearch/security/PitIntegrationTests.java

@@ -0,0 +1,179 @@
+/*
+ * Copyright 2015-2018 _floragunn_ GmbH
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security;
+
+import org.apache.http.HttpStatus;
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.opensearch.action.index.IndexRequest;
+import org.opensearch.action.support.WriteRequest;
+import org.opensearch.client.Client;
+import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.security.test.SingleClusterTest;
+import org.opensearch.security.test.helper.rest.RestHelper;
+
+/**
+ * Integration tests to test point in time APIs permission model
+ */
+public class PitIntegrationTests  extends SingleClusterTest {
+
+    @Test
+    public void pitCreateWithDeleteAll() throws Exception {
+        setup();
+        RestHelper rh = nonSslRestHelper();
+
+        // Create two indices
+        try (Client tc = getClient()) {
+            tc.index(new IndexRequest("pit_1").id("1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).
+                    source("{\"content\":1}", XContentType.JSON)).actionGet();
+            tc.index(new IndexRequest("pit_2").id("2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).
+                    source("{\"content\":2}", XContentType.JSON)).actionGet();
+        }
+
+        RestHelper.HttpResponse resc;
+
+        // Create point in time in index should be successful since the user has permission for index
+        resc = rh.executePostRequest("/pit_1/_search/point_in_time?keep_alive=100m", "",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // Create point in time in index for which the user does not have permission
+        resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode());
+
+        // Create point in time in index for which the user has permission for
+        resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "",
+                encodeBasicHeader("pit-2", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // Delete all PITs should work since there is atleast one PIT for which user has access for
+        resc = rh.executeDeleteRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // Delete all PITs should throw error since there are no PITs for which the user has access for
+        resc = rh.executeDeleteRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode());
+
+        // Delete all PITs should work since there is atleast one PIT for which user has access for
+        resc = rh.executeDeleteRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-2", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // Delete all PITs should work since there are no PITs in the cluster
+        resc = rh.executeDeleteRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_NOT_FOUND, resc.getStatusCode());
+    }
+
+    @Test
+    public void pitCreateWithGetAll() throws Exception {
+        setup();
+        RestHelper rh = nonSslRestHelper();
+
+        // Create two indices
+        try (Client tc = getClient()) {
+            tc.index(new IndexRequest("pit_1").id("1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).
+                    source("{\"content\":1}", XContentType.JSON)).actionGet();
+            tc.index(new IndexRequest("pit_2").id("2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).
+                    source("{\"content\":2}", XContentType.JSON)).actionGet();
+        }
+
+        RestHelper.HttpResponse resc;
+
+        // Create point in time in index should be successful since the user has permission for index
+        resc = rh.executePostRequest("/pit_1/_search/point_in_time?keep_alive=100m", "",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // Create point in time in index for which the user does not have permission
+        resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode());
+
+        // Create point in time in index for which the user has permission for
+        resc = rh.executePostRequest("/pit_2/_search/point_in_time?keep_alive=100m", "",
+                encodeBasicHeader("pit-2", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // List all PITs should work since there is atleast one PIT for which user has access for
+        resc = rh.executeGetRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // PIT segments should work since there is atleast one PIT for which user has access for
+        resc = rh.executeGetRequest("/_cat/pit_segments/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        Thread.sleep(500);
+
+        // Delete all PITs should work since there is atleast one PIT for which user has access for
+        resc = rh.executeDeleteRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+
+        // List all PITs should throw error since there are no PITs for which the user has access for
+        resc = rh.executeGetRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode());
+
+        // PIT segments should throw error since there are PITs in system but no PIT for which user has access for
+        resc = rh.executeGetRequest("/_cat/pit_segments/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode());
+
+        // List all PITs should work since there is atleast one PIT for which user has access for
+        resc = rh.executeGetRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-2", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // PIT segments should work since there is atleast one PIT for which user has access for
+        resc = rh.executeGetRequest("/_cat/pit_segments/_all",
+                encodeBasicHeader("pit-2", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // Delete all PITs should work since there is atleast one PIT for which user has access for
+        resc = rh.executeDeleteRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-2", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+
+        // List all PITs should work since there are no PITs in the cluster
+        resc = rh.executeGetRequest("/_search/point_in_time/_all",
+                encodeBasicHeader("pit-1", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_NOT_FOUND, resc.getStatusCode());
+
+
+        // PIT segments should work since there is atleast one PIT for which user has access for
+        resc = rh.executeGetRequest("/_cat/pit_segments/_all",
+                encodeBasicHeader("pit-2", "nagilum"));
+        Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
+    }
+}

src/test/resources/internal_users.yml

@@ -346,6 +346,12 @@ ds2:
 ds3:
   hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
   #password is: nagilum
+pit-1:
+  hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
+  #password is: nagilum
+pit-2:
+  hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
+  #password is: nagilum
 hidden_test:
   hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
   opendistro_security_roles:

src/test/resources/roles.yml

@@ -1128,7 +1128,37 @@ data_stream_3:
         - "*"
       allowed_actions:
         - "DATASTREAM_ALL"
+point_in_time_1:
+  reserved: true
+  hidden: false
+  description: "Migrated from v6 (all types mapped)"
+  cluster_permissions:
+    - "cluster:admin/point_in_time/read_from_nodes"
+    - "cluster_monitor"
+  index_permissions:
+    - index_patterns:
+        - "pit_1"
+      dls: null
+      fls: null
+      masked_fields: null
+      allowed_actions:
+        - "manage_point_in_time"
 
+point_in_time_2:
+  reserved: true
+  hidden: false
+  description: "Migrated from v6 (all types mapped)"
+  cluster_permissions:
+    - "cluster:admin/point_in_time/read_from_nodes"
+    - "cluster_monitor"
+  index_permissions:
+    - index_patterns:
+        - "pit_2"
+      dls: null
+      fls: null
+      masked_fields: null
+      allowed_actions:
+        - "manage_point_in_time"
 hidden_test:
   cluster_permissions:
   - SGS_CLUSTER_COMPOSITE_OPS

src/test/resources/roles_mapping.yml

@@ -413,6 +413,16 @@ data_stream_3:
   hidden: false
   users:
     - "ds3"
+point_in_time_1:
+  reserved: false
+  hidden: false
+  users:
+    - "pit-1"
+point_in_time_2:
+  reserved: false
+  hidden: false
+  users:
+    - "pit-2"
 sem-role:
   reserved: false
   hidden: false