Adds support for leveraging user custom attributes in Alerting monitors (#1917)

* update code to access custom attributes, not custom attribute names, when managing monitors

Signed-off-by: Mark Boyd <[email protected]>

* fix reference to custom attributes property

Signed-off-by: Mark Boyd <[email protected]>

* try to fix type errors

Signed-off-by: Mark Boyd <[email protected]>

* make sure to pass along user to InjectorContextElement when running query level and bucket level monitors

Signed-off-by: Mark Boyd <[email protected]>

* fix kotlin compilation errors

Signed-off-by: Mark Boyd <[email protected]>

* update randomAnomalyResult() to properly stringify custom user attributes when inserting them into test documents

Signed-off-by: Mark Boyd <[email protected]>

* add AlertingRestTestCase.createUserWithAttributes helper for creating test users with attributes

Signed-off-by: Mark Boyd <[email protected]>

* add new test to validate query-level monitors work correctly with users having custom attributes and roles using DLS with attribute substitution

Signed-off-by: Mark Boyd <[email protected]>

* add security plugin setting to enable user attribute serialization for integration tests

Signed-off-by: Mark Boyd <[email protected]>

* update test user setup for integration test of query level monitor with dynamic DLS

Signed-off-by: Mark Boyd <[email protected]>

* fix custom_attributes -> attributes when creating user using API

Signed-off-by: Mark Boyd <[email protected]>

* update alert mappping definition to support custom_attributes for a user

Signed-off-by: Mark Boyd <[email protected]>

* update more mappings to include custom_attributes

Signed-off-by: Mark Boyd <[email protected]>

* remove newlines from the end of the JSON mapping files

Signed-off-by: Mark Boyd <[email protected]>

* fix expected schema versions in test

Signed-off-by: Mark Boyd <[email protected]>

* update expected schema version of scheduled jobs mapping for another integration test

Signed-off-by: Mark Boyd <[email protected]>

* remove custom_attributes property from mappings

Signed-off-by: Mark Boyd <[email protected]>

* revert updated schema versions for mappings

Signed-off-by: Mark Boyd <[email protected]>

* update randomAnomalyResult() to use custom_attribute_names property in JSON

Signed-off-by: Mark Boyd <[email protected]>

* revert test assertions for updated schema versions

Signed-off-by: Mark Boyd <[email protected]>

* remove custom_attributes property from scheduled jobs mapping

Signed-off-by: Mark Boyd <[email protected]>

---------

Signed-off-by: Mark Boyd <[email protected]>

Author: markdboyd

alerting/build.gradle

@@ -107,7 +107,7 @@ configurations.all {
         force "commons-codec:commons-codec:1.13"
 
         force "org.slf4j:slf4j-api:${versions.slf4j}" //Needed for http5
-        
+
         // This is required because kotlin-coroutines-core 1.1.1 still requires kotlin stdlib 1.3.20 and we're using a higher kotlin version
         force "org.jetbrains.kotlin:kotlin-stdlib:${kotlin_version}"
         force "org.jetbrains.kotlin:kotlin-stdlib-common:${kotlin_version}"
@@ -286,6 +286,7 @@ testClusters.integTest.nodes.each { node ->
         node.setting("plugins.security.check_snapshot_restore_write_privileges", "true")
         node.setting("plugins.security.restapi.roles_enabled", "[\"all_access\", \"security_rest_api_access\"]")
         node.setting("plugins.security.system_indices.enabled", "true")
+        node.setting("plugins.security.user_attribute_serialization.enabled", "true")
     }
 }
 

alerting/src/main/kotlin/org/opensearch/alerting/BucketLevelMonitorRunner.kt

@@ -124,7 +124,15 @@ object BucketLevelMonitorRunner : MonitorRunner() {
             //  If a setting is imposed that limits buckets that can be processed for Bucket-Level Monitors, we'd need to iterate over
             //  the buckets until we hit that threshold. In that case, we'd want to exit the execution without creating any alerts since the
             //  buckets we iterate over before hitting the limit is not deterministic. Is there a better way to fail faster in this case?
-            withClosableContext(InjectorContextElement(monitor.id, monitorCtx.settings!!, monitorCtx.threadPool!!.threadContext, roles)) {
+            withClosableContext(
+                InjectorContextElement(
+                    monitor.id,
+                    monitorCtx.settings!!,
+                    monitorCtx.threadPool!!.threadContext,
+                    roles,
+                    monitor.user
+                )
+            ) {
                 // Storing the first page of results in the case of pagination input results to prevent empty results
                 // in the final output of monitorResult which occurs when all pages have been exhausted.
                 // If it's favorable to return the last page, will need to check how to accomplish that with multiple aggregation paths

alerting/src/main/kotlin/org/opensearch/alerting/QueryLevelMonitorRunner.kt

@@ -55,7 +55,15 @@ object QueryLevelMonitorRunner : MonitorRunner() {
             return monitorResult.copy(error = e)
         }
         if (!isADMonitor(monitor)) {
-            withClosableContext(InjectorContextElement(monitor.id, monitorCtx.settings!!, monitorCtx.threadPool!!.threadContext, roles)) {
+            withClosableContext(
+                InjectorContextElement(
+                    monitor.id,
+                    monitorCtx.settings!!,
+                    monitorCtx.threadPool!!.threadContext,
+                    roles,
+                    monitor.user
+                )
+            ) {
                 monitorResult = monitorResult.copy(
                     inputResults = monitorCtx.inputService!!.collectInputResults(monitor, periodStart, periodEnd, null, workflowRunContext)
                 )

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexMonitorAction.kt

@@ -267,11 +267,11 @@ class TransportIndexMonitorAction @Inject constructor(
             if (user == null) {
                 // Security is disabled, add empty user to Monitor. user is null for older versions.
                 request.monitor = request.monitor
-                    .copy(user = User("", listOf(), listOf(), listOf()))
+                    .copy(user = User("", listOf(), listOf(), mapOf()))
                 start()
             } else {
                 request.monitor = request.monitor
-                    .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames))
+                    .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttributes))
                 start()
             }
         }
@@ -280,12 +280,12 @@ class TransportIndexMonitorAction @Inject constructor(
             if (user == null) {
                 // Security is disabled, add empty user to Monitor. user is null for older versions.
                 request.monitor = request.monitor
-                    .copy(user = User("", listOf(), listOf(), listOf()))
+                    .copy(user = User("", listOf(), listOf(), mapOf()))
                 start()
             } else {
                 try {
                     request.monitor = request.monitor
-                        .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames))
+                        .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttributes))
                     val searchSourceBuilder = SearchSourceBuilder().size(0)
                     if (getRoleFilterEnabled(clusterService, settings, "plugins.anomaly_detection.filter_by_backend_roles")) {
                         addUserBackendRolesFilter(user, searchSourceBuilder)
@@ -491,7 +491,7 @@ class TransportIndexMonitorAction @Inject constructor(
                 else request.rbacRoles
 
                 request.monitor = request.monitor.copy(
-                    user = User(user.name, rbacRoles.orEmpty().toList(), user.roles, user.customAttNames)
+                    user = User(user.name, rbacRoles.orEmpty().toList(), user.roles, user.customAttributes)
                 )
                 log.debug("Created monitor's backend roles: $rbacRoles")
             }
@@ -649,20 +649,20 @@ class TransportIndexMonitorAction @Inject constructor(
                 if (request.rbacRoles != null) {
                     if (isAdmin(user)) {
                         request.monitor = request.monitor.copy(
-                            user = User(user.name, request.rbacRoles, user.roles, user.customAttNames)
+                            user = User(user.name, request.rbacRoles, user.roles, user.customAttributes)
                         )
                     } else {
                         // rolesToRemove: these are the backend roles to remove from the monitor
                         val rolesToRemove = user.backendRoles - request.rbacRoles.orEmpty()
                         // remove the monitor's roles with rolesToRemove and add any roles passed into the request.rbacRoles
                         val updatedRbac = currentMonitor.user?.backendRoles.orEmpty() - rolesToRemove + request.rbacRoles.orEmpty()
                         request.monitor = request.monitor.copy(
-                            user = User(user.name, updatedRbac, user.roles, user.customAttNames)
+                            user = User(user.name, updatedRbac, user.roles, user.customAttributes)
                         )
                     }
                 } else {
                     request.monitor = request.monitor
-                        .copy(user = User(user.name, currentMonitor.user!!.backendRoles, user.roles, user.customAttNames))
+                        .copy(user = User(user.name, currentMonitor.user!!.backendRoles, user.roles, user.customAttributes))
                 }
                 log.debug("Update monitor backend roles to: ${request.monitor.user?.backendRoles}")
             }

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexWorkflowAction.kt

@@ -223,11 +223,11 @@ class TransportIndexWorkflowAction @Inject constructor(
                 if (user == null) {
                     // Security is disabled, add empty user to Workflow. user is null for older versions.
                     request.workflow = request.workflow
-                        .copy(user = User("", listOf(), listOf(), listOf()))
+                        .copy(user = User("", listOf(), listOf(), mapOf()))
                     start()
                 } else {
                     request.workflow = request.workflow
-                        .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames))
+                        .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttributes))
                     start()
                 }
             }
@@ -346,7 +346,7 @@ class TransportIndexWorkflowAction @Inject constructor(
                 else request.rbacRoles
 
                 request.workflow = request.workflow.copy(
-                    user = User(user.name, rbacRoles.orEmpty().toList(), user.roles, user.customAttNames)
+                    user = User(user.name, rbacRoles.orEmpty().toList(), user.roles, user.customAttributes)
                 )
                 log.debug("Created workflow's backend roles: $rbacRoles")
             }
@@ -484,7 +484,7 @@ class TransportIndexWorkflowAction @Inject constructor(
                 if (request.rbacRoles != null) {
                     if (isAdmin(user)) {
                         request.workflow = request.workflow.copy(
-                            user = User(user.name, request.rbacRoles, user.roles, user.customAttNames)
+                            user = User(user.name, request.rbacRoles, user.roles, user.customAttributes)
                         )
                     } else {
                         // rolesToRemove: these are the backend roles to remove from the monitor
@@ -493,7 +493,7 @@ class TransportIndexWorkflowAction @Inject constructor(
                         val updatedRbac =
                             currentWorkflow.user?.backendRoles.orEmpty() - rolesToRemove + request.rbacRoles.orEmpty()
                         request.workflow = request.workflow.copy(
-                            user = User(user.name, updatedRbac, user.roles, user.customAttNames)
+                            user = User(user.name, updatedRbac, user.roles, user.customAttributes)
                         )
                     }
                 } else {
@@ -503,7 +503,7 @@ class TransportIndexWorkflowAction @Inject constructor(
                                 user.name,
                                 currentWorkflow.user!!.backendRoles,
                                 user.roles,
-                                user.customAttNames
+                                user.customAttributes
                             )
                         )
                 }

alerting/src/test/kotlin/org/opensearch/alerting/ADTestHelpers.kt

@@ -472,7 +472,7 @@ fun maxAnomalyGradeSearchInput(
 
 fun adMonitorTrigger(): QueryLevelTrigger {
     val triggerScript = """
-            return ctx.results[0].aggregations.max_anomaly_grade.value != null && 
+            return ctx.results[0].aggregations.max_anomaly_grade.value != null &&
                    ctx.results[0].aggregations.max_anomaly_grade.value > 0.7
     """.trimIndent()
     return randomQueryLevelTrigger(condition = Script(triggerScript))
@@ -503,6 +503,6 @@ fun randomADMonitor(
 fun randomADUser(backendRole: String = OpenSearchRestTestCase.randomAlphaOfLength(10)): User {
     return User(
         OpenSearchRestTestCase.randomAlphaOfLength(10), listOf(backendRole),
-        listOf(OpenSearchRestTestCase.randomAlphaOfLength(10), ALL_ACCESS_ROLE), listOf("test_attr=test")
+        listOf(OpenSearchRestTestCase.randomAlphaOfLength(10), ALL_ACCESS_ROLE), mapOf("test_attr" to "test")
     )
 }

alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt

@@ -1504,13 +1504,20 @@ abstract class AlertingRestTestCase : ODFERestTestCase() {
     }
 
     fun createUser(name: String, backendRoles: Array<String>) {
+        this.createUserWithAttributes(name, backendRoles, mapOf())
+    }
+
+    fun createUserWithAttributes(name: String, backendRoles: Array<String>, customAttributes: Map<String, String>) {
         val request = Request("PUT", "/_plugins/_security/api/internalusers/$name")
         val broles = backendRoles.joinToString { it -> "\"$it\"" }
+        val customAttributesString = customAttributes.entries.joinToString(prefix = "{", separator = ", ", postfix = "}") {
+            "\"${it.key}\": \"${it.value}\""
+        }
         var entity = " {\n" +
             "\"password\": \"$password\",\n" +
             "\"backend_roles\": [$broles],\n" +
-            "\"attributes\": {\n" +
-            "}} "
+            "\"attributes\": $customAttributesString\n" +
+            "} "
         request.setJsonEntity(entity)
         client().performRequest(request)
     }

alerting/src/test/kotlin/org/opensearch/alerting/MonitorRunnerServiceIT.kt

@@ -1072,7 +1072,7 @@ class MonitorRunnerServiceIT : AlertingRestTestCase() {
             // for old monitor before enable FGAC, the user field is empty
             val monitor = randomADMonitor(
                 inputs = listOf(adSearchInput(detectorId)), triggers = listOf(adMonitorTrigger()),
-                user = User(user.name, listOf(), user.roles, user.customAttNames)
+                user = User(user.name, listOf(), user.roles, user.customAttributes)
             )
             val response = executeMonitor(monitor, params = DRYRUN_MONITOR)
             val output = entityAsMap(response)
@@ -2252,7 +2252,7 @@ class MonitorRunnerServiceIT : AlertingRestTestCase() {
         indexDoc(adResultIndex, "3", testResult3)
         val testResult4 = randomAnomalyResult(
             detectorId = detectorId, executionEndTime = testTime,
-            user = User(user.name, listOf(), user.roles, user.customAttNames),
+            user = User(user.name, listOf(), user.roles, user.customAttributes),
             anomalyGrade = 0.9
         )
         indexDoc(adResultIndex, "4", testResult4)

alerting/src/test/kotlin/org/opensearch/alerting/TestHelpers.kt

@@ -664,12 +664,12 @@ fun randomUser(): User {
             OpenSearchRestTestCase.randomAlphaOfLength(10)
         ),
         listOf(OpenSearchRestTestCase.randomAlphaOfLength(10), ALL_ACCESS_ROLE),
-        listOf("test_attr=test")
+        mapOf("test_attr" to "test"),
     )
 }
 
 fun randomUserEmpty(): User {
-    return User("", listOf(), listOf(), listOf())
+    return User("", listOf(), listOf(), mapOf())
 }
 
 fun EmailAccount.toJsonString(): String {

alerting/src/test/kotlin/org/opensearch/alerting/resthandler/SecureMonitorRestApiIT.kt

@@ -1401,7 +1401,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() {
     /*
     TODO: https://github.com/opensearch-project/alerting/issues/300
      */
-    fun `test execute query-level monitor with user having partial index permissions`() {
+    fun `test execute query-level monitor with user role using static DLS`() {
         createUser(user, arrayOf(TEST_HR_BACKEND_ROLE))
         createTestIndex(TEST_HR_INDEX)
         createIndexRoleWithDocLevelSecurity(
@@ -1418,7 +1418,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() {
             """
             {
               "test_field": "a",
-              "accessible": true 
+              "accessible": true
             }
             """.trimIndent()
         )
@@ -1437,7 +1437,64 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() {
         val input = SearchInput(indices = listOf(TEST_HR_INDEX), query = SearchSourceBuilder().query(QueryBuilders.matchAllQuery()))
         val triggerScript = """
             // make sure there is exactly one hit
-            return ctx.results[0].hits.hits.size() == 1 
+            return ctx.results[0].hits.hits.size() == 1
+        """.trimIndent()
+
+        val trigger = randomQueryLevelTrigger(condition = Script(triggerScript)).copy(actions = listOf())
+        val monitor = createMonitorWithClient(
+            userClient!!,
+            randomQueryLevelMonitor(inputs = listOf(input), triggers = listOf(trigger))
+        )
+
+        try {
+            executeMonitor(monitor.id)
+            val alerts = searchAlerts(monitor)
+            assertEquals("Incorrect number of alerts", 1, alerts.size)
+        } finally {
+            deleteRoleAndRoleMapping(TEST_HR_ROLE)
+        }
+    }
+
+    fun `test execute query-level monitor with user role using dynamic DLS with parameter substitution`() {
+        createUserWithAttributes(user, arrayOf(TEST_HR_BACKEND_ROLE), mapOf("team" to "red"))
+        createTestIndex(TEST_HR_INDEX)
+        // The ${'$'} is an attempt to bypass the fact that Kotlin treats ${} as string interpolation in a
+        // triple quoted string, but we need to preserve the reference as ${attr.internal.team}
+        val dlsQuery = """{\"term\": { \"team\": \"${'$'}{attr.internal.team}\"}}"""
+        createIndexRoleWithDocLevelSecurity(
+            TEST_HR_ROLE,
+            TEST_HR_INDEX,
+            dlsQuery,
+            getClusterPermissionsFromCustomRole(ALERTING_INDEX_MONITOR_ACCESS)
+        )
+        createUserRolesMapping(TEST_HR_ROLE, arrayOf(user))
+
+        // Add a doc that is accessible to the user
+        indexDoc(
+            TEST_HR_INDEX, "1",
+            """
+            {
+              "test_field": "a",
+              "team": "red"
+            }
+            """.trimIndent()
+        )
+
+        // Add a second doc that is not accessible to the user
+        indexDoc(
+            TEST_HR_INDEX, "2",
+            """
+            {
+              "test_field": "b",
+              "team": "blue"
+            }
+            """.trimIndent()
+        )
+
+        val input = SearchInput(indices = listOf(TEST_HR_INDEX), query = SearchSourceBuilder().query(QueryBuilders.matchAllQuery()))
+        val triggerScript = """
+            // make sure there is exactly one hit
+            return ctx.results[0].hits.hits.size() == 1
         """.trimIndent()
 
         val trigger = randomQueryLevelTrigger(condition = Script(triggerScript)).copy(actions = listOf())