Update user parsing to include custom attributes#827
Merged
cwperks merged 52 commits intoopensearch-project:mainfrom Aug 15, 2025
cloud-gov:update-user-parsing
Merged
Update user parsing to include custom attributes#827cwperks merged 52 commits intoopensearch-project:mainfrom cloud-gov:update-user-parsing
cwperks merged 52 commits intoopensearch-project:mainfrom
cloud-gov:update-user-parsing
Conversation
markdboyd
requested review from
AWSHurneyt,
bowenlan-amzn,
eirsep,
engechas,
getsaurabh02,
jowg-amazon,
lezzago,
rishabhmaurya,
riysaxen-amzn and
sbcd90
as code owners
cwperks
reviewed
Jul 22, 2025
cwperks
reviewed
Jul 22, 2025
Member
|
I see that this repo has customAttrNames, however, I'm not sure how its used because the security repo does not serialize it. I think its safe to change the data structure to a Map and include the values as well. I created this change on my fork cwperks#1, but haven't adequately done any e2e test with your changes on the security repo yet. |
cwperks
reviewed
Jul 23, 2025
Member
cwperks
left a comment
cwperks
left a comment
There was a problem hiding this comment.
Thank you @markboyd.
I'd like to look into 2 more things:
- Let's see about adding a test for the changes in
public static User parse(XContentParser parser) - Potentially copying over any tests from the security repo for the Base64Helper class
markdboyd
commented
Jul 24, 2025
src/test/java/org/opensearch/commons/authuser/util/Base64HelperTest.java
Show resolved
Hide resolved
markdboyd
commented
Jul 24, 2025
src/test/java/org/opensearch/commons/authuser/util/SafeSerializationUtilsTest.java
Show resolved
Hide resolved
cwperks
previously approved these changes
Jul 24, 2025
Member
cwperks
left a comment
cwperks
left a comment
There was a problem hiding this comment.
Changes LGTM! Thank you @markdboyd
For the maintainers of this repo, we need to merge this and opensearch-project/security#5491 at the same time
cwperks
previously approved these changes
Jul 24, 2025
DarshitChanpura
approved these changes
Jul 24, 2025
cwperks
changed the title
…rosoft/vscode-java-test#1740 Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…names correctly from user string Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…ibility Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…s compatibility Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
cwperks
previously approved these changes
Aug 12, 2025
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…in a custom thread context Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
This was referenced Aug 13, 2025
…hen non-empty and fall back to empty list of custom attribute names when custom attributes are empty Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
cwperks
previously approved these changes
Aug 15, 2025
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
cwperks
approved these changes
Aug 15, 2025
AWSHurneyt
approved these changes
Aug 15, 2025
5 tasks
DarshitChanpura
added a commit
to DarshitChanpura/ml-commons
that referenced
this pull request
Aug 18, 2025
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
added a commit
to DarshitChanpura/ml-commons
that referenced
this pull request
Aug 18, 2025
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
added a commit
to DarshitChanpura/ml-commons
that referenced
this pull request
Aug 18, 2025
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
5 tasks
This was referenced Sep 3, 2025
5 tasks
dhrubo-os
added a commit
to opensearch-project/ml-commons
that referenced
this pull request
Oct 1, 2025
…l-group (#3715) * Onboards to centralized resource access control mechanism for ml-model-group Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes sharing logic Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Consumes feature flag exposed by SPI Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates tests and dependency visibility Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes implmentation Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Conforms to SPI changes Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Conforms to SPI changes in security plugin Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Reflects changes in SPI Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors to use centralized method in ModelAccessControlHelper Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Corrects search handler to match against accessible model_group_ids Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes spotless Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix missed reference Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix compilation errors Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix compileTestsJava Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds existing feature-flag in conjunction with new feature flage Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes if condition Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates default creation and update logic to support existing scenarios Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Removes left over comment Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors to conform to standalone authz framework supplied by security plugin Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Update model-group related requests to be doc requests Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors verifyAccess to pass action names Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Re-add resource sharing client accessor Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors how resource-sharing client is accessed Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Code cleanup Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Code cleanup 2 Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Code cleanup 3 Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix test compilation error Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix filter for model-groups on search request Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix most of the tests Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix search model transport action and tests Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix test failure by passing correct listener Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors SearchModelGroupTransportActionTests to include new path and adds test for resource sharing extension Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix spotless Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix incorrect eval logic to check whether ml group index is present when search models Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adapts changes to make ResourceExtension consumed via @Inject Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix UTs broken due to opensearch-project/common-utils#827 Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Reverts "Adapts changes to make ResourceExtension consumed via @Inject" 8611f25 and adds setup for sec testing Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes extension over-ridden method Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes remaining broken UTs due to user object change Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds plugin client, related permissions and resource-action-groups file Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates resource-type and removes plugin client since it is not being used Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates config schema to handle all_shared_principals to be used in search Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix CI Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix unit test Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates API response message and adds method doc Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates resource-action-groups and search handler sequence Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates model search handler flow Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes method call broken during latest merge from main Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Cleans up search Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Reorders rsc client preference Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Handles hidden models in predict action Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds types to DocRequest Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix prediction action error handling to pass safe modelId Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Boost MLSearchHandler test coverage Signed-off-by: Darshit Chanpura <dchanp@amazon.com> --------- Signed-off-by: Darshit Chanpura <dchanp@amazon.com> Co-authored-by: Dhrubo Saha <dhrubo@amazon.com>
PauiC
pushed a commit
to PauiC/ml-commons
that referenced
this pull request
Nov 18, 2025
…l-group (opensearch-project#3715) * Onboards to centralized resource access control mechanism for ml-model-group Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes sharing logic Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Consumes feature flag exposed by SPI Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates tests and dependency visibility Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes implmentation Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Conforms to SPI changes Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Conforms to SPI changes in security plugin Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Reflects changes in SPI Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors to use centralized method in ModelAccessControlHelper Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Corrects search handler to match against accessible model_group_ids Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes spotless Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix missed reference Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix compilation errors Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix compileTestsJava Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds existing feature-flag in conjunction with new feature flage Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes if condition Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates default creation and update logic to support existing scenarios Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Removes left over comment Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors to conform to standalone authz framework supplied by security plugin Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Update model-group related requests to be doc requests Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors verifyAccess to pass action names Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Re-add resource sharing client accessor Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors how resource-sharing client is accessed Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Code cleanup Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Code cleanup 2 Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Code cleanup 3 Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix test compilation error Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix filter for model-groups on search request Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix most of the tests Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix search model transport action and tests Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix test failure by passing correct listener Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Refactors SearchModelGroupTransportActionTests to include new path and adds test for resource sharing extension Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix spotless Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix incorrect eval logic to check whether ml group index is present when search models Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adapts changes to make ResourceExtension consumed via @Inject Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix UTs broken due to opensearch-project/common-utils#827 Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Reverts "Adapts changes to make ResourceExtension consumed via @Inject" 8611f25 and adds setup for sec testing Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes extension over-ridden method Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes remaining broken UTs due to user object change Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds plugin client, related permissions and resource-action-groups file Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates resource-type and removes plugin client since it is not being used Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates config schema to handle all_shared_principals to be used in search Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix CI Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix unit test Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates API response message and adds method doc Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates resource-action-groups and search handler sequence Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates model search handler flow Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes method call broken during latest merge from main Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Cleans up search Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Reorders rsc client preference Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Handles hidden models in predict action Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds types to DocRequest Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fix prediction action error handling to pass safe modelId Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Boost MLSearchHandler test coverage Signed-off-by: Darshit Chanpura <dchanp@amazon.com> --------- Signed-off-by: Darshit Chanpura <dchanp@amazon.com> Co-authored-by: Dhrubo Saha <dhrubo@amazon.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
As part of opensearch-project/alerting#1829, I found that the user parsing in this library, which is used by the alerting plugin, does not parse custom attribute names from a user string.
The current implementation makes sense because the security plugin does not currently include custom attribute names in the user string in the thread context: https://github.com/opensearch-project/security/blob/dfe16b004a6bb1c8d2bc50ac0c0f76780a3519cb/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java#L276-L290.
However, I plan to update the security plugin to include custom attribute names in the thread context. Ultimately, the goal of this change and other related changes is to make sure that user custom attributes are available when the alerting plugin executes monitor queries, so that DLS parameter substitution will work correctly.
Related Issues
Related to opensearch-project/alerting#1829
Check List
--signoff.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.