fewer resolved indices

Author: nibix

src/integrationTest/java/org/opensearch/security/privileges/int_tests/IndexAuthorizationReadOnlyIntTests.java

@@ -657,7 +657,7 @@ public List<RestHandler> getRestHandlers(
                         settings,
                         restController,
                         Objects.requireNonNull(backendRegistry),
-                        Objects.requireNonNull(evaluator)
+                        Objects.requireNonNull(privilegesConfiguration)
                     )
                 );
                 handlers.add(

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -106,7 +106,6 @@ public ReplaceResult replaceDashboardsIndex(
         final ActionRequest request,
         final String action,
         final User user,
-        final OptionallyResolvedIndices optionallyResolvedIndices,
         final PrivilegesEvaluationContext context
     ) {
         DashboardsMultiTenancyConfiguration config = this.multiTenancyConfigurationSupplier.get();
@@ -117,6 +116,7 @@ public ReplaceResult replaceDashboardsIndex(
             return CONTINUE_EVALUATION_REPLACE_RESULT;
         }
 
+        OptionallyResolvedIndices optionallyResolvedIndices = context.getResolvedRequest();
         TenantPrivileges tenantPrivileges = this.tenantPrivilegesSupplier.get();
 
         if (!(optionallyResolvedIndices instanceof ResolvedIndices resolvedIndices)) {

src/main/java/org/opensearch/security/configuration/PrivilegesInterceptorImpl.java

@@ -264,14 +264,13 @@ void authorizeRequest(RestHandler original, SecurityRequestChannel request, User
             .findFirst();
         final boolean routeSupportsRestAuthorization = handler.isPresent() && handler.get() instanceof NamedRoute;
         if (routeSupportsRestAuthorization) {
-            PrivilegesEvaluatorResponse pres = new PrivilegesEvaluatorResponse();
             NamedRoute route = ((NamedRoute) handler.get());
             // Check both route.actionNames() and route.name(). The presence of either is sufficient.
             Set<String> actionNames = ImmutableSet.<String>builder()
                 .addAll(route.actionNames() != null ? route.actionNames() : Collections.emptySet())
                 .add(route.name())
                 .build();
-            pres = evaluator.evaluate(user, route.name(), actionNames);
+            PrivilegesEvaluatorResponse pres = evaluator.evaluate(user, route.name(), actionNames);
 
             if (log.isDebugEnabled()) {
                 log.debug(pres.toString());

src/main/java/org/opensearch/security/filter/SecurityRestFilter.java

@@ -16,6 +16,7 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.IndicesRequest;
+import org.opensearch.action.admin.indices.segments.PitSegmentsRequest;
 import org.opensearch.cluster.metadata.ResolvedIndices;
 
 /**
@@ -32,7 +33,10 @@ public boolean setLocalIndices(ActionRequest targetRequest, ResolvedIndices reso
             return setLocalIndicesToEmpty(targetRequest, resolvedIndices);
         }
 
-        if (targetRequest instanceof IndicesRequest.Replaceable) {
+        if (targetRequest instanceof PitSegmentsRequest) {
+            // PitSegmentsRequest implements IndicesRequest.Replaceable, but ignores all specified indices
+            return false;
+        } else if (targetRequest instanceof IndicesRequest.Replaceable) {
             ((IndicesRequest.Replaceable) targetRequest).indices(concat(newIndices, resolvedIndices.remote().asRawExpressions()));
             return true;
         } else {
@@ -41,7 +45,10 @@ public boolean setLocalIndices(ActionRequest targetRequest, ResolvedIndices reso
     }
 
     public boolean setLocalIndicesToEmpty(ActionRequest targetRequest, ResolvedIndices resolvedIndices) {
-        if (targetRequest instanceof IndicesRequest.Replaceable replaceable) {
+        if (targetRequest instanceof PitSegmentsRequest) {
+            // PitSegmentsRequest implements IndicesRequest.Replaceable, but ignores all specified indices
+            return false;
+        } else if (targetRequest instanceof IndicesRequest.Replaceable replaceable) {
             if (resolvedIndices.remote().isEmpty()) {
                 if (replaceable.indicesOptions().expandWildcardsOpen() || replaceable.indicesOptions().expandWildcardsClosed()) {
                     // If the request expands wildcards, we use an index expression which resolves to no indices

src/main/java/org/opensearch/security/privileges/IndicesRequestModifier.java

@@ -117,10 +117,7 @@ public PrivilegesConfiguration(
                 PrivilegesEvaluationType privilegesEvaluationType = PrivilegesEvaluationType.getFrom(
                     configurationRepository.getConfiguration(CType.CONFIG)
                 );
-                PrivilegesEvaluationType currentEvaluationType = currentPrivilegesEvaluator == null ? null
-                    : currentPrivilegesEvaluator instanceof org.opensearch.security.privileges.actionlevel.legacy.PrivilegesEvaluator
-                        ? PrivilegesEvaluationType.LEGACY
-                    : PrivilegesEvaluationType.NEXT_GEN;
+                PrivilegesEvaluationType currentEvaluationType = PrivilegesEvaluationType.typeOf(currentPrivilegesEvaluator);
 
                 if (privilegesEvaluationType != currentEvaluationType) {
                     if (privilegesEvaluationType == PrivilegesEvaluationType.LEGACY) {
@@ -147,23 +144,24 @@ public PrivilegesConfiguration(
                         }
                     } else {
                         PrivilegesEvaluator oldInstance = privilegesEvaluator.getAndSet(
-                                new org.opensearch.security.privileges.actionlevel.nextgen.PrivilegesEvaluator(
-                                        clusterService,
-                                        clusterStateSupplier,
-                                        roleMapper,
-                                        threadPool,
-                                        threadPool.getThreadContext(),
-                                        resolver,
-                                        auditLog,
-                                        settings,
-                                        privilegesInterceptor,
-                                        flattenedActionGroups,
-                                        staticActionGroups,
-                                        rolesConfiguration,
-                                        generalConfiguration,
-                                        pluginIdToRolePrivileges,
-                                        new RuntimeOptimizedActionPrivileges.SpecialIndexProtection(this.specialIndices::isUniversallyDeniedIndex, this.specialIndices::isSystemIndex)
+                            new org.opensearch.security.privileges.actionlevel.nextgen.PrivilegesEvaluator(
+                                clusterStateSupplier,
+                                roleMapper,
+                                threadPool,
+                                threadPool.getThreadContext(),
+                                resolver,
+                                settings,
+                                privilegesInterceptor,
+                                flattenedActionGroups,
+                                staticActionGroups,
+                                rolesConfiguration,
+                                generalConfiguration,
+                                pluginIdToRolePrivileges,
+                                new RuntimeOptimizedActionPrivileges.SpecialIndexProtection(
+                                    this.specialIndices::isUniversallyDeniedIndex,
+                                    this.specialIndices::isSystemIndex
                                 )
+                            )
                         );
                         if (oldInstance != null) {
                             oldInstance.shutdown();
@@ -239,6 +237,10 @@ public void updatePluginToActionPrivileges(String pluginIdentifier, RoleV7 plugi
         pluginIdToRolePrivileges.put(pluginIdentifier, pluginPermissions);
     }
 
+    public boolean isInitialized() {
+        return this.privilegesEvaluator().isInitialized();
+    }
+
     /**
      * TODO: Think about better names
      */
@@ -263,6 +265,16 @@ static PrivilegesEvaluationType getFrom(SecurityDynamicConfiguration<ConfigV7> c
                 return LEGACY;
             }
         }
+
+        static PrivilegesEvaluationType typeOf(PrivilegesEvaluator privilegesEvaluator) {
+            if (privilegesEvaluator instanceof org.opensearch.security.privileges.actionlevel.legacy.PrivilegesEvaluator) {
+                return PrivilegesEvaluationType.LEGACY;
+            } else if (privilegesEvaluator instanceof org.opensearch.security.privileges.actionlevel.nextgen.PrivilegesEvaluator) {
+                return PrivilegesEvaluationType.NEXT_GEN;
+            } else {
+                return null;
+            }
+        }
     }
 
     private static FlattenedActionGroups buildStaticActionGroups() {

src/main/java/org/opensearch/security/privileges/PrivilegesConfiguration.java

@@ -73,6 +73,8 @@ void updateConfiguration(
 
     boolean notFailOnForbiddenEnabled();
 
+    boolean isInitialized();
+
     /**
      * A PrivilegesEvaluator implementation that just throws "not initialized" exceptions.
      * Used initially by PrivilegesConfiguration.
@@ -129,6 +131,11 @@ public boolean notFailOnForbiddenEnabled() {
             return false;
         }
 
+        @Override
+        public boolean isInitialized() {
+            return false;
+        }
+
         private OpenSearchSecurityException exception() {
             StringBuilder error = new StringBuilder("OpenSearch Security is not initialized");
             String reason = this.unavailablityReasonSupplier.get();

src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java

@@ -127,7 +127,24 @@ public String getPrivilegeMatrix() {
         String result = this.privilegeMatrix;
 
         if (result == null) {
-            result = this.indexToActionCheckTable.toTableString("ok", "MISSING");
+            String topLevelMatrix;
+
+            if (this.indexToActionCheckTable != null) {
+                topLevelMatrix = this.indexToActionCheckTable.toTableString("ok", "MISSING");
+            } else {
+                topLevelMatrix = "n/a";
+            }
+
+            if (subResults.isEmpty()) {
+                result = topLevelMatrix;
+            } else {
+                StringBuilder resultBuilder = new StringBuilder(topLevelMatrix);
+                for (PrivilegesEvaluatorResponse subResult : subResults) {
+                    resultBuilder.append("\n");
+                    resultBuilder.append(subResult.getPrivilegeMatrix());
+                }
+                result = resultBuilder.toString();
+            }
             this.privilegeMatrix = result;
         }
         return result;
@@ -141,8 +158,40 @@ public CreateIndexRequestBuilder getCreateIndexRequestBuilder() {
         return createIndexRequestBuilder;
     }
 
-    public PrivilegesEvaluatorResponse markComplete() {
-        this.state = PrivilegesEvaluatorResponseState.COMPLETE;
+    public PrivilegesEvaluatorResponse originalResult() {
+        return this.originalResult;
+    }
+
+    public boolean privilegesAreComplete() {
+        if (originalResult != null && !originalResult.privilegesAreComplete()) {
+            return false;
+        } else if (indexToActionCheckTable != null && !indexToActionCheckTable.isComplete()) {
+            return false;
+        } else if (!subResults.isEmpty() && subResults.stream().anyMatch(subResult -> !subResult.privilegesAreComplete())) {
+            return false;
+        } else {
+            return this.allowed;
+        }
+    }
+
+    public PrivilegesEvaluatorResponse insufficient(List<PrivilegesEvaluatorResponse> subResults) {
+        String reason = this.reason;
+        if (reason == null) {
+            reason = subResults.stream().map(result -> result.reason).filter(Objects::nonNull).findFirst().orElse(null);
+        }
+        PrivilegesEvaluatorResponse result = new PrivilegesEvaluatorResponse();
+        result.allowed = false;
+        result.indexToActionCheckTable = this.indexToActionCheckTable;
+        result.subResults = ImmutableList.copyOf(subResults);
+        result.reason = reason;
+        return result;
+    }
+
+    public PrivilegesEvaluatorResponse originalResult(PrivilegesEvaluatorResponse originalResult) {
+        if (originalResult != null && !originalResult.evaluationExceptions.isEmpty()) {
+            this.originalResult = originalResult;
+            this.evaluationExceptions.addAll(originalResult.evaluationExceptions);
+        }
         return this;
     }
 

src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java

@@ -29,7 +29,6 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.admin.indices.create.CreateIndexRequestBuilder;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
-import org.opensearch.cluster.metadata.OptionallyResolvedIndices;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.security.user.User;
@@ -79,7 +78,6 @@ public ReplaceResult replaceDashboardsIndex(
         final ActionRequest request,
         final String action,
         final User user,
-        final OptionallyResolvedIndices requestedResolved,
         final PrivilegesEvaluationContext context
     ) {
         throw new RuntimeException("not implemented");

src/main/java/org/opensearch/security/privileges/PrivilegesInterceptor.java

@@ -25,6 +25,7 @@
 import org.apache.logging.log4j.Logger;
 
 import org.opensearch.cluster.metadata.IndexAbstraction;
+import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.metadata.OptionallyResolvedIndices;
 import org.opensearch.security.privileges.ActionPrivileges;
 import org.opensearch.security.privileges.IndexPattern;
@@ -414,19 +415,19 @@ protected void checkPrivilegesForNonWellKnownActions(
             }
         }
 
+        /**
+         * When we have finished the "normal" privilege evaluation, which is based on index_permissions in roles.yml,
+         * we have to pass the CheckTable with the available privileges through this method in order to have specially
+         * protected indices and actions removed again from the CheckTable.
+         */
         protected PrivilegesEvaluatorResponse finalizeResult(PrivilegesEvaluationContext context, IntermediateResult intermediateResult) {
             CheckTable<String, String> checkTable = intermediateResult.indexToActionCheckTable;
             List<PrivilegesEvaluationException> exceptions = new ArrayList<>(intermediateResult.exceptions);
             if (this.universallyDeniedIndices != null) {
                 checkTable.uncheckIf(this.universallyDeniedIndices, checkTable.getColumns());
             }
             if (this.indicesNeedingSystemIndexPrivileges != null) {
-                // TODO aliases
-                checkTable.uncheckIf(
-                    index -> this.indicesNeedingSystemIndexPrivileges.test(index)
-                        && !providesExplicitPrivilege(context, index, ConfigConstants.SYSTEM_INDEX_PERMISSION, exceptions),
-                    checkTable.getColumns()
-                );
+                checkTable.uncheckIf(index -> this.isUnauthorizedSystemIndex(context, index, exceptions), checkTable.getColumns());
             }
 
             if (checkTable.isComplete()) {
@@ -451,6 +452,36 @@ protected PrivilegesEvaluatorResponse finalizeResult(PrivilegesEvaluationContext
             return PrivilegesEvaluatorResponse.insufficient(checkTable).reason(reason).evaluationExceptions(exceptions);
 
         }
+
+        /**
+         * Returns true if the given indexOrAlias is a system index or an alias containing a system index AND if
+         * the current user does not have the necessary explicit privilege to access this system index.
+         */
+        private boolean isUnauthorizedSystemIndex(
+            PrivilegesEvaluationContext context,
+            String indexOrAlias,
+            List<PrivilegesEvaluationException> exceptions
+        ) {
+            if (this.indicesNeedingSystemIndexPrivileges.test(indexOrAlias)) {
+                return !providesExplicitPrivilege(context, indexOrAlias, ConfigConstants.SYSTEM_INDEX_PERMISSION, exceptions);
+            }
+
+            IndexAbstraction indexAbstraction = context.getIndicesLookup().get(indexOrAlias);
+            if (indexAbstraction instanceof IndexAbstraction.Alias alias) {
+                for (IndexMetadata index : alias.getIndices()) {
+                    if (this.indicesNeedingSystemIndexPrivileges.test(index.getIndex().getName())) {
+                        return !providesExplicitPrivilege(
+                            context,
+                            index.getIndex().getName(),
+                            ConfigConstants.SYSTEM_INDEX_PERMISSION,
+                            exceptions
+                        );
+                    }
+                }
+            }
+
+            return false;
+        }
     }
 
     /**