Skip to content

Commit

Permalink
[2.x] Optimize privilege evaluation for index permissions across '*' …
Browse files Browse the repository at this point in the history
…index pattern (i.e. all_access role) (#4926)

Signed-off-by: Craig Perkins <[email protected]>
  • Loading branch information
cwperks authored Dec 9, 2024
1 parent bba60a4 commit ee78fe8
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 17 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ public class ConfigModelV7 extends ConfigModel {
private RoleMappingHolder roleMappingHolder;
private SecurityDynamicConfiguration<RoleV7> roles;
private SecurityDynamicConfiguration<TenantV7> tenants;
private final static Set<String> ALL_INDICES = Set.of("*");

public ConfigModelV7(
SecurityDynamicConfiguration<RoleV7> roles,
Expand Down Expand Up @@ -660,6 +661,20 @@ public String getName() {

}

public static final class IndexMatcherAndPermissions {
private WildcardMatcher matcher;
private WildcardMatcher perms;

public IndexMatcherAndPermissions(Set<String> patterns, Set<String> perms) {
this.matcher = WildcardMatcher.from(patterns);
this.perms = WildcardMatcher.from(perms);
}

public boolean matches(String index, String action) {
return matcher.test(index) && perms.test(action);
}
}

// sg roles
public static class IndexPattern {
private final String indexPattern;
Expand Down Expand Up @@ -701,6 +716,17 @@ public IndexPattern setDlsQuery(String dlsQuery) {
return this;
}

public IndexMatcherAndPermissions getIndexMatcherAndPermissions(
User user,
IndexNameExpressionResolver resolver,
ClusterService cs
) {
if ("*".equals(indexPattern)) {
return new IndexMatcherAndPermissions(ALL_INDICES, perms);
}
return new IndexMatcherAndPermissions(attemptResolveIndexNames(user, resolver, cs), perms);
}

@Override
public int hashCode() {
final int prime = 31;
Expand Down Expand Up @@ -973,20 +999,6 @@ public String toString() {
}
}

private static final class IndexMatcherAndPermissions {
private WildcardMatcher matcher;
private WildcardMatcher perms;

public IndexMatcherAndPermissions(Set<String> patterns, Set<String> perms) {
this.matcher = WildcardMatcher.from(patterns);
this.perms = WildcardMatcher.from(perms);
}

public boolean matches(String index, String action) {
return matcher.test(index) && perms.test(action);
}
}

private static boolean impliesTypePerm(
Set<IndexPattern> ipatterns,
Resolved resolved,
Expand All @@ -999,12 +1011,12 @@ private static boolean impliesTypePerm(
IndexMatcherAndPermissions[] indexMatcherAndPermissions;
if (resolved.isLocalAll()) {
indexMatcherAndPermissions = ipatterns.stream()
.filter(indexPattern -> "*".equals(indexPattern.getUnresolvedIndexPattern(user)))
.map(p -> new IndexMatcherAndPermissions(p.attemptResolveIndexNames(user, resolver, cs), p.perms))
.filter(indexPattern -> "*".equals(indexPattern.indexPattern))
.map(p -> p.getIndexMatcherAndPermissions(user, resolver, cs))
.toArray(IndexMatcherAndPermissions[]::new);
} else {
indexMatcherAndPermissions = ipatterns.stream()
.map(p -> new IndexMatcherAndPermissions(p.attemptResolveIndexNames(user, resolver, cs), p.perms))
.map(p -> p.getIndexMatcherAndPermissions(user, resolver, cs))
.toArray(IndexMatcherAndPermissions[]::new);
}
return resolvedRequestedIndices.stream()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
import org.opensearch.cluster.metadata.Metadata;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.security.securityconf.ConfigModelV7;
import org.opensearch.security.securityconf.ConfigModelV7.IndexPattern;
import org.opensearch.security.user.User;

Expand All @@ -37,6 +38,7 @@

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertThrows;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
Expand All @@ -45,6 +47,7 @@
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.mockito.Mockito.when;
import static org.mockito.Mockito.withSettings;
Expand Down Expand Up @@ -76,6 +79,37 @@ public void testCtor() {
assertThrows(NullPointerException.class, () -> new IndexPattern(null));
}

@Test
public void testGetIndexMatcherAndPermissionsWithAllIndices() {
IndexPattern testIp = new IndexPattern("*");
testIp.addPerm(Set.of("indices:data/write/*"));
User user = new User("test-user");
ConfigModelV7.IndexMatcherAndPermissions matcher = testIp.getIndexMatcherAndPermissions(user, resolver, clusterService);
verifyNoInteractions(resolver);
verifyNoInteractions(clusterService);
assertThat(matcher.matches("testPattern", "indices:data/write/index"), is(true));
assertThat(matcher.matches("testPattern", "indices:data/read/index"), is(false));
assertThat(matcher.matches("otherPattern", "indices:data/write/index"), is(true));
assertThat(matcher.matches("otherPattern", "indices:data/read/index"), is(false));
}

@Test
public void testGetIndexMatcherAndPermissionsWithScopedIndex() {
IndexPattern testIp = new IndexPattern("testPattern");
testIp.addPerm(Set.of("indices:data/write/*"));
User user = new User("test-user");
when(resolver.concreteIndexNames(any(), eq(IndicesOptions.lenientExpandOpen()), eq(true), eq("testPattern"))).thenReturn(
new String[] { "testPattern" }
);
ConfigModelV7.IndexMatcherAndPermissions matcher = testIp.getIndexMatcherAndPermissions(user, resolver, clusterService);
verify(resolver, times(1)).concreteIndexNames(any(), eq(IndicesOptions.lenientExpandOpen()), eq(true), eq("testPattern"));
verify(clusterService, times(1)).state();
assertThat(matcher.matches("testPattern", "indices:data/write/index"), is(true));
assertThat(matcher.matches("testPattern", "indices:data/read/index"), is(false));
assertThat(matcher.matches("otherPattern", "indices:data/write/index"), is(false));
assertThat(matcher.matches("otherPattern", "indices:data/read/index"), is(false));
}

/** Ensure that concreteIndexNames sends correct parameters are sent to getResolvedIndexPattern */
@Test
public void testConcreteIndexNamesOverload() {
Expand Down

0 comments on commit ee78fe8

Please sign in to comment.