From a8ecd2fbfccae94e427e7a5af27f938df9330c6b Mon Sep 17 00:00:00 2001
From: Vamsi Manohar
Date: Mon, 10 Jul 2023 17:36:15 -0700
Subject: [PATCH] Restrict master key reading from cluster settings API (#1825)

Signed-off-by: Vamsi Manohar
---
 .../sql/datasource/DataSourceAPIsIT.java | 4 --
 .../DatasourceClusterSettingsIT.java | 43 +++++++++++++++++++
 .../setting/OpenSearchSettings.java | 3 +-
 3 files changed, 45 insertions(+), 5 deletions(-)
 create mode 100644 integ-test/src/test/java/org/opensearch/sql/datasource/DatasourceClusterSettingsIT.java

diff --git a/integ-test/src/test/java/org/opensearch/sql/datasource/DataSourceAPIsIT.java b/integ-test/src/test/java/org/opensearch/sql/datasource/DataSourceAPIsIT.java
index ac6949e77e..c942962fb8 100644
--- a/integ-test/src/test/java/org/opensearch/sql/datasource/DataSourceAPIsIT.java
+++ b/integ-test/src/test/java/org/opensearch/sql/datasource/DataSourceAPIsIT.java
@@ -17,14 +17,10 @@
 import java.util.ArrayList;
 import java.util.List;
 import lombok.SneakyThrows;
-import org.apache.commons.lang3.StringUtils;
 import org.junit.AfterClass;
 import org.junit.Assert;
-import org.junit.BeforeClass;
 import org.junit.Test;
-import org.opensearch.action.update.UpdateRequest;
 import org.opensearch.client.Request;
-import org.opensearch.client.RequestOptions;
 import org.opensearch.client.Response;
 import org.opensearch.client.ResponseException;
 import org.opensearch.sql.datasource.model.DataSourceMetadata;
diff --git a/integ-test/src/test/java/org/opensearch/sql/datasource/DatasourceClusterSettingsIT.java b/integ-test/src/test/java/org/opensearch/sql/datasource/DatasourceClusterSettingsIT.java
new file mode 100644
index 0000000000..8c4959707a
--- /dev/null
+++ b/integ-test/src/test/java/org/opensearch/sql/datasource/DatasourceClusterSettingsIT.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.sql.datasource;
+
+import static org.hamcrest.Matchers.equalTo;
+
+import java.io.IOException;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.json.JSONObject;
+import org.junit.Test;
+import org.opensearch.client.ResponseException;
+import org.opensearch.sql.legacy.TestUtils;
+import org.opensearch.sql.ppl.PPLIntegTestCase;
+
+public class DatasourceClusterSettingsIT extends PPLIntegTestCase {
+
+ private static final Logger LOG = LogManager.getLogger();
+ @Test
+ public void testGetDatasourceClusterSettings() throws IOException {
+ JSONObject clusterSettings = getAllClusterSettings();
+ assertThat(clusterSettings.query("/defaults/plugins.query.datasources.encryption.masterkey"),
+ equalTo(null));
+ }
+
+
+ @Test
+ public void testPutDatasourceClusterSettings() throws IOException {
+ final ResponseException exception =
+ expectThrows(ResponseException.class, () -> updateClusterSettings(new ClusterSetting(PERSISTENT,
+ "plugins.query.datasources.encryption.masterkey",
+ "masterkey")));
+ JSONObject resp = new JSONObject(TestUtils.getResponseBody(exception.getResponse()));
+ assertThat(resp.getInt("status"), equalTo(400));
+ assertThat(resp.query("/error/root_cause/0/reason"),
+ equalTo("final persistent setting [plugins.query.datasources.encryption.masterkey], not updateable"));
+ assertThat(resp.query("/error/type"), equalTo("settings_exception"));
+ }
+
+}
diff --git a/opensearch/src/main/java/org/opensearch/sql/opensearch/setting/OpenSearchSettings.java b/opensearch/src/main/java/org/opensearch/sql/opensearch/setting/OpenSearchSettings.java
index 671f4113be..01c3aeb30d 100644
--- a/opensearch/src/main/java/org/opensearch/sql/opensearch/setting/OpenSearchSettings.java
+++ b/opensearch/src/main/java/org/opensearch/sql/opensearch/setting/OpenSearchSettings.java
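Review bot: testGetDatasourceClusterSettings only proves that the built-in default is hidden, because it reads `/defaults/plugins.query.datasources.encryption.masterkey` on a cluster where, as far as this file shows, the key was never configured. The case the filter matters most for is a key an operator has set in node configuration, and that value would presumably surface through node-level settings output rather than the cluster-settings defaults checked here. Either add a case that starts the test cluster with the key set and asserts it is absent from both outputs, or record the gap on the test with `// Covers the default value only; a key configured in opensearch.yml is not exercised here.` The `LOG` field is declared but never used and can be dropped.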
@@ -113,7 +113,8 @@ public class OpenSearchSettings extends Settings { ENCYRPTION_MASTER_KEY.getKeyValue(), "0000000000000000", Setting.Property.NodeScope, - Setting.Property.Final); + Setting.Property.Final, + Setting.Property.Filtered); public static final Setting DATASOURCE_URI_ALLOW_HOSTS = Setting.simpleString( Key.DATASOURCES_URI_ALLOWHOSTS.getKeyValue(),
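Review bot: The context line `"0000000000000000",` leaves a fixed, publicly readable default for this key, and `Setting.Property.Filtered` only keeps the value out of settings responses; it does not change which key a node uses when nothing overrides it. Anything encrypted under this key on such a node (presumably datasource credentials, judging by the setting name used in the new test) is protected by a value printed in this file. Consider rejecting the default where the key is consumed, or at minimum documenting it on the declaration: `// Placeholder default only; set plugins.query.datasources.encryption.masterkey in opensearch.yml before storing credentials.` A keystore-backed secure setting would be a better long-term home than `Setting.simpleString`, though that is a larger change than this commit. The declaration begins above the hunk, so the constant's name and type are not visible here.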