Add new extension points for ResourcePlugin and ResourceAccessControlPlugin #233

Open
wants to merge 8 commits into
base: main

cwperks
Owner

@cwperks cwperks commented Jan 2, 2025

Description

Companion Security PR which shows an implementation of the ResourceSharingService: cwperks/security#39

This PR introduces 2 new extension points:

  1. ResourceAccessControlPlugin - There can only be a single ResourceAccessControlPlugin installed (i.e. the Security plugin). The responsibility of this plugin is to supply a ResourceSharingService for each SharableResourceType that is registered by the ResourcePlugins. This ResourceSharingService can be used by the ResourcePlugins to determine if a resource has been shared with the current requester.

  2. ResourcePlugin - These Plugins define Sharable Resource Types. Take the example below:

In the default distribution of OpenSearch, there are many instances of plugins implementing custom resource access control because the security plugin does not provide a mechanism to secure resources created by plugins. For example, a simple search for filter_by_backend_roles on the documentation website shows a few plugins that implement custom resource access control. filter_by_backend_role is a very simplistic access control mechanism that plugins use that restricts what resources are listed when an authenticated user is on a page in OpenSearch Dashboards that lists that specific type of resource.

For instance, in ISM when a user navigates to the page that lists policies, the page will either list:

  1. Policies created by the logged in user
  2. Policies shared to the logged in user by backend role

Any other policies would not be displayed and cannot be interacted with by the user.

In this simple model of resource access control, what a user can do with a resource is determined by the roles that user is mapped to and not determined by the user sharing their resource with another user. For instance, if a user is mapped to the anomaly_detection_full_access role, then that user will have full access to any detector shared with the user. The user sharing the detector has no mechanism to specify that the user that they are sharing the detector with only has read access to the detector that they have ownership over.


This PR and the companion Security PR lay the foundation for providing a consistent resource access control experience across plugins in the default distribution.

These PRs provide an off ramp for the current simple resource access control prevalent across plugins and centralize the access control to the security plugin.

Plugins can transition to using the new ResourcePlugin extension point and maintain backward compatibility with the current resource access control model filter_by_backend_role.

For Plugin Developers:

For plugin developers, add a new extension point on ResourcePlugin and define the SharableResourceTypes. A SharableResourceType needs 4 (maybe 3 minus the ResourceParser) methods implemented:

@Override
public String getResourceType() {
    return "sample_resource";
}

@Override
public String getResourceIndex() {
    return RESOURCE_INDEX_NAME;
}

@Override
public ResourceParser<? extends Resource> getResourceParser() {
    return new SampleResourceParser();
}

@SuppressWarnings("unchecked")
@Override
public void assignResourceSharingService(ResourceSharingService service) {
    ...
}

This ResourceSharingService can then be used by plugin developers to determine whether the current user has access to a resource. The interface is defined like this:

public interface ResourceSharingService<T extends Resource> {
    void isSharedWithCurrentUser(String resourceId, ActionListener<Boolean> shareListener);
}

Note: If Security is not installed, the ResourceSharingService will be a noop and always return True when interrogated.

Related Issues

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Craig Perkins <[email protected]>
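
An added sketch (not code from this PR or from OpenSearch) of how a plugin handler might gate a read on isSharedWithCurrentUser, including the no-op behaviour described in the note above. The ActionListener and ResourceSharingService types here are minimal stand-ins (the type parameter is dropped) so the file compiles on its own, and getResource, RESOURCES and the sample ids are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;

public class SharingCheckExample {
    // Hypothetical in-memory store standing in for the plugin's resource index.
    static final Map<String, String> RESOURCES = Map.of("r1", "detector A", "r2", "detector B");

    // Gate the read on the sharing decision. Deny on "false" and on any
    // failure of the check itself, so an unavailable service fails closed.
    static void getResource(ResourceSharingService svc, String id, Consumer<String> out) {
        svc.isSharedWithCurrentUser(id, new ActionListener<Boolean>() {
            @Override public void onResponse(Boolean shared) {
                out.accept(Boolean.TRUE.equals(shared)
                    ? "200 " + RESOURCES.get(id)
                    : "403 not shared with current user");
            }
            @Override public void onFailure(Exception e) {
                out.accept("403 sharing check failed");
            }
        });
    }

    public static void main(String[] args) {
        // Constructed stand-in for an enforcing service: only r1 is shared with the caller.
        Set<String> sharedWithCaller = Set.of("r1");
        ResourceSharingService enforcing = (id, l) -> l.onResponse(sharedWithCaller.contains(id));
        // Constructed stand-in for a service whose lookup fails.
        ResourceSharingService broken = (id, l) -> l.onFailure(new IllegalStateException("index unavailable"));
        // Behaviour the note describes when Security is not installed: always true.
        ResourceSharingService noop = (id, l) -> l.onResponse(true);

        getResource(enforcing, "r1", System.out::println); // shared: served
        getResource(enforcing, "r2", System.out::println); // not shared: denied
        getResource(broken, "r1", System.out::println);    // check failed: denied
        getResource(noop, "r2", System.out::println);      // no-op: every resource is served
    }
}

// Stand-in types (assumptions), shaped after the interface shown in the description.
interface ActionListener<R> {
    void onResponse(R response);
    void onFailure(Exception e);
}

interface ResourceSharingService {
    void isSharedWithCurrentUser(String resourceId, ActionListener<Boolean> shareListener);
}
```

With the no-op service the handler serves every resource, so a plugin that relies only on this check has no resource-level restriction when Security is not installed.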