-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create separate transport action for render search template action #11170
Create separate transport action for render search template action #11170
Conversation
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
|
❌ Gradle check result for 61b9dfa: null Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
@cwperks Can you please create an issue on the GitHub action failures reported in #11170 (comment)
|
@peternied Opened an issue: #11574 |
❕ Gradle check result for 61b9dfa: UNSTABLE
Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure. |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #11170 +/- ##
============================================
+ Coverage 71.03% 71.29% +0.25%
- Complexity 58886 59141 +255
============================================
Files 4904 4906 +2
Lines 278154 278164 +10
Branches 40419 40419
============================================
+ Hits 197600 198320 +720
+ Misses 64091 63354 -737
- Partials 16463 16490 +27 ☔ View full report in Codecov by Sentry. |
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-11170-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 66d4e9e0d5fca1c50b84c08dccc9f5e9164c64c1
# Push it to GitHub
git push --set-upstream origin backport/backport-11170-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x Then, create a pull request where the |
@cwperks Mind doing the backport when you get a chance? |
…pensearch-project#11170) Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit 66d4e9e)
@peternied Opened manual backport: #11589 |
…11170) (#11589) Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit 66d4e9e)
### Description Companion PRs in core: - opensearch-project/OpenSearch#11170 - opensearch-project/OpenSearch#11591 This PR adds render search template as a cluster perm so that its separately permissioned from a SearchTemplateRequest which needs a set of indices to authorize the request. The companion PR in core separates the transport actions that handle search template request and render search template request so that they can be authorized separately. I am opening this in Draft until the core PR is merged because this PR depends on the core PR. * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Bug fix ### Issues Resolved - #3672 ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Craig Perkins <[email protected]>
…t#3689) Companion PRs in core: - opensearch-project/OpenSearch#11170 - opensearch-project/OpenSearch#11591 This PR adds render search template as a cluster perm so that its separately permissioned from a SearchTemplateRequest which needs a set of indices to authorize the request. The companion PR in core separates the transport actions that handle search template request and render search template request so that they can be authorized separately. I am opening this in Draft until the core PR is merged because this PR depends on the core PR. * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Bug fix - opensearch-project#3672 - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit cc57710)
…t#3689) ### Description Companion PRs in core: - opensearch-project/OpenSearch#11170 - opensearch-project/OpenSearch#11591 This PR adds render search template as a cluster perm so that its separately permissioned from a SearchTemplateRequest which needs a set of indices to authorize the request. The companion PR in core separates the transport actions that handle search template request and render search template request so that they can be authorized separately. I am opening this in Draft until the core PR is merged because this PR depends on the core PR. * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Bug fix ### Issues Resolved - opensearch-project#3672 ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Prabhas Kurapati <[email protected]>
…pensearch-project#11170) Signed-off-by: Craig Perkins <[email protected]>
…pensearch-project#11170) Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Shivansh Arora <[email protected]>
…t#3689) ### Description Companion PRs in core: - opensearch-project/OpenSearch#11170 - opensearch-project/OpenSearch#11591 This PR adds render search template as a cluster perm so that its separately permissioned from a SearchTemplateRequest which needs a set of indices to authorize the request. The companion PR in core separates the transport actions that handle search template request and render search template request so that they can be authorized separately. I am opening this in Draft until the core PR is merged because this PR depends on the core PR. * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Bug fix ### Issues Resolved - opensearch-project#3672 ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Craig Perkins <[email protected]>
Description
Companion PR in security: opensearch-project/security#3689
Separates the transport action that handles
POST /_render/template
into a separate transport action fromGET /_search/template
to resolve an issue with permission the render template endpoint.The transport action that handles both of these requests is overloaded and it makes permissioning these endpoints a challenge in the security plugin.
GET /_search/template
orGET /<list_of_indices>/_search_template
is a form of a search request and should consider whether the user has permission to search on the list of indices provided in the request when evaluating whether the user has permission to perform the search template request.In contrast,
POST /_render/template
is a simulation and never actually queries data. See the linked issue for an example of a search template request. From the security plugin POV, this type of request does not need indices when evaluating whether the user has permission to perform the request and can be treated as a cluster permission.This PR separates the transport action that handles both so that permissions can handle both of these types of requests. There is no functionality change on this PR, the testing for this is added in the companion PR.
Related Issues
Resolves opensearch-project/security#3672
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.