From c88febe47927d99230c0128d29363c8d4c629981 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Wed, 17 Jan 2024 22:54:56 +0000 Subject: [PATCH] Read prepare for merge into OpenSearch Signed-off-by: Peter Nied --- .../opensearch/action/ResourceRequest.java | 71 ------------------- .../action/search/ViewSearchRequest.java | 5 +- .../org/opensearch/index/view/views-design.md | 60 +--------------- 3 files changed, 2 insertions(+), 134 deletions(-) delete mode 100644 server/src/main/java/org/opensearch/action/ResourceRequest.java diff --git a/server/src/main/java/org/opensearch/action/ResourceRequest.java b/server/src/main/java/org/opensearch/action/ResourceRequest.java deleted file mode 100644 index 84766aaf810f4..0000000000000 --- a/server/src/main/java/org/opensearch/action/ResourceRequest.java +++ /dev/null @@ -1,71 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - */ - -package org.opensearch.action; - -import org.opensearch.common.annotation.ExperimentalApi; - -import java.util.Map; -import java.util.regex.Pattern; - -import static org.opensearch.action.ValidateActions.addValidationError; - -/** - * TODO: This validation should be associated with REST requests to ensure the parameter is from the URL - * Note; this should work well in RestHandlers - * - * Context: If all of the resource information is in the URL, caching which can include responses or authorization are trivial - */ -@ExperimentalApi -public interface ResourceRequest { - - static final Pattern ALLOWED_RESOURCE_NAME_PATTERN = Pattern.compile("[a-zA-Z_-]+"); - /** - * Don't allow wildcard patterns - * this has large impact to perf and cachability */ - static final Pattern ALLOWED_RESOURCE_ID_PATTERN = Pattern.compile("[a-zA-Z_-]+"); - - /** Returns the resource types and ids associated with this request */ - Map getResourceTypeAndIds(); - - /** - * Validates the resource type and id pairs are in an allowed format - */ - public static ActionRequestValidationException validResourceIds( - final ResourceRequest resourceRequest, - final ActionRequestValidationException validationException - ) { - resourceRequest.getResourceTypeAndIds().entrySet().forEach(entry -> { - if (!ALLOWED_RESOURCE_NAME_PATTERN.matcher(entry.getKey()).matches()) { - addValidationError( - "Unsupported resource key is not supported; key: " - + entry.getKey() - + " value: " - + entry.getValue() - + " allowed pattern " - + ALLOWED_RESOURCE_NAME_PATTERN.pattern(), - validationException - ); - } - - if (!ALLOWED_RESOURCE_ID_PATTERN.matcher(entry.getKey()).matches()) { - addValidationError( - "Unsupported resource value is not supported; key: " - + entry.getKey() - + " value: " - + entry.getValue() - + " allowed pattern " - + ALLOWED_RESOURCE_ID_PATTERN.pattern(), - validationException - ); - } - }); - - return validationException; - } -} diff --git a/server/src/main/java/org/opensearch/action/search/ViewSearchRequest.java b/server/src/main/java/org/opensearch/action/search/ViewSearchRequest.java index 88d610fe29480..9010681362ed4 100644 --- a/server/src/main/java/org/opensearch/action/search/ViewSearchRequest.java +++ b/server/src/main/java/org/opensearch/action/search/ViewSearchRequest.java @@ -9,7 +9,6 @@ package org.opensearch.action.search; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.action.ResourceRequest; import org.opensearch.cluster.metadata.View; import org.opensearch.common.at org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.core.common.io.stream.StreamOutput; @@ -22,7 +21,7 @@ /** Wraps the functionality of search requests and tailors for what is available when searching through views */ @ExperimentalApi -public class ViewSearchRequest extends SearchRequest implements ResourceRequest { +public class ViewSearchRequest extends SearchRequest { public final View view; @@ -47,8 +46,6 @@ public ActionRequestValidationException validate() { // TODO: Filter out anything additional search features that are not supported - validationException = ResourceRequest.validResourceIds(this, validationException); - return validationException; } diff --git a/server/src/main/java/org/opensearch/index/view/views-design.md b/server/src/main/java/org/opensearch/index/view/views-design.md index 773b359cc1953..4bd5d9585c5c2 100644 --- a/server/src/main/java/org/opensearch/index/view/views-design.md +++ b/server/src/main/java/org/opensearch/index/view/views-design.md @@ -2,7 +2,6 @@ Views define how searches are performed against indices on a cluster, uniform data access that is configured separately from the queries. - ## Design ### View data @@ -67,63 +66,6 @@ sequenceDiagram Data_Store-->>HTTP_Request: Return HTTP_Request-->>Client: Return ``` - -### Resource Request - -In order to permissions views OpenSearch needs a way to consistently refer to them, this is a generic problem and views will be a first use case. Resource requests require a map of types to identifiers for the request, multiple resources could be part of a single request, but only one of each type. - -Considering the request to search a view, `POST /view/{view_id}/_search`, the path parameter 'view_id' is the type and the value from the request would be the identifier. - -```java -public interface ResourceRequest { - /** Returns the resource types and ids associated with this request */ - Map getResourceTypeAndIds(); - - /** Validates the resource type and id pairs are in an allowed format */ - public static ActionRequestValidationException validResourceIds( - final ResourceRequest resourceRequest, - final ActionRequestValidationException validationException - ) {;} -} -``` - -### Resource Permission Grants -With requests include resource type and identifiers the security plugin will need to allow for grants to these new types. Modify the security role to include this information so it can be checked and then the request can be permitted. - -```yaml -all_access: - reserved: true - hidden: false - static: true - description: "Allow full access to all indices and all cluster APIs" - cluster_permissions: - - "*" - index_permissions: - - index_patterns: - - "*" - allowed_actions: - - "*" - tenant_permissions: - - tenant_patterns: - - "*" - allowed_actions: - - "kibana_all_write" - resource_permissions: - - resource_type: "view" - resource_ids: ["songs", "albums"] -``` - -## Frequently Asked Questions - -### How do views work with fine grain access control of index data? -*To be determined...* - -### What happens with existing DLS and FLS rules and searches on views? -*To be determined...* - -### Additional Question(s) -*To be determined...* - ## Appendix ### Local Testing @@ -223,4 +165,4 @@ views: [ created: DATE, modified: DATE } -] \ No newline at end of file +]