change the backend role filtering to keep consistent with alerting plugin #383
Codecov Report

| Coverage Diff | master | #383 | +/- |
|---|---|---|---|
| Coverage | 79.16% | 79.14% | -0.03% |
| Complexity | 2666 | 2663 | -3 |
| Files | 247 | 247 | |
| Lines | 11726 | 11717 | -9 |
| Branches | 1009 | 1008 | -1 |
| Hits | 9283 | 9273 | -10 |
| Misses | 1968 | 1967 | -1 |
| Partials | 475 | 477 | +2 |
NestedQueryBuilder nestedQueryBuilder = new NestedQueryBuilder(userFieldName, userRolesFilterQuery, ScoreMode.None); | ||
boolQueryBuilder.must(nestedQueryBuilder); | ||
} | ||
List<String> backendRoles = user.getBackendRoles() != null ? user.getBackendRoles() : ImmutableList.of(); |
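Review bot: the null guard on `backendRoles` in the last line of this hunk deserves a one-line code comment saying it is a defensive re-check, since the discussion on this PR states that `User.parse` already returns an empty list when the thread-context user has no backend roles; without that comment the next reader will look for a caller that can pass a null list. The nested query in the lines above is added as a `must` clause with `ScoreMode.None`, which is consistent with using it purely as a filter.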
Currently the AD plugin parses the user from the thread context OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT; from the User.parse code, the backend roles should be an empty list if there are no backend roles. We recheck here in case we support other cases or the user parse method changes in future.
The changes look good to me.
I understand the timeline is tight for 1.13, but can we add integration tests in https://github.com/opendistro-for-elasticsearch/anomaly-detection/blob/master/src/test/java/com/amazon/opendistroforelasticsearch/ad/rest/SecureADRestIT.java for the search API as a fast follow-up?
Test cases to cover:
- Search when backend role filter is enabled and user has no backend role
- Search when backend role filter is enabled and user has a backend role
- Search when backend role filter is disabled
Thanks for the changes
Description of changes:
Now we have two different logics for AD document-level access control:

1. For search APIs we add a user role filter query. When the user is null, we add a `user == null` filter; if the user is not null but the backend roles are null or empty, we add a `user != null and backend_roles == null or empty` query. So users who have no backend role can still see their detectors after enabling backend role filtering.
2. For other APIs like get/update/start/stop, we check whether the detector's user backend roles match the current thread user's backend roles. If either the detector's user backend roles or the current thread user's backend roles are null, we throw a no-permission exception. That means if a user doesn't configure a backend role, after enabling backend role filtering, they will not see their detectors.

For the alerting plugin, if the user's backend roles are empty, the user can't see any monitors. The user has to configure backend roles before enabling alerting backend role filtering. We will change to the same way as the alerting plugin (alerting plugin code link).
Test

```sh
./gradlew build
./gradlew integTest -PnumNodes=3
```
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
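The two access-control paths from the description above, modelled as an added example that is not the plugin's own code: `search_filter_before` mirrors the pre-PR search filter (null user or empty backend roles pass), `can_access_after` mirrors the get/update/start/stop rule the PR aligns search with, and the dict-shaped detectors plus the set-intersection role match are assumptions standing in for the real index documents and query builders.

```python
"""Model of AD detector document-level access control before and after this PR.
Assumptions (not project code): detectors are dicts with an optional "user" holding
"backend_roles"; the nested role query is modelled as set intersection; null and
empty role lists are treated alike, matching the alerting-plugin behaviour adopted."""
from typing import Callable, Dict, List, Optional, Sequence

# Constructed sample index: owners with no user, empty roles, and real roles.
DETECTORS: List[Dict] = [
    {"id": "d-no-user", "user": None},
    {"id": "d-empty-roles", "user": {"name": "bob", "backend_roles": []}},
    {"id": "d-ops", "user": {"name": "alice", "backend_roles": ["ops"]}},
    {"id": "d-sec", "user": {"name": "carol", "backend_roles": ["sec", "ops"]}},
]


def backend_roles_of(user: Optional[Dict]) -> List[str]:
    """Null user or null roles collapse to an empty list (as User.parse does)."""
    if user is None:
        return []
    return list(user.get("backend_roles") or [])


def search_filter_before(caller_roles: Optional[Sequence[str]]) -> Callable[[Dict], bool]:
    """Pre-PR search path: user == null OR (user != null AND backend_roles empty)
    OR nested backend-role match; empty-role callers still see unowned detectors."""
    caller = set(caller_roles or [])

    def matches(detector: Dict) -> bool:
        owner = detector["user"]
        if owner is None:
            return True                      # user == null clause
        owner_roles = backend_roles_of(owner)
        if not owner_roles:
            return True                      # user != null and roles empty clause
        return bool(set(owner_roles) & caller)  # nested role filter (assumed: intersection)

    return matches


def can_access_after(caller_roles: Optional[Sequence[str]], detector: Dict) -> bool:
    """Post-PR rule shared with get/update/start/stop and the alerting plugin:
    missing roles on either side means no permission; otherwise roles must overlap."""
    owner_roles = backend_roles_of(detector["user"])
    if not caller_roles or not owner_roles:
        return False
    return bool(set(owner_roles) & set(caller_roles))


def visible_ids(predicate: Callable[[Dict], bool], detectors: List[Dict] = DETECTORS) -> List[str]:
    """Apply an access predicate over the sample index and return matching detector ids."""
    return [d["id"] for d in detectors if predicate(d)]
```

Run `visible_ids(search_filter_before([]))` against `visible_ids(lambda d: can_access_after([], d))` to see the discrepancy the PR closes: the old search path leaks unowned and role-less detectors to a caller with no backend roles, the new rule returns nothing.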