Deprecate opendistro_security_roles and add opensearch_security_roles

Open shikharj05 opened this issue 10 months ago • 1 comments

Description

Deprecate opendistro_security_roles and add opensearch_security_roles for internal-user APIs.

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Maintenance
  • Why these changes are required? https://github.com/opensearch-project/security/issues/5092
  • What is the old behavior before changes and new behavior after changes?
curl -XPUT -k -u admin:<password> "https://localhost:9200/_plugins/_security/api/internalusers/testuser" -H 'Content-Type: application/json' -d'
{
  "password": "<test-password>",
  "opensearch_security_roles": ["manage_snapshots"],
  "backend_roles": ["role 1", "role 2"],
  "attributes": {
    "attribute1": "value1",
    "attribute2": "value2"
  }
}
'

curl -k -u admin:<password> 'https://localhost:9200/_plugins/_security/api/user/testuser?pretty'                                                
{
  "testuser" : {
    "hash" : "",
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "role 1",
      "role 2"
    ],
    "attributes" : {
      "attribute1" : "value1",
      "attribute2" : "value2"
    },
    "opendistro_security_roles" : [
      "manage_snapshots"
    ],
    "opensearch_security_roles" : [
      "manage_snapshots"
    ],
    "static" : false
  }
}



curl -k -u admin:<password> 'https://localhost:9200/_plugins/_security/api/internalusers/testuser?pretty' -X PATCH -d '[{"op": "replace", "path": "/opensearch_security_roles", "value": ["notebooks_full_access","all_access"]}]' -H 'content-type: application/json'

{
  "status" : "OK",
  "message" : "'testuser' updated."
}


curl -k -u admin:<password> 'https://localhost:9200/_plugins/_security/api/user/testuser?pretty'
{
  "testuser" : {
    "hash" : "",
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "role 1",
      "role 2"
    ],
    "attributes" : {
      "attribute1" : "value1",
      "attribute2" : "value2"
    },
    "opendistro_security_roles" : [
      "notebooks_full_access",
      "all_access"
    ],
    "opensearch_security_roles" : [
      "notebooks_full_access",
      "all_access"
    ],
    "static" : false
  }
}

curl -k -u admin:<password> 'https://localhost:9200/_plugins/_security/api/internalusers/testuser?pretty' -X PATCH -d '[{"op": "replace", "path": "/opendistro_security_roles", "value": ["notebooks_full_access"]}]' -H 'content-type: application/json'     

{
  "status" : "OK",
  "message" : "'testuser' updated."
}


curl -k -u admin:<password> 'https://localhost:9200/_opendistro/_security/api/user/testuser?pretty'                                             
{
  "testuser" : {
    "hash" : "",
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "role 1",
      "role 2"
    ],
    "attributes" : {
      "attribute1" : "value1",
      "attribute2" : "value2"
    },
    "opendistro_security_roles" : [
      "manage_snapshots"
    ],
    "opensearch_security_roles" : [
      "manage_snapshots"
    ],
    "static" : false
  }
}


curl -k -u 'testuser:<test-password>' -k  'https://localhost:9200?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [cluster:monitor/main] and User [name=testuser, backend_roles=[role 1, role 2], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [cluster:monitor/main] and User [name=testuser, backend_roles=[role 1, role 2], requestedTenant=null]"
  },
  "status" : 403
}


 curl -k -u 'testuser:<test-password>' 'https://localhost:9200/_plugins/_security/api/internalusers/testuser?pretty' -X PATCH -d '[{"op": "replace", "path": "/opendistro_security_roles", "value": ["notebooks_full_access"]}]' -H 'content-type: application/json'

{
  "status" : "FORBIDDEN",
  "message" : "No permission to access REST API: User testuser with Security roles [manage_snapshots, own_index] does not have any role privileged for admin access. No client TLS certificate found in request"
}

Issues Resolved

https://github.com/opensearch-project/security/issues/5098

Testing

Manual testing results above.

Logs

[2025-02-18T15:03:11,188][WARN ][org.opensearch.security.dlic.rest.api.InternalUsersApiAction] The field 'opendistro_security_roles' is deprecated and will be removed in a future release. Please use 'opensearch_security_roles' instead.

Check List

  • [X] New functionality includes testing
  • [TODO] New functionality has been documented
  • [NA] New Roles/Permissions have a corresponding security dashboards plugin PR
  • [NA] API changes companion pull request created
  • [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.

shikharj05 avatar Feb 18 '25 09:02 shikharj05
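
Added example, not part of the pull request or the plugin's code: a client-side rewrite that moves automation payloads from the deprecated field to the replacement named in the description above. It assumes the two field names and the single-user PATCH path form shown there; the function names and sample inputs are hypothetical.

```python
import copy

OLD = "opendistro_security_roles"   # deprecated field name, from the PR description
NEW = "opensearch_security_roles"   # replacement field name, from the PR description

def migrate_user_body(body):
    """Return (new_body, changed) for a PUT internalusers request body."""
    out = copy.deepcopy(body)
    if OLD not in out:
        return out, False
    old_roles = out.pop(OLD)
    if NEW in out and sorted(out[NEW]) != sorted(old_roles):
        # Both fields present with different role lists: refuse to guess,
        # because choosing the wrong list silently changes the user's privileges.
        raise ValueError(f"{OLD} and {NEW} disagree: {old_roles} vs {out[NEW]}")
    out.setdefault(NEW, old_roles)
    return out, True

def migrate_patch(ops):
    """Rewrite JSON Patch ops (single-user form) that target the deprecated field."""
    out, changed = [], False
    for op in ops:
        op = dict(op)
        for key in ("path", "from"):
            ptr = op.get(key)
            # Match "/OLD" and "/OLD/<index>", but not "/OLD_something".
            if isinstance(ptr, str) and (ptr + "/").startswith("/" + OLD + "/"):
                op[key] = "/" + NEW + ptr[len(OLD) + 1:]
                changed = True
        out.append(op)
    return out, changed

if __name__ == "__main__":
    # Constructed sample inputs modelled on the requests in the description.
    body = {"password": "<test-password>", OLD: ["manage_snapshots"],
            "backend_roles": ["role 1", "role 2"]}
    patch = [{"op": "replace", "path": "/" + OLD,
              "value": ["notebooks_full_access"]}]
    print(migrate_user_body(body))
    print(migrate_patch(patch))
```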

Codecov Report

Attention: Patch coverage is 71.87500% with 9 lines in your changes missing coverage. Please review.

Project coverage is 71.73%. Comparing base (ef523f8) to head (41111da). Report is 64 commits behind head on main.

Files with missing lines Patch % Lines
...ch/security/securityconf/DynamicConfigFactory.java 30.76% 5 Missing and 4 partials :warning:
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5113      +/-   ##
==========================================
- Coverage   71.73%   71.73%   -0.01%     
==========================================
  Files         384      384              
  Lines       23866    23892      +26     
  Branches     3646     3652       +6     
==========================================
+ Hits        17121    17139      +18     
- Misses       4915     4923       +8     
  Partials     1830     1830              
Files with missing lines Coverage Δ
...security/dlic/rest/api/InternalUsersApiAction.java 94.02% <100.00%> (+0.48%) :arrow_up:
.../security/securityconf/impl/v7/InternalUserV7.java 66.12% <100.00%> (+3.62%) :arrow_up:
...ch/security/securityconf/DynamicConfigFactory.java 60.25% <30.76%> (-2.08%) :arrow_down:

... and 6 files with indirect coverage changes

codecov[bot] avatar Feb 19 '25 15:02 codecov[bot]

@shikharj05 Would you please resolve merge conflicts? We can also pick this back up once 4.0 is closer?

DarshitChanpura avatar Jun 09 '25 19:06 DarshitChanpura

@shikharj05 closing this PR as last update was 3 months ago. Feel free to open a new one.

DarshitChanpura avatar Jun 23 '25 16:06 DarshitChanpura