support query-based terms lookup queries in DLS#6244
Conversation
PR Code Analyzer ❗AI-powered 'Code-Diff-Analyzer' found issues on commit d84e39e.
The table above displays the top 10 most important findings. Pull Requests Author(s): Please update your Pull Request according to the report above. Repository Maintainer(s): You can Thanks. |
PR Reviewer Guide 🔍(Review updated until commit d84e39e)Here are some key observations to aid the review process:
|
PR Code Suggestions ✨Latest suggestions up to d84e39e Explore these optional code suggestions:
Previous suggestionsSuggestions up to commit dd84988
Suggestions up to commit 55eb985
Suggestions up to commit a8dcab5
Suggestions up to commit ab9eb03
Suggestions up to commit faeba2f
|
faeba2f to
ab9eb03
Compare
|
Persistent review updated to latest commit ab9eb03 |
ab9eb03 to
a8dcab5
Compare
|
Persistent review updated to latest commit a8dcab5 |
| "indices:admin/mappings/fields/get*", | ||
| "indices:admin/shards/search_shards", | ||
| "indices:admin/resolve/index", | ||
| "indices:monitor/settings/get", |
There was a problem hiding this comment.
FYI: the presence of this is why the legacy evaluator allowed GetSettingsRequest
|
the CI failure is a false reject (can't fetch maven snapshots). i've seen this happen a lot lately! |
|
CC @srikanthpadakanti (you implemented |
|
from what i can see all CI failures are false rejects: they either failed due to not being able to fetch maven artefacts (i've seen that a lot now on PRs on this repo - what's going on here?) - or completely unrelated tests failing => probably nothing that i can help sort out here? |
a8dcab5 to
55eb985
Compare
|
Persistent review updated to latest commit 55eb985 |
55eb985 to
dd84988
Compare
|
Persistent review updated to latest commit dd84988 |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #6244 +/- ##
==========================================
+ Coverage 75.02% 75.20% +0.18%
==========================================
Files 451 451
Lines 29248 29249 +1
Branches 4407 4410 +3
==========================================
+ Hits 21942 21996 +54
+ Misses 5270 5209 -61
- Partials 2036 2044 +8
🚀 New features to boost your workflow:
|
|
Thank you for this and sorry for the late response; at the moment, I have quite a few different things going on. |
OpenSearch introduced the possibility to use a `query` rather than just an `id` in Terms Lookup Queries in OpenSearch#18195 in release 3.2.0. However, support for this was never added to the security plugin for DLS/FLS. When trying to use `query` based TLQ in a DLS this failed for two reasons: - the visible failure is an NPE because `DlsFilterLevelActionHandler` unconditionally dereferenced `termsLookup().id()`, which returns `null` for query-based lookups. - additionally, the `DocumentAllowList` privilege bypass only handled `GetRequest`, but query-based TLQ internally resolves via `SearchRequest` and additionally uses a `GetSettingsRequest`, causing the privileges evaluator to block the lookup even after the NPE is fixed. This commit adds proper support for `query` based TLQ in DLS, both for the old and the new evaluator, by allowlisting a wildcard entry for the whole index in question rather than a single document in case `query` is used. additionally, `SearchRequest` and `GetSettingsRequest` are now also supported in `DocumentAllowList#isAllowed`. Furthermore, the legacy `PrivilegesEvaluatorImpl#checkDocAllowListHeader` now delegates to `DocumentAllowList#isAllowed` since the old method body was a hand-inlined copy of the same logic (parse header, check request); delegating removes the duplication and picks up `SearchRequest` support without repeating the new code. Header parsing in `DocumentAllowList#isAllowed` is now delegated to `DocumentAllowList#get` to centralise error handling. The wildcard allowlist pattern is already established for Dashboards multi-tenancy and is scoped to the request's thread context, so it cannot grant persistent or write access beyond the TLQ resolution. Existing code with the wildcard has been migrated to use the new constant to make it easier to find it. fixes opensearch-project#6243 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Ralph Ursprung <Ralph.Ursprung@avaloq.com>
so far, the tests only used the legacy evaluator. add a new subclass to also test against V4 to ensure that this is also covered. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Ralph Ursprung <Ralph.Ursprung@avaloq.com>
|
if we can't reach an understanding of how the whitelisting for the index targeted by the subquery should work before we hit the code freeze for 3.8.0 would it also be ok if i'd split this in two: this PR would only add support for running query-based TLQs in DLS and the authorization part would be a new issue. then it'd already be possible to use query-based TLQ in DLS as long as the user is granted read access to the index targeted by the subquery (a workable workaround which could be documented as such). |
dd84988 to
d84e39e
Compare
|
Persistent review updated to latest commit d84e39e |
Description
OpenSearch introduced the possibility to use a
queryrather than justan
idin Terms Lookup Queries in opensearch-project/OpenSearch#18195 in release 3.2.0.However, support for this was never added to the security plugin for
DLS/FLS.
When trying to use
querybased TLQ in a DLS this failed for tworeasons:
DlsFilterLevelActionHandlerunconditionally dereferenced
termsLookup().id(), which returnsnullfor query-based lookups.DocumentAllowListprivilege bypass only handledGetRequest, but query-based TLQ internally resolves viaSearchRequestand additionally uses aGetSettingsRequest, causingthe privileges evaluator to block the lookup even after the NPE is
fixed.
This commit adds proper support for
querybased TLQ in DLS, both forthe old and the new evaluator, by allowlisting a wildcard entry for the
whole index in question rather than a single document in case
queryisused. additionally,
SearchRequestandGetSettingsRequestare nowalso supported in
DocumentAllowList#isAllowed.Furthermore, the legacy
PrivilegesEvaluatorImpl#checkDocAllowListHeadernow delegates toDocumentAllowList#isAllowedsince the old method body was ahand-inlined copy of the same logic (parse header, check request);
delegating removes the duplication and picks up
SearchRequestsupportwithout repeating the new code.
Header parsing in
DocumentAllowList#isAllowedis now delegated toDocumentAllowList#getto centralise error handling.The wildcard allowlist pattern is already established for Dashboards
multi-tenancy and is scoped to the request's thread context, so it
cannot grant persistent or write access beyond the TLQ resolution.
Existing code with the wildcard has been migrated to use the new
constant to make it easier to find it.
additionally,
DlsTermLookupQueryV4EvaluatorTesthas been added (in a separate commit) to run the tests fromDlsTermLookupQueryTestalso against the new evaluator (this unearthed thatGetSettingsRequesthad to be whitelisted as well; the old evaluator didn't block this!).Issues Resolved
fixes #6243
Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end?
no
Testing
unit & integration testing + manual testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.