Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OSD Permission and Permission Evaluation POC 2.0.2 #2

Open
wants to merge 8 commits into
base: 2.0
Choose a base branch
from
Open

OSD Permission and Permission Evaluation POC 2.0.2 #2

wants to merge 8 commits into from

Conversation

cliu123
Copy link
Owner

@cliu123 cliu123 commented Jun 30, 2022
edited
Loading

Reference on saved object registration: multi-data-source POC

Description

The POC proves:

  1. Dashboards can have saved object permissions, access policies and privilege evaluation mechnism for functionalities stored in a single .kibana index. So the it could have granular access control on inidividual saved objects without relying on tenant. Tenant could be removed.
  2. It's Dashboards self-owned data storage(in this case still an OpenSearch index .kibana) that doesn't rely on OpenSearch security plugin that stores permissions and access policies in security configuration index and evaluate priviledges.
  3. In the same approach, Dashboards identities(a new set of identities) can also be stored in Dashboards self-owned data storage.

APIs

Create sample-permission saved object:

% curl -XPOST http://localhost:5601/api/saved_objects/sample-permission -H 'osd-xsrf:true' -H 'Content-Type: application/json' -d '{
    "attributes":{
       "name":"saved_objects_data_read_get",
       "count":1
    }
 }'
{"type":"sample-permission","id":"ac9d3140-fb6e-11ec-bc8d-af0ea0fe07ba","attributes":{"name":"saved_objects_data_read_get","count":1},"references":[],"updated_at":"2022-07-04T07:55:30.258Z","version":"WzEsMV0="}%

Find all sample_permission saved objects:

% curl 'http://localhost:5601/api/saved_objects/_find?type=sample-permission' -H 'Content-Type: application/json' -H 'osd-xsrf:true'
{"page":1,"per_page":20,"total":1,"saved_objects":[{"type":"sample-permission","id":"ac9d3140-fb6e-11ec-bc8d-af0ea0fe07ba","attributes":{"name":"saved_objects_data_read_get","count":1},"references":[],"updated_at":"2022-07-04T07:55:30.258Z","version":"WzAsMV0=","score":0}]}%

Get a sample_permission saved object by id:

% curl 'http://localhost:5601/api/saved_objects/sample-permission/ac9d3140-fb6e-11ec-bc8d-af0ea0fe07ba' -H 'Content-Type: application/json' -H 'osd-xsrf:true'
{"id":"ac9d3140-fb6e-11ec-bc8d-af0ea0fe07ba","type":"sample-permission","namespaces":[],"updated_at":"2022-07-04T07:55:30.258Z","version":"WzAsMV0=","attributes":{"name":"saved_objects_data_read_get","count":1},"references":[]}%

Evaluate permissions:

  • Request with a non-existent permission gets unauthorized({"authorized":"false"}):
% curl 'http://localhost:5601/api/permission_management/hasPermission/123' -H 'Content-Type: application/json' -H 'osd-xsrf:true'
{"authorized":"false"}%
  • Request with an existent permission gets authorized({"authorized":"true"}):
% curl 'http://localhost:5601/api/permission_management/hasPermission/saved_objects_data_read_get' -H 'Content-Type: application/json' -H 'osd-xsrf:true'
{"authorized":"true"}%

opensearch-trigger-bot bot and others added 3 commits June 13, 2022 18:44
@opensearch-trigger-bot
Fix WMS can't load when unable access maps services (opensearch-proje…
9673aa6 
…ct#1550) (opensearch-project#1707)

* Fix WMS can't load when unable access maps services

Signed-off-by: Junqiu Lei <junqiu@amazon.com>
(cherry picked from commit b2cfb6e)
@opensearch-trigger-bot
Adds v2.0.1 release notes (opensearch-project#1744) (opensearch-proje…
4ca29ac 
…ct#1750)

Signed-off-by: Tommy Markley <markleyt@amazon.com>
(cherry picked from commit 72a3424)

Co-authored-by: Tommy Markley <markleyt@amazon.com>
@zelinh
Bump the version to 2.0.2 (opensearch-project#1758)
04183b7 
Signed-off-by: Zelin Hao <zelinhao@amazon.com>
@cliu123 cliu123 force-pushed the permission_poc_2.0.2 branch 3 times, most recently from fac0719 to b7956d0 Compare July 4, 2022 08:26
cliu123 and others added 3 commits July 4, 2022 01:27
@cliu123
Create permission_management plugin and register sample_permission sa…
304125e 
…ved object.

Reference: multi-data-source POC<https://github.com/seraphjiang/OpenSearch-Dashboards/pull/1/files>

Signed-off-by: Chang Liu <lc12251109@gmail.com>
@cliu123
Remove UI
100dbf0 
Signed-off-by: Chang Liu <lc12251109@gmail.com>
@cliu123
Add permission evaluation logic and API
0399abf 
Signed-off-by: Chang Liu <lc12251109@gmail.com>
@cliu123 cliu123 changed the title Permission poc 2.0.2 OSD Permission and Permission Evaluation POC 2.0.2 Jul 4, 2022
seraphjiang
seraphjiang reviewed Jul 5, 2022
View reviewed changes
src/plugins/permission_management/server/routes/permission_evaluation.ts Outdated
Comment on lines 12 to 29
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we remove elastic license head~

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@cliu123
Remove license header
9dffe07 
Signed-off-by: Chang Liu <lc12251109@gmail.com>
@cliu123
Fix eslint error
8c40a87 
Signed-off-by: Chang Liu <lc12251109@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seraphjiang seraphjiang seraphjiang left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cliu123 @seraphjiang @zelinh