This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

change the backend role filtering to keep consistent with alerting pl… #383

Merged
merged 1 commit into from
Feb 5, 2021
Expand Up @@ -50,7 +50,6 @@
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.ExistsQueryBuilder;
import org.elasticsearch.index.query.NestedQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
Expand Down Expand Up @@ -79,6 +78,7 @@
import com.amazon.opendistroforelasticsearch.ad.transport.GetAnomalyDetectorResponse;
import com.amazon.opendistroforelasticsearch.commons.ConfigConstants;
import com.amazon.opendistroforelasticsearch.commons.authuser.User;
import com.google.common.collect.ImmutableList;

/**
* Parsing utility functions.
Expand Down Expand Up @@ -425,31 +425,17 @@ public static List<FeatureData> getFeatureData(double[] currentFeature, AnomalyD
}

public static SearchSourceBuilder addUserBackendRolesFilter(User user, SearchSourceBuilder searchSourceBuilder) {
if (user == null) {
return searchSourceBuilder;
}
BoolQueryBuilder boolQueryBuilder = new BoolQueryBuilder();
String userFieldName = "user";
String userBackendRoleFieldName = "user.backend_roles.keyword";
if (user == null) {
// For old monitor and detector, they have no user field, user = null
ExistsQueryBuilder userRolesFilterQuery = QueryBuilders.existsQuery(userFieldName);
NestedQueryBuilder nestedQueryBuilder = new NestedQueryBuilder(userFieldName, userRolesFilterQuery, ScoreMode.None);
boolQueryBuilder.mustNot(nestedQueryBuilder);
} else if (user.getBackendRoles() == null || user.getBackendRoles().size() == 0) {
// For simple FGAC user, they may have no backend roles, these users should be able to see detectors
// of other users whose backend role is empty. user != null, user.backend_role == null
ExistsQueryBuilder userRolesFilterQuery = QueryBuilders.existsQuery(userBackendRoleFieldName);
NestedQueryBuilder nestedQueryBuilder = new NestedQueryBuilder(userFieldName, userRolesFilterQuery, ScoreMode.None);

ExistsQueryBuilder userExistsQuery = QueryBuilders.existsQuery(userFieldName);
NestedQueryBuilder userExistsNestedQueryBuilder = new NestedQueryBuilder(userFieldName, userExistsQuery, ScoreMode.None);

boolQueryBuilder.mustNot(nestedQueryBuilder);
boolQueryBuilder.must(userExistsNestedQueryBuilder);
} else {
// For normal case, user should have backend roles.
TermsQueryBuilder userRolesFilterQuery = QueryBuilders.termsQuery(userBackendRoleFieldName, user.getBackendRoles());
NestedQueryBuilder nestedQueryBuilder = new NestedQueryBuilder(userFieldName, userRolesFilterQuery, ScoreMode.None);
boolQueryBuilder.must(nestedQueryBuilder);
}
List<String> backendRoles = user.getBackendRoles() != null ? user.getBackendRoles() : ImmutableList.of();
Contributor Author

Currently the AD plugin parses the user from the thread context OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT; according to the User.parse code, the backend roles should be an empty list if there are no backend roles. We recheck here in case we support other cases or the user parse method changes in the future.

// For normal case, user should have backend roles.
TermsQueryBuilder userRolesFilterQuery = QueryBuilders.termsQuery(userBackendRoleFieldName, backendRoles);
NestedQueryBuilder nestedQueryBuilder = new NestedQueryBuilder(userFieldName, userRolesFilterQuery, ScoreMode.None);
boolQueryBuilder.must(nestedQueryBuilder);
QueryBuilder query = searchSourceBuilder.query();
if (query == null) {
searchSourceBuilder.query(boolQueryBuilder);
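Review bot: The new `if (user == null)` guard at the top of addUserBackendRolesFilter returns the search source with no filter at all, so any caller that passes null gets an unrestricted query, whereas the removed branch limited that case to documents without a `user` field. If null is meant to stand only for "no security user info in the thread context", that contract belongs on the method, e.g. `// null user: no security user info available, so no backend-role filter is applied`, and callers should not be able to reach it when user parsing merely failed. The retained comment `// For normal case, user should have backend roles.` is now stale, because the same terms query also covers null and empty role lists, where it should match no documents. The method body continues past the end of the hunk.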
Expand Up @@ -117,12 +117,7 @@ public void testGenerateInternalFeatureQueryTemplate() throws IOException {
public void testAddUserRoleFilterWithNullUser() {
SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
addUserBackendRolesFilter(null, searchSourceBuilder);
assertEquals(
"{\"query\":{\"bool\":{\"must_not\":[{\"nested\":{\"query\":{\"exists\":{\"field\":\"user\",\"boost\":1.0}},"
+ "\"path\":\"user\",\"ignore_unmapped\":false,\"score_mode\":\"none\",\"boost\":1.0}}],\"adjust_pure_negative\":true,"
+ "\"boost\":1.0}}}",
searchSourceBuilder.toString()
);
assertEquals("{}", searchSourceBuilder.toString());
}

public void testAddUserRoleFilterWithNullUserBackendRole() {
Expand All @@ -132,10 +127,9 @@ public void testAddUserRoleFilterWithNullUserBackendRole() {
searchSourceBuilder
);
assertEquals(
"{\"query\":{\"bool\":{\"must\":[{\"nested\":{\"query\":{\"exists\":{\"field\":\"user\",\"boost\":1.0}},"
+ "\"path\":\"user\",\"ignore_unmapped\":false,\"score_mode\":\"none\",\"boost\":1.0}}],\"must_not\":[{\"nested\":"
+ "{\"query\":{\"exists\":{\"field\":\"user.backend_roles.keyword\",\"boost\":1.0}},\"path\":\"user\",\"ignore_unmapped\""
+ ":false,\"score_mode\":\"none\",\"boost\":1.0}}],\"adjust_pure_negative\":true,\"boost\":1.0}}}",
"{\"query\":{\"bool\":{\"must\":[{\"nested\":{\"query\":{\"terms\":{\"user.backend_roles.keyword\":[],"
+ "\"boost\":1.0}},\"path\":\"user\",\"ignore_unmapped\":false,\"score_mode\":\"none\",\"boost\":1.0}}],"
+ "\"adjust_pure_negative\":true,\"boost\":1.0}}}",
searchSourceBuilder.toString()
);
}
Expand All @@ -152,10 +146,9 @@ public void testAddUserRoleFilterWithEmptyUserBackendRole() {
searchSourceBuilder
);
assertEquals(
"{\"query\":{\"bool\":{\"must\":[{\"nested\":{\"query\":{\"exists\":{\"field\":\"user\",\"boost\":1.0}},"
+ "\"path\":\"user\",\"ignore_unmapped\":false,\"score_mode\":\"none\",\"boost\":1.0}}],\"must_not\":[{\"nested\":"
+ "{\"query\":{\"exists\":{\"field\":\"user.backend_roles.keyword\",\"boost\":1.0}},\"path\":\"user\",\"ignore_unmapped\""
+ ":false,\"score_mode\":\"none\",\"boost\":1.0}}],\"adjust_pure_negative\":true,\"boost\":1.0}}}",
"{\"query\":{\"bool\":{\"must\":[{\"nested\":{\"query\":{\"terms\":{\"user.backend_roles.keyword\":[],"
+ "\"boost\":1.0}},\"path\":\"user\",\"ignore_unmapped\":false,\"score_mode\":\"none\",\"boost\":1.0}}],"
+ "\"adjust_pure_negative\":true,\"boost\":1.0}}}",
searchSourceBuilder.toString()
);
}
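Review bot: `assertEquals("{}", searchSourceBuilder.toString());` in testAddUserRoleFilterWithNullUser pins the unfiltered result for a null user without saying it is intended; a one-line comment such as `// null user: filter is skipped, source stays unchanged` would keep a later reader from treating it as a regression in an access filter. The expected JSON in testAddUserRoleFilterWithNullUserBackendRole and testAddUserRoleFilterWithEmptyUserBackendRole is the same three-line literal, so a shared constant would make it explicit that both cases must produce the empty `terms` list. None of the visible tests passes a source that already carries a query, so the path taken when `query` is not null is not exercised here, though it may be covered in a part of the file that is not shown.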