Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Command cat/indices will filter results per the Do Not Fail On Forbidden setting #3236

Merged
merged 9 commits into from
Aug 29, 2023
Merged

Command cat/indices will filter results per the Do Not Fail On Forbidden setting #3236

merged 9 commits into from
Aug 29, 2023

Conversation

derek-ho
Copy link
Collaborator

@derek-ho derek-ho commented Aug 24, 2023
edited
Loading

Description

This change allows for DNFOF behavior on the _cat/_indices API. It adds the required index permissions into the DNFOF regex to be picked up in the DNFOF code path. Previously it was being skipped/returning 403, since the index permissions were not in the regex.

Issues Resolved

Fix: #1815

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@derek-ho
cat indices fix
ce47862 
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
create new dnfof test suite
2bffbdc 
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
fix teh test
e0c869e 
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
Merge branch 'main' of github.com:opensearch-project/security into ca…
922611c 
…t_indices
@derek-ho
code cleanup and spotlessApply
89ddca3 
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho derek-ho changed the title Cat indices Enable DNFOF on cat indices API Aug 24, 2023
@derek-ho derek-ho marked this pull request as ready for review August 24, 2023 16:11
@derek-ho
move to existing test file and add unit test to test patterns
92d475b 
Signed-off-by: Derek Ho <dxho@amazon.com>
@codecov
Copy link

codecov bot commented Aug 24, 2023
edited
Loading

Codecov Report

Merging #3236 (c12333c) into main (46dfd84) will increase coverage by 0.00%.
Report is 9 commits behind head on main.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##               main    #3236    +/-   ##
==========================================
  Coverage     62.49%   62.49%            
- Complexity     3351     3400    +49     
==========================================
  Files           254      259     +5     
  Lines         19732    20056   +324     
  Branches       3334     3370    +36     
==========================================
+ Hits          12331    12534   +203     
- Misses         5773     5872    +99     
- Partials       1628     1650    +22
Files Changed Coverage Δ
...earch/security/privileges/PrivilegesEvaluator.java 73.20% <100.00%> (+0.08%) ⬆️

... and 19 files with indirect coverage changes

@derek-ho
turn regex into a function and update unit test to use it
20493d8 
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
change to wildcard matcher
c12333c 
Signed-off-by: Derek Ho <dxho@amazon.com>
@peternied peternied changed the title Enable DNFOF on cat indices API Command cat/indices will filter results per the Do Not Fail On Forbidden setting Aug 28, 2023
@RyanL1997 RyanL1997 merged commit 4c095d2 into opensearch-project:main Aug 29, 2023
@stephen-crawford stephen-crawford added the backport 2.x backport to 2.x branch label Aug 29, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3236-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 4c095d27fd30ec279dd4214e72a831ea9123a693
# Push it to GitHub
git push --set-upstream origin backport/backport-3236-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3236-to-2.x.

@peternied
Copy link
Member

Backport likely failed due to the integration tests not being backported

derek-ho added a commit to derek-ho/security that referenced this pull request Aug 29, 2023
@derek-ho
Command cat/indices will filter results per the Do Not Fail On Forb…
7faf072 
…idden setting (opensearch-project#3236)

This change allows for DNFOF behavior on the _cat/_indices API. It adds
the required index permissions into the DNFOF regex to be picked up in
the DNFOF code path. Previously it was being skipped/returning 403,
since the index permissions were not in the regex.

Fix: opensearch-project#1815

Is this a backport? If so, please add backport PR # and/or commits #

[Please provide details of testing done: unit testing, integration
testing and manual testing]

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Derek Ho <dxho@amazon.com>
(cherry picked from commit 4c095d2)
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho derek-ho mentioned this pull request Aug 29, 2023
Merged
3 tasks
cwperks pushed a commit that referenced this pull request Aug 29, 2023
@derek-ho
[Backport 2.x] Command cat/indices will filter results per the do n…
8197431 
…ot fail on forbidden setting (#3258)

### Description
Backport 4c095d2 of #3236 

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho derek-ho mentioned this pull request Jun 7, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@willyborankin willyborankin willyborankin left review comments

@RyanL1997 RyanL1997 RyanL1997 approved these changes

@peternied peternied peternied approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@cwperks cwperks Awaiting requested review from cwperks cwperks is a code owner

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@davidlago davidlago Awaiting requested review from davidlago

@stephen-crawford stephen-crawford Awaiting requested review from stephen-crawford

@reta reta Awaiting requested review from reta reta is a code owner

Assignees
No one assigned
Labels
backport 2.x backport to 2.x branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] do_not_fail_on_forbidden_empty does not work for cat api
5 participants
@derek-ho @peternied @willyborankin @RyanL1997 @stephen-crawford