Skip to content

OSD Permission and Permission Evaluation POC 2.0.2#2

Open
cliu123 wants to merge 8 commits into2.0from
permission_poc_2.0.2
Open

OSD Permission and Permission Evaluation POC 2.0.2#2
cliu123 wants to merge 8 commits into2.0from
permission_poc_2.0.2

Conversation

@cliu123
Copy link
Copy Markdown
Owner

@cliu123 cliu123 commented Jun 30, 2022
edited
Loading

Reference on saved object registration: multi-data-source POC

Description

The POC proves:

  1. Dashboards can have saved object permissions, access policies and privilege evaluation mechnism for functionalities stored in a single .kibana index. So the it could have granular access control on inidividual saved objects without relying on tenant. Tenant could be removed.
  2. It's Dashboards self-owned data storage(in this case still an OpenSearch index .kibana) that doesn't rely on OpenSearch security plugin that stores permissions and access policies in security configuration index and evaluate priviledges.
  3. In the same approach, Dashboards identities(a new set of identities) can also be stored in Dashboards self-owned data storage.

APIs

Create sample-permission saved object:

% curl -XPOST http://localhost:5601/api/saved_objects/sample-permission -H 'osd-xsrf:true' -H 'Content-Type: application/json' -d '{
    "attributes":{
       "name":"saved_objects_data_read_get",
       "count":1
    }
 }'
{"type":"sample-permission","id":"ac9d3140-fb6e-11ec-bc8d-af0ea0fe07ba","attributes":{"name":"saved_objects_data_read_get","count":1},"references":[],"updated_at":"2022-07-04T07:55:30.258Z","version":"WzEsMV0="}%

Find all sample_permission saved objects:

% curl 'http://localhost:5601/api/saved_objects/_find?type=sample-permission' -H 'Content-Type: application/json' -H 'osd-xsrf:true'
{"page":1,"per_page":20,"total":1,"saved_objects":[{"type":"sample-permission","id":"ac9d3140-fb6e-11ec-bc8d-af0ea0fe07ba","attributes":{"name":"saved_objects_data_read_get","count":1},"references":[],"updated_at":"2022-07-04T07:55:30.258Z","version":"WzAsMV0=","score":0}]}%

Get a sample_permission saved object by id:

% curl 'http://localhost:5601/api/saved_objects/sample-permission/ac9d3140-fb6e-11ec-bc8d-af0ea0fe07ba' -H 'Content-Type: application/json' -H 'osd-xsrf:true'
{"id":"ac9d3140-fb6e-11ec-bc8d-af0ea0fe07ba","type":"sample-permission","namespaces":[],"updated_at":"2022-07-04T07:55:30.258Z","version":"WzAsMV0=","attributes":{"name":"saved_objects_data_read_get","count":1},"references":[]}%

Evaluate permissions:

  • Request with a non-existent permission gets unauthorized({"authorized":"false"}):
% curl 'http://localhost:5601/api/permission_management/hasPermission/123' -H 'Content-Type: application/json' -H 'osd-xsrf:true'
{"authorized":"false"}%
  • Request with an existent permission gets authorized({"authorized":"true"}):
% curl 'http://localhost:5601/api/permission_management/hasPermission/saved_objects_data_read_get' -H 'Content-Type: application/json' -H 'osd-xsrf:true'
{"authorized":"true"}%

opensearch-trigger-bot bot and others added 3 commits June 13, 2022 18:44
@opensearch-trigger-bot
Fix WMS can't load when unable access maps services (opensearch-proje…
9673aa6 
…ct#1550) (opensearch-project#1707)

* Fix WMS can't load when unable access maps services

Signed-off-by: Junqiu Lei <junqiu@amazon.com>
(cherry picked from commit b2cfb6e)
@opensearch-trigger-bot
Adds v2.0.1 release notes (opensearch-project#1744) (opensearch-proje…
4ca29ac 
…ct#1750)

Signed-off-by: Tommy Markley <markleyt@amazon.com>
(cherry picked from commit 72a3424)

Co-authored-by: Tommy Markley <markleyt@amazon.com>
@zelinh
Bump the version to 2.0.2 (opensearch-project#1758)
04183b7 
Signed-off-by: Zelin Hao <zelinhao@amazon.com>
@cliu123 cliu123 force-pushed the permission_poc_2.0.2 branch 3 times, most recently from fac0719 to b7956d0 Compare July 4, 2022 08:26
cliu123 and others added 3 commits July 4, 2022 01:27
@cliu123
Create permission_management plugin and register sample_permission sa…
304125e 
…ved object.

Reference: multi-data-source POC<https://github.com/seraphjiang/OpenSearch-Dashboards/pull/1/files>

Signed-off-by: Chang Liu <lc12251109@gmail.com>
@cliu123
Remove UI
100dbf0 
Signed-off-by: Chang Liu <lc12251109@gmail.com>
@cliu123
Add permission evaluation logic and API
0399abf 
Signed-off-by: Chang Liu <lc12251109@gmail.com>
@cliu123 cliu123 force-pushed the permission_poc_2.0.2 branch from b7956d0 to 0399abf Compare July 4, 2022 08:27
@cliu123 cliu123 changed the title Permission poc 2.0.2 OSD Permission and Permission Evaluation POC 2.0.2 Jul 4, 2022
seraphjiang
seraphjiang reviewed Jul 5, 2022
View reviewed changes
src/plugins/permission_management/server/routes/permission_evaluation.ts Outdated
Comment on lines +12 to +29
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
Copy link
Copy Markdown

@seraphjiang seraphjiang Jul 5, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we remove elastic license head~

Copy link
Copy Markdown
Owner Author

@cliu123 cliu123 Jul 5, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@cliu123
Remove license header
9dffe07 
Signed-off-by: Chang Liu <lc12251109@gmail.com>
@cliu123 cliu123 force-pushed the permission_poc_2.0.2 branch from 414c9db to 9dffe07 Compare July 5, 2022 18:11
@cliu123
Fix eslint error
8c40a87 
Signed-off-by: Chang Liu <lc12251109@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@seraphjiang seraphjiang seraphjiang left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cliu123 @seraphjiang @zelinh