
Commit 1a6efbf

committed
Remove hard-coded action names, pull from core instead
Signed-off-by: shikharj05 <8859327+shikharj05@users.noreply.github.com>
1 parent 2f870c7 commit 1a6efbf


1 file changed

+22
-9
lines changed

1 file changed

+22
-9
lines changed

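--- a/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java
@@ -38,6 +38,12 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.RealtimeRequest;
+import org.opensearch.action.admin.cluster.snapshots.restore.RestoreSnapshotAction;
+import org.opensearch.action.admin.indices.alias.IndicesAliasesAction;
+import org.opensearch.action.admin.indices.close.CloseIndexAction;
+import org.opensearch.action.admin.indices.delete.DeleteIndexAction;
+import org.opensearch.action.admin.indices.mapping.put.PutMappingAction;
+import org.opensearch.action.admin.indices.settings.put.UpdateSettingsAction;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.indices.SystemIndexRegistry;
@@ -71,6 +77,9 @@ public class SystemIndexAccessEvaluator {
 private final boolean isSystemIndexEnabled;
 private final boolean isSystemIndexPermissionEnabled;
 private final static ImmutableSet<String> SYSTEM_INDEX_PERMISSION_SET = ImmutableSet.of(ConfigConstants.SYSTEM_INDEX_PERMISSION);
+// Pattern for all actions like indices:data/write/index, indices:data/write/bulk, indices:data/write/delete,
+// indices:data/write/reindex, etc
+public static final String INDICES_DATA_WRITE_ALL_ACTIONS_PATTERN = "indices:data/write/*";
 
 public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, IndexResolverReplacer irr) {
 this.securityIndex = settings.get(
@@ -97,8 +106,8 @@ public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, In
 final List<String> deniedActionPatternsList = deniedActionPatterns();
 
 final List<String> deniedActionPatternsListNoSnapshot = new ArrayList<>(deniedActionPatternsList);
-deniedActionPatternsListNoSnapshot.add("indices:admin/close*");
-deniedActionPatternsListNoSnapshot.add("cluster:admin/snapshot/restore*");
+deniedActionPatternsListNoSnapshot.add(CloseIndexAction.NAME + "*"); // "indices:admin/close*"
+deniedActionPatternsListNoSnapshot.add(RestoreSnapshotAction.NAME + "*"); // "cluster:admin/snapshot/restore*"
 
 deniedActionsMatcher = WildcardMatcher.from(
 restoreSecurityIndexEnabled ? deniedActionPatternsList : deniedActionPatternsListNoSnapshot
@@ -111,13 +120,17 @@ public SystemIndexAccessEvaluator(final Settings settings, AuditLog auditLog, In
 
 private static List<String> deniedActionPatterns() {
 final List<String> securityIndexDeniedActionPatternsList = new ArrayList<>();
-securityIndexDeniedActionPatternsList.add("indices:data/write*");
-securityIndexDeniedActionPatternsList.add("indices:admin/delete*");
-securityIndexDeniedActionPatternsList.add("indices:admin/mapping/delete*");
-securityIndexDeniedActionPatternsList.add("indices:admin/mapping/put*");
-securityIndexDeniedActionPatternsList.add("indices:admin/freeze*");
-securityIndexDeniedActionPatternsList.add("indices:admin/settings/update*");
-securityIndexDeniedActionPatternsList.add("indices:admin/aliases");
+securityIndexDeniedActionPatternsList.add(INDICES_DATA_WRITE_ALL_ACTIONS_PATTERN); // "indices:data/write*"
+securityIndexDeniedActionPatternsList.add(DeleteIndexAction.NAME + "*"); // "indices:admin/delete*"
+// action does not exist in OpenSearch-
+// https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices/mapping
+// securityIndexDeniedActionPatternsList.add("indices:admin/mapping/delete*");
+securityIndexDeniedActionPatternsList.add(PutMappingAction.NAME + "*"); // indices:admin/mapping/put*
+// action does not exist in OpenSearch-
+// https://github.com/opensearch-project/OpenSearch/tree/main/server/src/main/java/org/opensearch/action/admin/indices
+// securityIndexDeniedActionPatternsList.add("indices:admin/freeze*");
+securityIndexDeniedActionPatternsList.add(UpdateSettingsAction.NAME + "*"); // "indices:admin/settings/update*"
+securityIndexDeniedActionPatternsList.add(IndicesAliasesAction.NAME); // "indices:admin/aliases"
 return securityIndexDeniedActionPatternsList;
 }
 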
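Review bot: The new constant `INDICES_DATA_WRITE_ALL_ACTIONS_PATTERN` has the value `"indices:data/write/*"`, yet it replaces the denylist entry `"indices:data/write*"` and the inline comment at its use in `deniedActionPatterns()` still documents the old, slash-less value; assuming `WildcardMatcher` treats `*` as matching any characters, the added slash narrows the pattern so an action named exactly `indices:data/write` or `indices:data/writeX` would stop being denied. If the narrowing is intended, fix the comment to `// "indices:data/write/*"` and say why in the constant's comment; otherwise keep the original value in the constant, `public static final String INDICES_DATA_WRITE_ALL_ACTIONS_PATTERN = "indices:data/write*";`. The two commented-out `add(...)` calls for `indices:admin/mapping/delete*` and `indices:admin/freeze*` also quietly remove entries from the denylist guarding the security index; since the matcher works on action-name strings rather than core classes, a non-core action registered under such a name would no longer be caught, so either keep those literal patterns or replace the dead code with a one-line comment stating the removal is deliberate and why. The constructor hunk at `-97,8 +106,8` belongs to a method whose start and end lie outside the hunk.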
