opensearch-project / flow-framework

OpenSearch plugin that enables builders to innovate AI apps on OpenSearch
Apache License 2.0

Added user level access control based on backend roles #838

Closed owaiskazi19 closed 2 months ago

owaiskazi19 commented 3 months ago

Description

Added user level access control based on backend roles.

  1. Created common util methods to get a workflow and then compare if requested user has backend role required to access the resource
  2. Blocked creation of workflows if user doesn’t have a backend role
  3. Changed following APIs with a check to see if user has permission to the resource using common method in task 1: update workflow, get workflow, provision workflow, get workflow status, reprovision workflow, deprovision workflow and delete workflow
  4. Created a common util method to add backend role for search requests (search workflows and search workflow state)
  5. Updated following API with additional backend role query in search request: search workflows and search workflow states [For this task, I had to change the search queries to boolean to add a nested filter query] @dbwiddis any thoughts?
  6. Added Security Integration tests for all APIs with backend roles considered (except reprovision)
  7. Documentation PR - https://github.com/opensearch-project/documentation-website/pull/8076

Learning after working on this feature

  1. How access role filtering is done on OpenSearch?
  2. Played a lot with ThreadContext
  3. How user level permissions are defined?
  4. Writing Security integration tests

Refer https://github.com/opensearch-project/flow-framework/issues/668#issuecomment-2294020696 for step by step workflow and src/test/java/org/opensearch/flowframework/rest/FlowFrameworkSecureRestApiIT.java file for complete functionality.

Related Issues

Resolves https://github.com/opensearch-project/flow-framework/issues/668

Check List

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.
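
The role check and search filter from items 1 to 5 of the description above, modelled in Python as an added example (not the plugin's Java code and not part of this pull request). The nested `user` object, the `user.backend_roles.keyword` field, the helper names and the fail-closed `match_none` branch are assumptions made for illustration.

```python
import json

# Assumption (not stated on the page): each workflow document stores its
# creator as a nested "user" object carrying a "backend_roles" list.
USER_PATH = "user"
ROLES_FIELD = "user.backend_roles.keyword"


class AccessDenied(Exception):
    """Raised when a request must be rejected before touching the index."""


def check_create_allowed(requester_roles):
    """Item 2: a user without any backend role may not create a workflow."""
    if not requester_roles:
        raise AccessDenied("user has no backend role; workflow creation blocked")


def can_access(requester_roles, workflow_doc):
    """Items 1 and 3: allow only if requester and owner share a backend role."""
    owner_roles = (workflow_doc.get("user") or {}).get("backend_roles") or []
    # Fails closed: no requester roles, or no recorded owner, means no access.
    return bool(set(requester_roles or []) & set(owner_roles))


def add_backend_role_filter(search_body, requester_roles):
    """Items 4 and 5: wrap the caller's query in a bool query and add a
    nested filter so only documents sharing a backend role can match."""
    original = search_body.get("query", {"match_all": {}})
    if requester_roles:
        terms = {"terms": {ROLES_FIELD: sorted(requester_roles)}}
        role_filter = {"nested": {"path": USER_PATH, "query": terms}}
    else:
        role_filter = {"match_none": {}}  # no roles: return nothing
    filtered = dict(search_body)  # size, sort, etc. stay untouched
    filtered["query"] = {"bool": {"must": [original], "filter": [role_filter]}}
    return filtered


if __name__ == "__main__":
    # Constructed sample data, not taken from the plugin's indices.
    workflow = {"name": "wf1", "user": {"name": "alice", "backend_roles": ["ml-team"]}}
    print(can_access(["ml-team", "ops"], workflow))  # shared role
    print(can_access(["finance"], workflow))         # no shared role
    body = add_backend_role_filter({"query": {"match": {"name": "wf1"}}}, ["ml-team"])
    print(json.dumps(body, indent=2))
```
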

codecov[bot] commented 3 months ago

Codecov Report

Attention: Patch coverage is 71.95767% with 106 lines in your changes missing coverage. Please review.

Project coverage is 77.44%. Comparing base (3a88199) to head (9d578d9). Report is 1 commits behind head on main.

| Files | Patch % | Lines |
|---|---|---|
| .../org/opensearch/flowframework/util/ParseUtils.java | 58.66% | 26 Missing and 5 partials :warning: |
| ...rk/transport/ProvisionWorkflowTransportAction.java | 66.66% | 20 Missing and 3 partials :warning: |
| .../transport/ReprovisionWorkflowTransportAction.java | 79.68% | 12 Missing and 1 partial :warning: |
| ...ework/transport/CreateWorkflowTransportAction.java | 70.00% | 8 Missing and 1 partial :warning: |
| ...ork/transport/GetWorkflowStateTransportAction.java | 78.57% | 5 Missing and 1 partial :warning: |
| ...ework/transport/DeleteWorkflowTransportAction.java | 75.00% | 5 Missing :warning: |
| ...ramework/transport/GetWorkflowTransportAction.java | 80.76% | 4 Missing and 1 partial :warning: |
| .../transport/DeprovisionWorkflowTransportAction.java | 83.33% | 4 Missing :warning: |
| ...flowframework/transport/handler/SearchHandler.java | 84.61% | 3 Missing and 1 partial :warning: |
| .../transport/SearchWorkflowStateTransportAction.java | 40.00% | 3 Missing :warning: |

... and 1 more

Additional details and impacted files

```diff
@@             Coverage Diff              @@
##               main     #838      +/-   ##
============================================
- Coverage     77.47%   77.44%   -0.03%
- Complexity      928      963      +35
============================================
  Files            96       97       +1
  Lines          4359     4536     +177
  Branches        413      423      +10
============================================
+ Hits           3377     3513     +136
- Misses          810      841      +31
- Partials        172      182      +10
```


opensearch-trigger-bot[bot] commented 2 months ago

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

```bash
# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/flow-framework/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/flow-framework/backport-2.x
# Create a new branch
git switch --create backport/backport-838-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 60458a6275a2fe358a236583bce29db821d09ddc
# Push it to GitHub
git push --set-upstream origin backport/backport-838-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/flow-framework/backport-2.x
```

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-838-to-2.x.