Adds a way to configure security plugin for resource access-control

Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura · Aug 30, 2024 · d7169e4 · d7169e4
1 parent 08cdcb3
commit d7169e4
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 0 deletions.
diff --git a/server/src/main/java/org/opensearch/accesscontrol/resources/ResourceService.java b/server/src/main/java/org/opensearch/accesscontrol/resources/ResourceService.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchException;
+import org.opensearch.plugins.NoOpResourcePlugin;
+import org.opensearch.plugins.ResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourcePlugin;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * Resource access control for OpenSearch
+ *
+ * @opensearch.experimental
+ * */
+public class ResourceService {
+    private static final Logger log = LogManager.getLogger(ResourceService.class);
+
+    private final ResourcePlugin resourcePlugin;
+
+    public ResourceService(final List<ResourceAccessControlPlugin> resourcePlugins) {
+        if (resourcePlugins.size() == 0) {
+            log.debug("Security plugin disabled: Using NoopResourcePlugin");
+            resourcePlugin = new NoOpResourcePlugin();
+        } else if (resourcePlugins.size() == 1) {
+            log.debug("Security plugin enabled: Using OpenSearchSecurityPlugin");
+            resourcePlugin = resourcePlugins.get(0);
+        } else {
+            throw new OpenSearchException(
+                "Multiple resource access control plugins are not supported, found: "
+                    + resourcePlugins.stream().map(Object::getClass).map(Class::getName).collect(Collectors.joining(","))
+            );
+        }
+    }
+
+    /**
+     * Gets the current ResourcePlugin to perform authorization
+     */
+    public ResourcePlugin getResourceAccessControlPlugin() {
+        return resourcePlugin;
+    }
+}
diff --git a/server/src/main/java/org/opensearch/node/Node.java b/server/src/main/java/org/opensearch/node/Node.java
@@ -41,6 +41,7 @@
 import org.opensearch.OpenSearchParseException;
 import org.opensearch.OpenSearchTimeoutException;
 import org.opensearch.Version;
+import org.opensearch.accesscontrol.resources.ResourceService;
 import org.opensearch.action.ActionModule;
 import org.opensearch.action.ActionModule.DynamicActionRegistry;
 import org.opensearch.action.ActionType;
@@ -212,6 +213,7 @@
 import org.opensearch.plugins.Plugin;
 import org.opensearch.plugins.PluginsService;
 import org.opensearch.plugins.RepositoryPlugin;
+import org.opensearch.plugins.ResourceAccessControlPlugin;
 import org.opensearch.plugins.ScriptPlugin;
 import org.opensearch.plugins.SearchPipelinePlugin;
 import org.opensearch.plugins.SearchPlugin;
@@ -1058,6 +1060,11 @@ protected Node(
             );
             modules.add(actionModule);
 
+            final List<ResourceAccessControlPlugin> resourceAccessControlPlugins = pluginsService.filterPlugins(
+                ResourceAccessControlPlugin.class
+            );
+            ResourceService resourceService = new ResourceService(resourceAccessControlPlugins);
+
             final RestController restController = actionModule.getRestController();
 
             final NodeResourceUsageTracker nodeResourceUsageTracker = new NodeResourceUsageTracker(
@@ -1454,6 +1461,7 @@ protected Node(
                 b.bind(ResourceUsageCollectorService.class).toInstance(resourceUsageCollectorService);
                 b.bind(SystemIndices.class).toInstance(systemIndices);
                 b.bind(IdentityService.class).toInstance(identityService);
+                b.bind(ResourceService.class).toInstance(resourceService);
                 b.bind(Tracer.class).toInstance(tracer);
                 b.bind(SearchRequestStats.class).toInstance(searchRequestStats);
                 b.bind(SearchRequestSlowLog.class).toInstance(searchRequestSlowLog);

diff --git a/server/src/main/java/org/opensearch/plugins/ResourceAccessControlPlugin.java b/server/src/main/java/org/opensearch/plugins/ResourceAccessControlPlugin.java
@@ -0,0 +1,17 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.plugins;
+
+/**
+ * Class to determine presence of security plugin in the cluster.
+ * If yes, security plugin will be used for resource access authorization
+ *
+ * @opensearch.experimental
+ */
+public interface ResourceAccessControlPlugin extends ResourcePlugin {}