[Rule-based Autotagging] add security attributes to rules #19232
Conversation
ruai0511
force-pushed
the
security-attr
branch
2 times, most recently
from
7d53efb to
07a5cd4
Compare
|
❌ Gradle check result for 07a5cd4: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Ruirui Zhang <[email protected]>
ruai0511
force-pushed
the
security-attr
branch
from
07a5cd4 to
eb67fce
Compare
|
❌ Gradle check result for eb67fce: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
| /** | ||
| * Key representing the username subfield. | ||
| */ | ||
| public static final String USERNAME = "username"; |
There was a problem hiding this comment.
Can we make this more generic so that there's no reference to username or role?
I'm not sure how WLM works, but I know that a request will match to the best workload group. How does the scoring work for matching? Can we assign weights to different attributes to help with the matching problem to determine the best group?
@peternied we've been discussion an extensible <-> extending plugin relationship here, especially since you can now define optional relationships with extending -> extensible plugin. In this case, WLM needs attributes from security, but it differs from other plugins because its in the core. There's certainly prevalent usage of common-utils today but we should not introduce a dependency on common-utils in the core repo. (In general, we need to work towards removal of common-utils). IdentityPlugin is one avenue, but that extension point is quite simple and only used for username and has no notion of roles or other attributes. We could certainly entertain expanding on the notion of subject to add roles, but I know there were differing opinions on that and as a result the IdentityPlugin can only be used to get username. In this case, by making WLM extensible it can ask other plugins to define an attribute extractor to feed it back attributes (and weights to break ties) given a REST Request. For security that could be username + roles and it would give higher precedence to direct username matching to workload groups. |
| * Defines the combination style used when a request contains multiple values | ||
| * for an attribute. | ||
| */ | ||
| enum CombinationStyle { |
There was a problem hiding this comment.
Lets rename this to LogicalOperator.
| /** | ||
| * Returns the allowed subfields ordered from highest to lowest priority | ||
| */ | ||
| default List<String> getPrioritizedSubfields() { |
There was a problem hiding this comment.
If we are meaning to introduce hierarchical attributes then returning List makes sense. Since it can support the current use case and still keep the code closed for modification if we want to move to hierarchical model.
| * Parses attribute values for specific attributes | ||
| * @param parser the XContent parser | ||
| */ | ||
| default Set<String> fromXContentParseAttributeValues(XContentParser parser) throws IOException { |
There was a problem hiding this comment.
I don't see it resonating with subfield/sub attribute model. Can we add some example usage in the comments to better comprehend the new Attribute design model
| * Returns the list of attributes ordered by their processing priority. | ||
| * @return List of prioritized attributes. | ||
| */ | ||
| List<Attribute> getPrioritizedAttributesList(); |
There was a problem hiding this comment.
I think with this chances of errors are high since any modification or merge conflicts can easily mess up the supposed order. I would advise to keep the prioritization as an integer value within attribute definition and clients of the list can sort the attributes based on the priority of the attributes.
The proposed approach also can remove the need for this additional method.
There was a problem hiding this comment.
But if we keep them in attribute definition, the ordering would be the same for all feature types. But ideally for each use case the order might be different.
| for (Map.Entry<String, V> possibleMatch : trie.prefixMap(longestMatchingPrefix).entrySet()) { | ||
| if (key.startsWith(possibleMatch.getKey())) { | ||
| return Optional.of(possibleMatch.getValue()); | ||
| for (int len = key.length(); len >= 0; len--) { |
There was a problem hiding this comment.
This is tricky and the time complexity here is changing to O(n^2). Can we come up with a more optimal implementation ?
modules/autotagging-commons/common/src/main/java/org/opensearch/rule/SecurityAttribute.java
Show resolved
Hide resolved
|
❌ Gradle check result for 756409d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Ruirui Zhang <[email protected]>
ruai0511
force-pushed
the
security-attr
branch
from
756409d to
209f55d
Compare
|
❌ Gradle check result for 209f55d: null Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Description
This PR enhances rule-based auto-tagging functionality by introducing security-related attributes. Specifically, we aim to extract user information (username and role) from the security context of incoming requests. In many real-world environments, security context is essential for customers with multiple teams, departments, or security boundaries. By enabling the use of security attributes in auto-tagging rules, this project will provide more practical and convenient ways to define the tenants.
Related Issues
Resolves #[Issue number to be closed when this PR is merged]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.