Make configuration setting for user attribute serialization dynamic #5657
Conversation
markdboyd
requested review from
cwperks,
DarshitChanpura,
derek-ho,
nibix,
peternied,
RyanL1997,
reta,
shikharj05 and
willyborankin
as code owners
| Property.NodeScope, | ||
| Property.Filtered | ||
| Property.Filtered, | ||
| Property.Dynamic |
There was a problem hiding this comment.
Thanks, @markdboyd, for the dynamic implementation.
Quick question: Could toggling this property at runtime cause issues with in-flight requests or active scroll queries? The user context format change might lead to deserialization failures or inconsistent behavior for operations that span the configuration change.
There was a problem hiding this comment.
@kumjiten I don't think scroll would be affected. The user attributes are only needed for a subset of actions where the plugin persists these values in their system index. I suppose one enhancement could be to start collecting a list of those action names, but one problem with that is that it more tightly couples security with other plugins. Another enhancement could be to configure a list of attributes names that should be serialized and only serialize those attributes without serializing all attributes.
I think for anyone wanting to toggle this setting we should allow it. They can toggle back if they don't use DLS with user attributes substitution.
There was a problem hiding this comment.
Agreed, we should allow toggling.
If the consumer of
OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT if any, needs an update to deserialize the attributes, then toggling can result in failures. However, that is outside of the scope for this change.
There was a problem hiding this comment.
| Property.NodeScope, | ||
| Property.Filtered | ||
| Property.Filtered, | ||
| Property.Dynamic |
There was a problem hiding this comment.
Has this been tested? IMHO, it is not sufficient to add Property.Dynamic to a Setting object to make it dynamic; you also have to listen to settings updates. The way it is implemented currently, PrivilegesEvaluator will still read from the immutable Settings object that will never change.
See here for a minimal implementation:
There was a problem hiding this comment.
@nibix @kumjiten Doing manual testing, I found that I could not view or update this setting with the cluster settings API. After discussing with @cwperks, we found that:
- I needed to remove
Property.FILTEREDfor my setting: f8169f8 - There are two instances of
getSettingsFilterwhich seem to exclude all security plugin settings (plugins.security.*) from management by the cluster settings API by default. We updated these methods to change the default filters to something less restrictive: c0d8e2a, since properties can also be filtered by usingProperty.FILTERED
There was a problem hiding this comment.
Updated the default security settings filters: 1dbcbd9
There was a problem hiding this comment.
@nibix @cwperks @kumjiten I updated PrivilegesEvaluator to subscribe to updates on plugins.security.user_attribute_serialization.enabled:
With these changes, in manual testing, I can see that when the default of true for the setting is applied, then DLS/FLS user attribute substitution works as expected. But when I use the the cluster settings API to change the setting to false, then I see failures in DLS/FLS attribute substitution as expected.
Are there any tests I need to add here? It seems like I could add a test to src/integrationTest/java/org/opensearch/security/SecuritySettingsTests.java, but I'm not sure if it it necessary.
markdboyd
force-pushed
the
make-user-attribute-serialization-property-dynamic
branch
from
1dbcbd9 to
f11a3d5
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5657 +/- ##
==========================================
+ Coverage 72.97% 73.04% +0.07%
==========================================
Files 414 414
Lines 25873 25895 +22
Branches 3934 3934
==========================================
+ Hits 18881 18916 +35
+ Misses 5079 5067 -12
+ Partials 1913 1912 -1
🚀 New features to boost your workflow:
|
…ization.enabled dynamic Signed-off-by: Mark Boyd <[email protected]>
Signed-off-by: Mark Boyd <[email protected]>
Signed-off-by: Mark Boyd <[email protected]>
…er() Signed-off-by: Mark Boyd <[email protected]>
Signed-off-by: Mark Boyd <[email protected]>
…o SecuritySetting Signed-off-by: Mark Boyd <[email protected]>
…ther user attribute serialization is enabled Signed-off-by: Mark Boyd <[email protected]>
markdboyd
force-pushed
the
make-user-attribute-serialization-property-dynamic
branch
from
b7ca43b to
4c6c607
Compare
Description
This PR makes the configuration setting for
plugins.security.user_attribute_serialization.enableddynamic, so it can be updated via requests toPUT cluster/_settings.opensearch.yml. After: The setting can be dynamically updated with requests toPUT cluster/_settings.Issues Resolved
Is this a backport? If so, please add backport PR # and/or commits #, and remove
backport-failedlabel from the original PR.Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here
Testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.