Removed tenant/user/role based filtering

[Tests] Updated tests Signed-off-by: @akbhatta
opensearch-project · Sep 17, 2021 · a07d77d · a07d77d
1 parent 6ba70a9
commit a07d77d
Show file tree

Hide file tree

Showing 20 changed files with 37 additions and 316 deletions.
diff --git a/notifications/notifications/src/main/config/notifications.yml b/notifications/notifications/src/main/config/notifications.yml
@@ -31,15 +31,3 @@ opensearch.notifications:
   general:
     operationTimeoutMs: 60000 # 60 seconds, Minimum 100ms
     defaultItemsQueryCount: 100 # default number of items to query
-  access:
-    adminAccess: "All"
-    # adminAccess values:
-    ## Standard -> Admin user access follows standard user
-    ## All -> Admin user with "all_access" role can see all data of all users.
-    filterBy: "NoFilter" # Applied when tenant != __user__
-    # filterBy values:
-    ## NoFilter -> everyone see each other's configurations
-    ## User -> configurations are visible to only themselves
-    ## Roles -> configurations are visible to users having any one of the role of creator
-    ## BackendRoles -> configurations are visible to users having any one of the backend role of creator
-    ignoreRoles: ["own_index", "kibana_user", "notifications_full_access", "notifications_read_access"]
diff --git a/...notifications/src/main/kotlin/org/opensearch/notifications/index/ConfigIndexingActions.kt b/...notifications/src/main/kotlin/org/opensearch/notifications/index/ConfigIndexingActions.kt
@@ -151,7 +151,7 @@ object ConfigIndexingActions {
             }
             // Validate that the user has access to underlying configurations as well.
             val currentMetadata = it.configDoc.metadata
-            if (!userAccess.doesUserHasAccess(user, currentMetadata.tenant, currentMetadata.access)) {
+            if (!userAccess.doesUserHasAccess(user, currentMetadata.access)) {
                 Metrics.NOTIFICATIONS_PERMISSION_USER_ERROR.counter.increment()
                 throw OpenSearchStatusException(
                     "Permission denied for NotificationConfig ${it.docInfo.id}",
@@ -219,7 +219,6 @@ object ConfigIndexingActions {
         val metadata = DocMetadata(
             currentTime,
             currentTime,
-            userAccess.getUserTenant(user),
             userAccess.getAllAccessInfo(user)
         )
         val configDoc = NotificationConfigDoc(metadata, request.notificationConfig)
@@ -255,7 +254,7 @@ object ConfigIndexingActions {
             }
 
         val currentMetadata = currentConfigDoc.configDoc.metadata
-        if (!userAccess.doesUserHasAccess(user, currentMetadata.tenant, currentMetadata.access)) {
+        if (!userAccess.doesUserHasAccess(user, currentMetadata.access)) {
             Metrics.NOTIFICATIONS_PERMISSION_USER_ERROR.counter.increment()
             throw OpenSearchStatusException(
                 "Permission denied for NotificationConfig ${request.configId}",
@@ -306,15 +305,14 @@ object ConfigIndexingActions {
                 throw OpenSearchStatusException("NotificationConfig $configId not found", RestStatus.NOT_FOUND)
             }
         val metadata = configDoc.configDoc.metadata
-        if (!userAccess.doesUserHasAccess(user, metadata.tenant, metadata.access)) {
+        if (!userAccess.doesUserHasAccess(user, metadata.access)) {
             Metrics.NOTIFICATIONS_PERMISSION_USER_ERROR.counter.increment()
             throw OpenSearchStatusException("Permission denied for NotificationConfig $configId", RestStatus.FORBIDDEN)
         }
         val configInfo = NotificationConfigInfo(
             configId,
             metadata.lastUpdateTime,
             metadata.createdTime,
-            metadata.tenant,
             configDoc.configDoc.config
         )
         return GetNotificationConfigResponse(NotificationConfigSearchResult(configInfo))
@@ -340,7 +338,7 @@ object ConfigIndexingActions {
         }
         configDocs.forEach {
             val currentMetadata = it.configDoc.metadata
-            if (!userAccess.doesUserHasAccess(user, currentMetadata.tenant, currentMetadata.access)) {
+            if (!userAccess.doesUserHasAccess(user, currentMetadata.access)) {
                 Metrics.NOTIFICATIONS_PERMISSION_USER_ERROR.counter.increment()
                 throw OpenSearchStatusException(
                     "Permission denied for NotificationConfig ${it.docInfo.id}",
@@ -353,7 +351,6 @@ object ConfigIndexingActions {
                 it.docInfo.id!!,
                 it.configDoc.metadata.lastUpdateTime,
                 it.configDoc.metadata.createdTime,
-                it.configDoc.metadata.tenant,
                 it.configDoc.config
             )
         }
@@ -369,7 +366,6 @@ object ConfigIndexingActions {
     private fun getAll(request: GetNotificationConfigRequest, user: User?): GetNotificationConfigResponse {
         log.info("$LOG_PREFIX:NotificationConfig-getAll")
         val searchResult = operations.getAllNotificationConfigs(
-            userAccess.getUserTenant(user),
             userAccess.getSearchAccessInfo(user),
             request
         )
@@ -392,7 +388,6 @@ object ConfigIndexingActions {
         )
         val getAllRequest = GetNotificationConfigRequest(filterParams = filterParams)
         val getAllResult = operations.getAllNotificationConfigs(
-            userAccess.getUserTenant(user),
             userAccess.getSearchAccessInfo(user),
             getAllRequest
         )
@@ -435,7 +430,7 @@ object ConfigIndexingActions {
             }
 
         val currentMetadata = currentConfigDoc.configDoc.metadata
-        if (!userAccess.doesUserHasAccess(user, currentMetadata.tenant, currentMetadata.access)) {
+        if (!userAccess.doesUserHasAccess(user, currentMetadata.access)) {
             Metrics.NOTIFICATIONS_PERMISSION_USER_ERROR.counter.increment()
             throw OpenSearchStatusException(
                 "Permission denied for NotificationConfig $configId",
@@ -473,7 +468,7 @@ object ConfigIndexingActions {
         }
         configDocs.forEach {
             val currentMetadata = it.configDoc.metadata
-            if (!userAccess.doesUserHasAccess(user, currentMetadata.tenant, currentMetadata.access)) {
+            if (!userAccess.doesUserHasAccess(user, currentMetadata.access)) {
                 Metrics.NOTIFICATIONS_PERMISSION_USER_ERROR.counter.increment()
                 throw OpenSearchStatusException(
                     "Permission denied for NotificationConfig ${it.docInfo.id}",

diff --git a/...ions/notifications/src/main/kotlin/org/opensearch/notifications/index/ConfigOperations.kt b/...ions/notifications/src/main/kotlin/org/opensearch/notifications/index/ConfigOperations.kt
@@ -61,13 +61,11 @@ interface ConfigOperations {
 
     /**
      * Query index for NotificationConfigDocs for given access details
-     * @param tenant the tenant of the user
      * @param access the list of access details to search NotificationConfigDocs for.
      * @param request [GetNotificationConfigRequest] object
      * @return search result of NotificationConfigDocs
      */
     fun getAllNotificationConfigs(
-        tenant: String,
         access: List<String>,
         request: GetNotificationConfigRequest
     ): NotificationConfigSearchResult

diff --git a/.../notifications/src/main/kotlin/org/opensearch/notifications/index/EventIndexingActions.kt b/.../notifications/src/main/kotlin/org/opensearch/notifications/index/EventIndexingActions.kt
@@ -84,15 +84,14 @@ object EventIndexingActions {
                 throw OpenSearchStatusException("NotificationEvent $eventId not found", RestStatus.NOT_FOUND)
             }
         val metadata = eventDoc.eventDoc.metadata
-        if (!userAccess.doesUserHasAccess(user, metadata.tenant, metadata.access)) {
+        if (!userAccess.doesUserHasAccess(user, metadata.access)) {
             Metrics.NOTIFICATIONS_PERMISSION_USER_ERROR.counter.increment()
             throw OpenSearchStatusException("Permission denied for NotificationEvent $eventId", RestStatus.FORBIDDEN)
         }
         val eventInfo = NotificationEventInfo(
             eventId,
             metadata.lastUpdateTime,
             metadata.createdTime,
-            metadata.tenant,
             eventDoc.eventDoc.event
         )
         return GetNotificationEventResponse(NotificationEventSearchResult(eventInfo))
@@ -118,7 +117,7 @@ object EventIndexingActions {
         }
         eventDocs.forEach {
             val currentMetadata = it.eventDoc.metadata
-            if (!userAccess.doesUserHasAccess(user, currentMetadata.tenant, currentMetadata.access)) {
+            if (!userAccess.doesUserHasAccess(user, currentMetadata.access)) {
                 Metrics.NOTIFICATIONS_PERMISSION_USER_ERROR.counter.increment()
                 throw OpenSearchStatusException(
                     "Permission denied for NotificationEvent ${it.docInfo.id}",
@@ -131,7 +130,6 @@ object EventIndexingActions {
                 it.docInfo.id!!,
                 it.eventDoc.metadata.lastUpdateTime,
                 it.eventDoc.metadata.createdTime,
-                it.eventDoc.metadata.tenant,
                 it.eventDoc.event
             )
         }
@@ -147,7 +145,6 @@ object EventIndexingActions {
     private fun getAll(request: GetNotificationEventRequest, user: User?): GetNotificationEventResponse {
         log.info("$LOG_PREFIX:NotificationEvent-getAll")
         val searchResult = operations.getAllNotificationEvents(
-            userAccess.getUserTenant(user),
             userAccess.getSearchAccessInfo(user),
             request
         )

diff --git a/...tions/notifications/src/main/kotlin/org/opensearch/notifications/index/EventOperations.kt b/...tions/notifications/src/main/kotlin/org/opensearch/notifications/index/EventOperations.kt
@@ -61,13 +61,11 @@ interface EventOperations {
 
     /**
      * Query index for NotificationEventDocs for given access details
-     * @param tenant the tenant of the user
      * @param access the list of access details to search NotificationEventDocs for.
      * @param request [GetNotificationEventRequest] object
      * @return search result of NotificationEventDocs
      */
     fun getAllNotificationEvents(
-        tenant: String,
         access: List<String>,
         request: GetNotificationEventRequest
     ): NotificationEventSearchResult

diff --git a/...tifications/src/main/kotlin/org/opensearch/notifications/index/NotificationConfigIndex.kt b/...tifications/src/main/kotlin/org/opensearch/notifications/index/NotificationConfigIndex.kt
@@ -43,7 +43,6 @@ import org.opensearch.common.unit.TimeValue
 import org.opensearch.common.xcontent.LoggingDeprecationHandler
 import org.opensearch.common.xcontent.NamedXContentRegistry
 import org.opensearch.common.xcontent.XContentType
-import org.opensearch.commons.notifications.NotificationConstants.TENANT_TAG
 import org.opensearch.commons.notifications.action.GetNotificationConfigRequest
 import org.opensearch.commons.notifications.model.NotificationConfigInfo
 import org.opensearch.commons.notifications.model.NotificationConfigSearchResult
@@ -92,7 +91,6 @@ internal object NotificationConfigIndex : ConfigOperations {
                 searchHit.id,
                 doc.metadata.lastUpdateTime,
                 doc.metadata.createdTime,
-                doc.metadata.tenant,
                 doc.config
             )
         }
@@ -213,7 +211,6 @@ internal object NotificationConfigIndex : ConfigOperations {
      * {@inheritDoc}
      */
     override fun getAllNotificationConfigs(
-        tenant: String,
         access: List<String>,
         request: GetNotificationConfigRequest
     ): NotificationConfigSearchResult {
@@ -224,7 +221,6 @@ internal object NotificationConfigIndex : ConfigOperations {
             .size(request.maxItems)
             .from(request.fromIndex)
         val query = QueryBuilders.boolQuery()
-        query.filter(QueryBuilders.termsQuery("$METADATA_TAG.$TENANT_TAG", tenant))
         if (access.isNotEmpty()) {
             query.filter(QueryBuilders.termsQuery("$METADATA_TAG.$ACCESS_LIST_TAG", access))
         }

diff --git a/...otifications/src/main/kotlin/org/opensearch/notifications/index/NotificationEventIndex.kt b/...otifications/src/main/kotlin/org/opensearch/notifications/index/NotificationEventIndex.kt
@@ -44,7 +44,6 @@ import org.opensearch.common.unit.TimeValue
 import org.opensearch.common.xcontent.LoggingDeprecationHandler
 import org.opensearch.common.xcontent.NamedXContentRegistry
 import org.opensearch.common.xcontent.XContentType
-import org.opensearch.commons.notifications.NotificationConstants.TENANT_TAG
 import org.opensearch.commons.notifications.action.GetNotificationEventRequest
 import org.opensearch.commons.notifications.model.NotificationEventInfo
 import org.opensearch.commons.notifications.model.NotificationEventSearchResult
@@ -92,7 +91,6 @@ internal object NotificationEventIndex : EventOperations {
                 searchHit.id,
                 doc.metadata.lastUpdateTime,
                 doc.metadata.createdTime,
-                doc.metadata.tenant,
                 doc.event
             )
         }
@@ -213,7 +211,6 @@ internal object NotificationEventIndex : EventOperations {
      * {@inheritDoc}
      */
     override fun getAllNotificationEvents(
-        tenant: String,
         access: List<String>,
         request: GetNotificationEventRequest
     ): NotificationEventSearchResult {
@@ -224,7 +221,6 @@ internal object NotificationEventIndex : EventOperations {
             .size(request.maxItems)
             .from(request.fromIndex)
         val query = QueryBuilders.boolQuery()
-        query.filter(QueryBuilders.termsQuery("$METADATA_TAG.$TENANT_TAG", tenant))
         if (access.isNotEmpty()) {
             query.filter(QueryBuilders.termsQuery("$METADATA_TAG.$ACCESS_LIST_TAG", access))
         }

diff --git a/...fications/notifications/src/main/kotlin/org/opensearch/notifications/model/DocMetadata.kt b/...fications/notifications/src/main/kotlin/org/opensearch/notifications/model/DocMetadata.kt
@@ -31,11 +31,9 @@ import org.opensearch.common.xcontent.ToXContent
 import org.opensearch.common.xcontent.XContentBuilder
 import org.opensearch.common.xcontent.XContentParser
 import org.opensearch.common.xcontent.XContentParserUtils
-import org.opensearch.commons.notifications.NotificationConstants.TENANT_TAG
 import org.opensearch.commons.notifications.NotificationConstants.UPDATED_TIME_TAG
 import org.opensearch.commons.utils.logger
 import org.opensearch.commons.utils.stringList
-import org.opensearch.notifications.security.UserAccessManager.DEFAULT_TENANT
 import java.time.Instant
 
 /**
@@ -44,8 +42,7 @@ import java.time.Instant
 data class DocMetadata(
     val lastUpdateTime: Instant,
     val createdTime: Instant,
-    val tenant: String,
-    val access: List<String> // "User:user", "Role:sample_role", "BERole:sample_backend_role"
+    val access: List<String>
 ) : ToXContent {
     companion object {
         private val log by logger(DocMetadata::class.java)
@@ -61,7 +58,6 @@ data class DocMetadata(
         fun parse(parser: XContentParser): DocMetadata {
             var lastUpdateTime: Instant? = null
             var createdTime: Instant? = null
-            var tenant: String? = null
             var access: List<String> = listOf()
             XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_OBJECT, parser.currentToken(), parser)
             while (XContentParser.Token.END_OBJECT != parser.nextToken()) {
@@ -70,7 +66,6 @@ data class DocMetadata(
                 when (fieldName) {
                     UPDATED_TIME_TAG -> lastUpdateTime = Instant.ofEpochMilli(parser.longValue())
                     CREATED_TIME_TAG -> createdTime = Instant.ofEpochMilli(parser.longValue())
-                    TENANT_TAG -> tenant = parser.text()
                     ACCESS_LIST_TAG -> access = parser.stringList()
                     else -> {
                         parser.skipChildren()
@@ -80,11 +75,9 @@ data class DocMetadata(
             }
             lastUpdateTime ?: throw IllegalArgumentException("$UPDATED_TIME_TAG field absent")
             createdTime ?: throw IllegalArgumentException("$CREATED_TIME_TAG field absent")
-            tenant = tenant ?: DEFAULT_TENANT
             return DocMetadata(
                 lastUpdateTime,
                 createdTime,
-                tenant,
                 access
             )
         }
@@ -97,7 +90,6 @@ data class DocMetadata(
         return builder!!.startObject()
             .field(UPDATED_TIME_TAG, lastUpdateTime.toEpochMilli())
             .field(CREATED_TIME_TAG, createdTime.toEpochMilli())
-            .field(TENANT_TAG, tenant)
             .field(ACCESS_LIST_TAG, access)
             .endObject()
     }

diff --git a/...cations/notifications/src/main/kotlin/org/opensearch/notifications/security/UserAccess.kt b/...cations/notifications/src/main/kotlin/org/opensearch/notifications/security/UserAccess.kt
@@ -31,22 +31,10 @@ import org.opensearch.commons.authuser.User
 interface UserAccess {
     /**
      * Validate User if eligible to do operation
-     * If filterBy == NoFilter
-     *  -> No validation
-     * If filterBy == User
-     *  -> User name should be present
-     * If filterBy == Roles
-     *  -> roles should be present
-     * If filterBy == BackendRoles
-     *  -> backend roles should be present
+     * If filter by BackendRoles is enabled then backend roles should be present
      */
     fun validateUser(user: User?)
 
-    /**
-     * Get tenant info from user object.
-     */
-    fun getUserTenant(user: User?): String
-
     /**
      * Get all user access info from user object.
      */
@@ -60,10 +48,5 @@ interface UserAccess {
     /**
      * validate if user has access based on given access list
      */
-    fun doesUserHasAccess(user: User?, tenant: String, access: List<String>): Boolean
-
-    /**
-     * Check if user has all info access.
-     */
-    fun hasAllInfoAccess(user: User?): Boolean
+    fun doesUserHasAccess(user: User?, access: List<String>): Boolean
 }