Merge branch 'main' into extension-tls

build.gradle

@@ -52,9 +52,9 @@ plugins {
     id 'idea'
     id 'jacoco'
     id 'maven-publish'
-    id 'com.diffplug.spotless' version '6.16.0'
+    id 'com.diffplug.spotless' version '6.18.0'
     id 'checkstyle'
-    id 'com.netflix.nebula.ospackage' version "11.0.0"
+    id 'com.netflix.nebula.ospackage' version "11.1.0"
     id "org.gradle.test-retry" version "1.5.2"
     id 'eclipse'
     id "com.github.spotbugs" version "5.0.14"

release-notes/opensearch-security.release-notes-2.6.0.0.md

@@ -7,6 +7,7 @@ Compatible with OpenSearch 2.6.0
 * Add actions cluster:admin/component_template/* to cluster_manage_index_templates ([#2409](https://github.com/opensearch-project/security/pull/2409))
 * Publish snapshots to maven ([#2438](https://github.com/opensearch-project/security/pull/2438))
 * Integrate k-NN functionality with security plugin ([#2274](https://github.com/opensearch-project/security/pull/2274))
+* Flatten response times ([#2471](https://github.com/opensearch-project/security/pull/2471))
 
 ### Maintenance
 

release-notes/opensearch-security.release-notes-2.7.0.0.md

@@ -0,0 +1,43 @@
+## 2023-04-25 Version 2.7.0.0
+
+Compatible with OpenSearch 2.7.0
+
+### Features
+
+* Dynamic tenancy configurations ([#2607](https://github.com/opensearch-project/security/pull/2607))
+
+### Bug Fixes
+
+* Support multitenancy for the anonymous user ([#2459](https://github.com/opensearch-project/security/pull/2459))
+* Fix error message when system index is blocked ([#2525](https://github.com/opensearch-project/security/pull/2525))
+* Fix of OpenSSLTest is not using the OpenSSL Provider ([#2301](https://github.com/opensearch-project/security/pull/2301))
+* Add chmod 0600 to install_demo_configuration bash script ([#2550](https://github.com/opensearch-project/security/pull/2550))
+* Fix SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder" ([#2564](https://github.com/opensearch-project/security/pull/2564))
+* Fix lost privileges during auto initializing of the index ([#2498](https://github.com/opensearch-project/security/pull/2498))
+* Fix NPE and add additional graceful error handling ([#2687](https://github.com/opensearch-project/security/pull/2687))
+
+### Enhancements
+
+* Clock skew tolerance for oidc token validation ([#2482](https://github.com/opensearch-project/security/pull/2482))
+* Adding index template permissions to kibana_server role ([#2503](https://github.com/opensearch-project/security/pull/2503))
+* Add a test in order to catch incorrect handling of index parsing during Snapshot Restoration ([#2384](https://github.com/opensearch-project/security/pull/2384))
+* Expand Dls Tests for easier verification of functionality ([#2634](https://github.com/opensearch-project/security/pull/2634))
+* New system index[.ql-datasources] for ppl/sql datasource configurations ([#2650](https://github.com/opensearch-project/security/pull/2650))
+* Allows for configuration of LDAP referral following ([#2135](https://github.com/opensearch-project/security/pull/2135))
+
+### Maintenance
+
+* Update kafka client to 3.4.0 ([#2484](https://github.com/opensearch-project/security/pull/2484))
+* Update to gradle 8.0.2 ([#2520](https://github.com/opensearch-project/security/pull/2520))
+* XContent Refactor ([#2598](https://github.com/opensearch-project/security/pull/2598))
+* Update json-smart to 2.4.10 and update spring-core to 5.3.26 ([#2630](https://github.com/opensearch-project/security/pull/2630))
+* Update certs for SecuritySSLReloadCertsActionTests ([#2679](https://github.com/opensearch-project/security/pull/2679))
+
+### Infrastructure
+
+* Add auto github release workflow ([#2450](https://github.com/opensearch-project/security/pull/2450))
+* Use correct format for push trigger ([#2474](https://github.com/opensearch-project/security/pull/2474))
+
+### Documentation
+
+* Fix the format of the codeowners file ([#2469](https://github.com/opensearch-project/security/pull/2469))

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -45,6 +45,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.BiFunction;
 import java.util.function.Function;
 import java.util.function.Predicate;
@@ -98,7 +99,6 @@
 import org.opensearch.index.Index;
 import org.opensearch.index.IndexModule;
 import org.opensearch.index.cache.query.QueryCache;
-import org.opensearch.index.shard.SearchOperationListener;
 import org.opensearch.indices.IndicesService;
 import org.opensearch.indices.SystemIndexDescriptor;
 import org.opensearch.indices.breaker.CircuitBreakerService;
@@ -165,6 +165,7 @@
 import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.GuardedSearchOperationWrapper;
 import org.opensearch.security.support.HeaderHelper;
 import org.opensearch.security.support.ModuleInfo;
 import org.opensearch.security.support.ReflectionHelper;
@@ -215,7 +216,7 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private final List<String> demoCertHashes = new ArrayList<String>(3);
     private volatile SecurityFilter sf;
     private volatile IndexResolverReplacer irr;
-    private volatile NamedXContentRegistry namedXContentRegistry = null;
+    private final AtomicReference<NamedXContentRegistry> namedXContentRegistry = new AtomicReference<>(NamedXContentRegistry.EMPTY);;
     private volatile DlsFlsRequestValve dlsFlsValve = null;
     private volatile Salt salt;
     private volatile OpensearchDynamicSetting<Boolean> transportPassiveAuthSetting;
@@ -569,11 +570,11 @@ public Weight doCache(Weight weight, QueryCachingPolicy policy) {
                 }
             });
 
-            indexModule.addSearchOperationListener(new SearchOperationListener() {
+            indexModule.addSearchOperationListener(new GuardedSearchOperationWrapper() {
 
                 @Override
                 public void onPreQueryPhase(SearchContext context) {
-                    dlsFlsValve.handleSearchContext(context, threadPool, namedXContentRegistry);
+                    dlsFlsValve.handleSearchContext(context, threadPool, namedXContentRegistry.get());
                 }
 
                 @Override
@@ -643,7 +644,7 @@ public void onQueryPhase(SearchContext searchContext, long tookInNanos) {
                         }
                     }
                 }
-            });
+            }.toListener());
         }
     }
 
@@ -798,6 +799,7 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
 
         final PrivilegesInterceptor privilegesInterceptor;
 
+        namedXContentRegistry.set(xContentRegistry);
         if (SSLConfig.isSslOnlyMode()) {
             dlsFlsValve = new DlsFlsRequestValve.NoopDlsFlsRequestValve();
             auditLog = new NullAuditLog();
@@ -822,7 +824,7 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
         // DLS-FLS is enabled if not client and not disabled and not SSL only.
         final boolean dlsFlsEnabled = !SSLConfig.isSslOnlyMode();
         evaluator = new PrivilegesEvaluator(clusterService, threadPool, cr, resolver, auditLog,
-                settings, privilegesInterceptor, cih, irr, dlsFlsEnabled, namedXContentRegistry);
+                settings, privilegesInterceptor, cih, irr, dlsFlsEnabled, namedXContentRegistry.get());
 
         sf = new SecurityFilter(settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr, xffResolver);
 

src/main/java/org/opensearch/security/support/GuardedSearchOperationWrapper.java

@@ -0,0 +1,85 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.support;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import org.opensearch.index.shard.SearchOperationListener;
+import org.opensearch.search.internal.ReaderContext;
+import org.opensearch.search.internal.SearchContext;
+import org.opensearch.transport.TransportRequest;
+
+/**
+ * Guarded version of Search Operation Listener to ensure critical request paths succeed
+ */
+public interface GuardedSearchOperationWrapper {
+
+    static final Logger log = LogManager.getLogger(GuardedSearchOperationWrapper.class);
+
+    void onPreQueryPhase(final SearchContext context);
+
+    void onNewReaderContext(final ReaderContext readerContext);
+
+    void onNewScrollContext(final ReaderContext readerContext);
+
+    void validateReaderContext(final ReaderContext readerContext, final TransportRequest transportRequest);
+
+    void onQueryPhase(final SearchContext searchContext, final long tookInNanos);
+
+    default SearchOperationListener toListener() {
+        return new InnerSearchOperationListener(this);
+    }
+
+    static class InnerSearchOperationListener implements SearchOperationListener {
+
+        private GuardedSearchOperationWrapper that;
+        InnerSearchOperationListener(GuardedSearchOperationWrapper that) {
+            this.that = that;
+        }
+
+        @Override
+        public void onPreQueryPhase(final SearchContext searchContext) {
+            try {
+                that.onPreQueryPhase(searchContext);
+            } catch (final Exception e) {
+                searchContext.setTask(null);
+                log.error("Cancelled request due to internal error", e);
+            }
+        }
+
+        @Override
+        public void onNewReaderContext(final ReaderContext readerContext) {
+            that.onNewReaderContext(readerContext);
+        }
+
+        @Override
+        public void onNewScrollContext(final ReaderContext readerContext) {
+            that.onNewScrollContext(readerContext);
+        }
+
+        @Override
+        public void validateReaderContext(final ReaderContext readerContext, final TransportRequest transportRequest) {
+            that.validateReaderContext(readerContext, transportRequest);
+        }
+
+        @Override
+        public void onQueryPhase(final SearchContext searchContext, final long tookInNanos) {
+            try {
+                that.onQueryPhase(searchContext, tookInNanos);
+            } catch (final Exception e) {
+                searchContext.setTask(null);
+                log.error("Cancelled request due to internal error", e);
+            }
+        }
+    }
+}

src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java

@@ -53,17 +53,17 @@ public class SecuritySSLReloadCertsActionTests extends SingleClusterTest {
         "issuer_dn", "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com",
         "subject_dn", "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE",
             "san", "[[8, 1.2.3.4.5.5], [0, [2.5.4.3, node-1.example.com]], [2, node-1.example.com], [2, localhost], [7, 127.0.0.1]]",
-        "not_before", "2021-04-12T00:07:08Z",
-        "not_after", "2023-04-12T00:07:08Z"
+        "not_before", "2023-04-14T13:22:53Z",
+        "not_after", "2033-04-11T13:22:53Z"
         ));
 
     private final List<Map<String, String>> NEW_NODE_CERT_DETAILS = ImmutableList.of(
         ImmutableMap.of(
             "issuer_dn", "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com",
             "subject_dn", "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE",
             "san", "[[8, 1.2.3.4.5.5], [0, [2.5.4.3, node-1.example.com]], [2, node-1.example.com], [2, localhost], [7, 127.0.0.1]]",
-            "not_before", "2021-04-12T00:09:00Z",
-            "not_after", "2023-04-12T00:09:00Z"
+            "not_before", "2023-04-14T13:23:00Z",
+            "not_after", "2033-04-11T13:23:00Z"
         )
     );
 
@@ -264,7 +264,7 @@ private void initClusterWithTestCerts() throws Exception {
     private void initTestCluster(final String transportPemCertFilePath, final String transportPemKeyFilePath, final String httpPemCertFilePath, final String httpPemKeyFilePath, final boolean sslCertReload) throws Exception {
         final Settings settings = Settings.builder()
             .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, "CN=kirk,OU=client,O=client,L=Test,C=DE")
-            .putList(ConfigConstants.SECURITY_NODES_DN, "C=DE,L=Test,O=Test,OU=SSL,CN=node-1.example.com")
+            .putList(ConfigConstants.SECURITY_NODES_DN, "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE")
             .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
             .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
             .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)