Rename auth failure listeners & add permission support (#4713)

Signed-off-by: Derek Ho <[email protected]> Signed-off-by: tmanninger <[email protected]>
opensearch-project · Sep 24, 2024 · 06113e2 · 06113e2
1 parent b668f51
commit 06113e2
Show file tree

Hide file tree

Showing 8 changed files with 14 additions and 22 deletions.
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java b/src/main/java/org/opensearch/security/dlic/rest/api/Endpoint.java
@@ -24,7 +24,7 @@ public enum Endpoint {
     PERMISSIONSINFO,
     AUTHTOKEN,
     TENANTS,
-    AUTHFAILURELISTENERS,
+    RATELIMITERS,
     MIGRATE,
     VALIDATE,
     WHITELIST,

diff --git a/...st/api/AuthFailureListenersApiAction.java → .../dlic/rest/api/RateLimitersApiAction.java b/...st/api/AuthFailureListenersApiAction.java → .../dlic/rest/api/RateLimitersApiAction.java
@@ -50,7 +50,7 @@
 import static org.opensearch.security.securityconf.impl.v7.ConfigV7.MAX_TRACKED_CLIENTS_DEFAULT;
 import static org.opensearch.security.securityconf.impl.v7.ConfigV7.TIME_WINDOW_SECONDS_DEFAULT;
 
-public class AuthFailureListenersApiAction extends AbstractApiAction {
+public class RateLimitersApiAction extends AbstractApiAction {
 
     public static final String IP_TYPE = "ip";
 
@@ -75,18 +75,14 @@ public class AuthFailureListenersApiAction extends AbstractApiAction {
         )
     );
 
-    protected AuthFailureListenersApiAction(
-        ClusterService clusterService,
-        ThreadPool threadPool,
-        SecurityApiDependencies securityApiDependencies
-    ) {
-        super(Endpoint.AUTHFAILURELISTENERS, clusterService, threadPool, securityApiDependencies);
+    protected RateLimitersApiAction(ClusterService clusterService, ThreadPool threadPool, SecurityApiDependencies securityApiDependencies) {
+        super(Endpoint.RATELIMITERS, clusterService, threadPool, securityApiDependencies);
         this.requestHandlersBuilder.configureRequestHandlers(this::authFailureConfigApiRequestHandlers);
     }
 
     @Override
     public String getName() {
-        return "Auth failure listener actions to Retrieve / Update configs.";
+        return "Rate limiter actions to retrieve / update configs.";
     }
 
     @Override

diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
@@ -66,6 +66,7 @@ default String build() {
         .put(Endpoint.CONFIG, action -> buildEndpointActionPermission(Endpoint.CONFIG, action))
         .put(Endpoint.INTERNALUSERS, action -> buildEndpointPermission(Endpoint.INTERNALUSERS))
         .put(Endpoint.NODESDN, action -> buildEndpointPermission(Endpoint.NODESDN))
+        .put(Endpoint.RATELIMITERS, action -> buildEndpointPermission(Endpoint.RATELIMITERS))
         .put(Endpoint.ROLES, action -> buildEndpointPermission(Endpoint.ROLES))
         .put(Endpoint.ROLESMAPPING, action -> buildEndpointPermission(Endpoint.ROLESMAPPING))
         .put(Endpoint.TENANTS, action -> buildEndpointPermission(Endpoint.TENANTS))
@@ -98,13 +99,6 @@ public boolean isCurrentUserAdminFor(final Endpoint endpoint, final String actio
             return false;
         }
         if (adminDNs.isAdmin(userAndRemoteAddress.getLeft())) {
-            if (logger.isDebugEnabled()) {
-                logger.debug(
-                    "Security admin permissions required for endpoint {} but {} is not an admin",
-                    endpoint,
-                    userAndRemoteAddress.getLeft().getName()
-                );
-            }
             return true;
         }
         if (!ENDPOINTS_WITH_PERMISSIONS.containsKey(endpoint)) {

diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java
@@ -97,7 +97,7 @@ public static Collection<RestHandler> getHandler(
             new AllowlistApiAction(Endpoint.ALLOWLIST, clusterService, threadPool, securityApiDependencies),
             new AuditApiAction(clusterService, threadPool, securityApiDependencies),
             new MultiTenancyConfigApiAction(clusterService, threadPool, securityApiDependencies),
-            new AuthFailureListenersApiAction(clusterService, threadPool, securityApiDependencies),
+            new RateLimitersApiAction(clusterService, threadPool, securityApiDependencies),
             new ConfigUpgradeApiAction(clusterService, threadPool, securityApiDependencies),
             new SecuritySSLCertsApiAction(clusterService, threadPool, securityKeyStore, certificatesReloadEnabled, securityApiDependencies),
             new CertificatesApiAction(clusterService, threadPool, securityApiDependencies)

diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
@@ -145,7 +145,8 @@ protected List<String> restApiAdminPermissions() {
             "restapi:admin/rolesmapping",
             "restapi:admin/ssl/certs/info",
             "restapi:admin/ssl/certs/reload",
-            "restapi:admin/tenants"
+            "restapi:admin/tenants",
+            "restapi:admin/ratelimiters"
         );
     }
 

diff --git a/...pi/AuthFailureListenersApiActionTest.java → ...c/rest/api/RateLimitersApiActionTest.java b/...pi/AuthFailureListenersApiActionTest.java → ...c/rest/api/RateLimitersApiActionTest.java
@@ -21,7 +21,7 @@
 import static org.hamcrest.core.IsEqual.equalTo;
 import static org.hamcrest.core.StringContains.containsString;
 
-public class AuthFailureListenersApiActionTest extends AbstractRestApiUnitTest {
+public class RateLimitersApiActionTest extends AbstractRestApiUnitTest {
 
     private static final Header ADMIN_FULL_ACCESS_USER = encodeBasicHeader("admin_all_access", "admin_all_access");
     private static final Header USER_NO_REST_API_ACCESS = encodeBasicHeader("admin", "admin");

diff --git a/...lureListenersApiActionValidationTest.java → .../RateLimitersApiActionValidationTest.java b/...lureListenersApiActionValidationTest.java → .../RateLimitersApiActionValidationTest.java
@@ -27,11 +27,11 @@
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
-public class AuthFailureListenersApiActionValidationTest extends AbstractApiActionValidationTest {
+public class RateLimitersApiActionValidationTest extends AbstractApiActionValidationTest {
 
     @Test
     public void validateAllowedFields() throws IOException {
-        final var authFailureListenerApiActionRequestContentValidator = new AuthFailureListenersApiAction(
+        final var authFailureListenerApiActionRequestContentValidator = new RateLimitersApiAction(
             clusterService,
             threadPool,
             securityApiDependencies

diff --git a/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java b/src/test/java/org/opensearch/security/dlic/rest/validation/EndpointValidatorTest.java
@@ -405,7 +405,8 @@ private List<String> restAdminPermissions() {
             "restapi:admin/rolesmapping",
             "restapi:admin/ssl/certs/info",
             "restapi:admin/ssl/certs/reload",
-            "restapi:admin/tenants"
+            "restapi:admin/tenants",
+            "restapi:admin/ratelimiters"
         );
     }