honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-04-04 06:18:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java

97 lines
4.3 KiB
Java
Raw Normal View History

Added document and field level security This commit adds document and field level security to Shield. Field level security can be enabled by adding the `fields` option to a role in the `role.yml` file. For example: ```yaml customer_care: indices: '*': privileges: read fields: - issue_id - description - customer_handle - customer_email - customer_address - customer_phone ``` The `fields` list is an inclusive list of fields that controls what fields should be accessible for that role. By default all meta fields (_uid, _type, _source, _ttl etc) are also included, otherwise ES or specific features stop working. The `_all` field if configured, isn't included by default, since that actually contains data from all the other fields. If the `_all` field is required then this needs to be added to the `fields` list in a role. In the case of the content of the `_source` field and `_field_names` there is special filtering in place so that only the content relevant for the role are being returned. If no `fields` is specified then field level security is disabled for that role and all fields in an index are accessible. Field level security can be setup per index group. Field level security is implemented at the Lucene level by wrapping a directory index reader and hides fields away that aren't in the `field` list defined with the role of the current user. It as if the other fields never existed. * Any `realtime` read operation from the translog is disabled. Instead this operations fall back to the Lucene index, which makes these operations compatible with field level security, but there aren't realtime. * If user with role A executes first and the result gets cached and then a user with role B executes the same query results from the query executed with role A would be returned. This is bad and therefore the query cache is disabled. * For the same reason the request cache is also disabled. * The update API is blocked. An update request needs to be executed via a role that doesn't have field level security enabled. Document level security can be enabled by adding the `query` option to a role in the `role.yml` file: ```yaml customer_care: indices: '*': privileges: read query: term: department_id: 12 ``` Document level security is implemented as a filter that filters out documents there don't match with the query. This is like index aliases, but better, because the role query is embedded on the lowest level possible in ES (Engine level) and on all places the acquire an IndexSearcher the role query will always be included. While alias filters are applied at a higher level (after the searcher has been acquired) Document level security can be setup per index group. Right now like alias filters the document level security isn't applied on all APIs. Like for example the get api, term vector api, which ignore the alias filter. These apis do acquire an IndexSearcher, but don't use the IndexSearcher itself and directly use the index reader to access the inverted index and there for bypassing the role query. If it is required to these apis need document level security too the the implementation for document level security needs to change. Closes elastic/elasticsearch#341 Original commit: elastic/x-pack-elasticsearch@fac085dca6c3e1957eae0cf13d86ba93d20107c1
2015-08-27 17:53:10 +02:00
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.integration;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequestBuilder;
import org.elasticsearch.action.index.IndexRequestBuilder;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.shield.authc.support.Hasher;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.test.ShieldIntegTestCase;
import java.util.ArrayList;
import java.util.List;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.hamcrest.Matchers.equalTo;
/**
*/
public class DocumentLevelSecurityRandomTests extends ShieldIntegTestCase {
protected static final SecuredString USERS_PASSWD = new SecuredString("change_me".toCharArray());
protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("change_me".toCharArray())));
// can't add a second test method, because each test run creates a new instance of this class and that will will result
// in a new random value:
private final int numberOfRoles = scaledRandomIntBetween(3, 99);
@Override
protected String configUsers() {
StringBuilder builder = new StringBuilder(super.configUsers());
for (int i = 1; i <= numberOfRoles; i++) {
builder.append("user").append(i).append(':').append(USERS_PASSWD_HASHED).append('\n');
}
return builder.toString();
}
@Override
protected String configUsersRoles() {
StringBuilder builder = new StringBuilder(super.configUsersRoles());
for (int i = 1; i <= numberOfRoles; i++) {
builder.append("role").append(i).append(":user").append(i).append('\n');
}
return builder.toString();
}
@Override
protected String configRoles() {
StringBuilder builder = new StringBuilder(super.configRoles());
builder.append('\n');
for (int i = 1; i <= numberOfRoles; i++) {
builder.append("role").append(i).append(":\n");
builder.append(" cluster: all\n");
builder.append(" indices:\n");
builder.append(" '*':\n");
builder.append(" privileges: ALL\n");
builder.append(" query: \n");
builder.append(" term: \n");
builder.append(" field1: value").append(i).append('\n');
}
return builder.toString();
}
public void testDuelWithAliasFilters() throws Exception {
assertAcked(client().admin().indices().prepareCreate("test")
.addMapping("type1", "field1", "type=string", "field2", "type=string")
);
List<IndexRequestBuilder> requests = new ArrayList<>(numberOfRoles);
IndicesAliasesRequestBuilder builder = client().admin().indices().prepareAliases();
for (int i = 1; i <= numberOfRoles; i++) {
String value = "value" + i;
requests.add(client().prepareIndex("test", "type1", value).setSource("field1", value));
builder.addAlias("test", "alias" + i, QueryBuilders.termQuery("field1", value));
}
indexRandom(true, requests);
builder.get();
for (int roleI = 1; roleI <= numberOfRoles; roleI++) {
SearchResponse searchResponse1 = client().prepareSearch("test")
.putHeader(BASIC_AUTH_HEADER, basicAuthHeaderValue("user" + roleI, USERS_PASSWD))
.get();
SearchResponse searchResponse2 = client().prepareSearch("alias" + roleI).get();
assertThat(searchResponse1.getHits().getTotalHits(), equalTo(searchResponse2.getHits().getTotalHits()));
for (int hitI = 0; hitI < searchResponse1.getHits().getHits().length; hitI++) {
assertThat(searchResponse1.getHits().getAt(hitI).getId(), equalTo(searchResponse2.getHits().getAt(hitI).getId()));
}
}
}
}
Reference in New Issue Copy Permalink