Merge branch 'main' into downgrade-gradle

Signed-off-by: Peter Nied <[email protected]>

Author: peternied

.github/workflows/ci.yml

@@ -47,17 +47,6 @@ jobs:
         restore-keys: |
           ${{ runner.os }}-gradle-
 
-
-    - name: Checkstyle
-      run: ./gradlew clean checkstyleMain checkstyleTest
-
-    - name: Set up JDK for test
-      if: matrix.jdk == 17 
-      uses: actions/setup-java@v2
-      with:
-        distribution: temurin # Temurin is a distribution of adoptium
-        java-version: ${{ matrix.jdk }}
-
     - name: Run Tests
       run: ./gradlew clean build -Dbuild.snapshot=false -x test
 

build.gradle

@@ -341,8 +341,6 @@ bundle.doLast() {
 
 tasks.assemble.dependsOn(bundle)
 tasks.bundle.dependsOn(createPluginDescriptor)
-tasks.assemble.dependsOn(bundleSecurityAdminStandalone)
-tasks.assemble.dependsOn(bundleSecurityAdminStandaloneTarGz)
 
 clean {
     delete 'data/'

release-notes/opensearch-security.release-notes-1.3.0.0.md

@@ -0,0 +1,48 @@
+## 2022-03-15 Version 1.3.0.0
+
+Compatible with OpenSearch 1.3.0
+
+### Enhancements
+
+* Adds CI support for Java 8, 11 and 14 ([#1580](https://github.com/opensearch-project/security/pull/1580))
+* Updates the test retry-count to give flaky tests more chances to pass ([#1601](https://github.com/opensearch-project/security/pull/1601))
+* Adds support for OPENSEARCH_JAVA_HOME ([#1603](https://github.com/opensearch-project/security/pull/1603))
+* Adds auto delete workflow for backport branches ([#1604](https://github.com/opensearch-project/security/pull/1604))
+* Create the plugin-descriptor programmatically ([#1623](https://github.com/opensearch-project/security/pull/1623))
+* Add test to make sure exception causes aren't sent to callers ([#1639](https://github.com/opensearch-project/security/pull/1639))
+* Switch gradle to info logging for improved test debugging ([#1646](https://github.com/opensearch-project/security/pull/1646))
+* Remove artifact step from CI workflow ([#1645](https://github.com/opensearch-project/security/pull/1645))
+* Adds ssl script ([#1530](https://github.com/opensearch-project/security/pull/1530))
+* Adds Java-17 to CI matrix ([#1609](https://github.com/opensearch-project/security/pull/1609))
+* Reverts ssl script PR ([#1637](https://github.com/opensearch-project/security/pull/1637))
+* Remove java17 from 1.3 build matrix ([#1668](https://github.com/opensearch-project/security/pull/1668))
+
+### Bug fixes
+
+* Bumps JJWT version ([#1589](https://github.com/opensearch-project/security/pull/1589))
+* Updates backport workflow with custom branch and github app ([#1597](https://github.com/opensearch-project/security/pull/1597))
+* Always run checks on PRs ([#1615](https://github.com/opensearch-project/security/pull/1615))
+* Adds 'opens' command-line argument for java.io libraries to unblock build ([#1616](https://github.com/opensearch-project/security/pull/1616))
+* Adds jacoco report and pass the location to codecov ([#1617](https://github.com/opensearch-project/security/pull/1617))
+* Fixes the settings of roles_separator ([#1618](https://github.com/opensearch-project/security/pull/1618))
+* Use standard opensearch.version property ([#1622](https://github.com/opensearch-project/security/pull/1622))
+
+
+### Maintenance
+
+* Updates bug template ([#1582](https://github.com/opensearch-project/security/pull/1582))
+* Updates jackson-databind library version ([#1584](https://github.com/opensearch-project/security/pull/1584))
+* Upgrades Kafka version ([#1598](https://github.com/opensearch-project/security/pull/1598))
+* Upgrades Guava version ([#1594](https://github.com/opensearch-project/security/pull/1594))
+* Update maintainers list ([#1607](https://github.com/opensearch-project/security/pull/1607))
+* Exclude velocity 1.7 from OpenSAML dependency ([#1606](https://github.com/opensearch-project/security/pull/1606))
+* Migrate build system to gradle ([#1592](https://github.com/opensearch-project/security/pull/1592))
+* Updates documentation for practices for maintainers ([#1611](https://github.com/opensearch-project/security/pull/1611))
+* Remove jcenter repository ([#1625](https://github.com/opensearch-project/security/pull/1625))
+* Remove '-SNAPSHOT' from opensearch.version in plugin descriptor ([#1634](https://github.com/opensearch-project/security/pull/1634))
+* Add git ignore for VScode IDE settings ([#1629](https://github.com/opensearch-project/security/pull/1629))
+* Remove netty-tcnative dependency to unblock security plugin build on ARM64 ([#1649](https://github.com/opensearch-project/security/pull/1649))
+* Add plugin-descriptor.properties to .gitignore ([#1651](https://github.com/opensearch-project/security/pull/1651))
+* Removes Github DCO action as it is replaced by Github app ([1657](https://github.com/opensearch-project/security/pull/1657))
+* Configure ML reserved roles and system indices ([#1662](https://github.com/opensearch-project/security/pull/1662))
+* Release Notes for 1.3.0.0 ([#1671](https://github.com/opensearch-project/security/pull/1671))

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -57,6 +57,8 @@
 import org.opensearch.security.dlic.rest.api.SecurityRestApiActions;
 import org.opensearch.security.filter.SecurityRestFilter;
 import org.opensearch.security.http.SecurityHttpServerTransport;
+import org.opensearch.security.rest.SecurityConfigUpdateAction;
+import org.opensearch.security.rest.SecurityWhoAmIAction;
 import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
 import org.opensearch.security.ssl.rest.SecuritySSLReloadCertsAction;
 import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction;
@@ -108,6 +110,7 @@
 import org.opensearch.index.IndexModule;
 import org.opensearch.index.cache.query.QueryCache;
 import org.opensearch.index.shard.SearchOperationListener;
+import org.opensearch.indices.IndicesService;
 import org.opensearch.indices.SystemIndexDescriptor;
 import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.plugins.ClusterPlugin;
@@ -459,7 +462,8 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
                 handlers.add(new DashboardsInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool)));
                 handlers.add(new TenantInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool),
 				Objects.requireNonNull(cs), Objects.requireNonNull(adminDns), Objects.requireNonNull(cr)));
-
+                handlers.add(new SecurityConfigUpdateAction(settings, restController,Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
+                handlers.add(new SecurityWhoAmIAction(settings ,restController,Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
                 if (sslCertReloadEnabled) {
                     handlers.add(new SecuritySSLReloadCertsAction(settings, restController, sks, Objects.requireNonNull(threadPool), Objects.requireNonNull(adminDns)));
                 }
@@ -776,7 +780,7 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
             auditLog = new NullAuditLog();
             privilegesInterceptor = new PrivilegesInterceptor(resolver, clusterService, localClient, threadPool);
         } else {
-            dlsFlsValve = new DlsFlsValveImpl();
+            dlsFlsValve = new DlsFlsValveImpl(settings, localClient, clusterService, resolver, xContentRegistry, threadPool.getThreadContext());
             auditLog = new AuditLogImpl(settings, configPath, localClient, threadPool, resolver, clusterService, environment);
             privilegesInterceptor = new PrivilegesInterceptorImpl(resolver, clusterService, localClient, threadPool);
         }
@@ -795,10 +799,10 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
         // DLS-FLS is enabled if not client and not disabled and not SSL only.
         final boolean dlsFlsEnabled = !SSLConfig.isSslOnlyMode();
         evaluator = new PrivilegesEvaluator(clusterService, threadPool, cr, resolver, auditLog,
-                settings, privilegesInterceptor, cih, irr, dlsFlsEnabled);
-
-        sf = new SecurityFilter(localClient, settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr, backendRegistry);
+                settings, privilegesInterceptor, cih, irr, dlsFlsEnabled, namedXContentRegistry);
 
+        sf = new SecurityFilter(localClient, settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr, backendRegistry, namedXContentRegistry);
+                
         final String principalExtractorClass = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null);
 
         if(principalExtractorClass == null) {
@@ -1122,12 +1126,14 @@ public static class GuiceHolder implements LifecycleComponent {
 
         private static RepositoriesService repositoriesService;
         private static RemoteClusterService remoteClusterService;
+        private static IndicesService indicesService;
 
         @Inject
         public GuiceHolder(final RepositoriesService repositoriesService,
-                final TransportService remoteClusterService) {
+                final TransportService remoteClusterService, IndicesService indicesService) {
             GuiceHolder.repositoriesService = repositoriesService;
             GuiceHolder.remoteClusterService = remoteClusterService.getRemoteClusterService();
+            GuiceHolder.indicesService = indicesService;
         }
 
         public static RepositoriesService getRepositoriesService() {
@@ -1138,6 +1144,10 @@ public static RemoteClusterService getRemoteClusterService() {
             return remoteClusterService;
         }
 
+        public static IndicesService getIndicesService() {
+            return indicesService;
+        }
+        
         @Override
         public void close() {
         }

src/main/java/org/opensearch/security/action/configupdate/ConfigUpdateNodeResponse.java

@@ -37,8 +37,10 @@
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.common.io.stream.StreamInput;
 import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.common.xcontent.ToXContentObject;
+import org.opensearch.common.xcontent.XContentBuilder;
 
-public class ConfigUpdateNodeResponse extends BaseNodeResponse {
+public class ConfigUpdateNodeResponse extends BaseNodeResponse implements ToXContentObject {
 
     private String[] updatedConfigTypes;
     private String message;
@@ -78,4 +80,14 @@ public void writeTo(StreamOutput out) throws IOException {
     public String toString() {
         return "ConfigUpdateNodeResponse [updatedConfigTypes=" + Arrays.toString(updatedConfigTypes) + ", message=" + message + "]";
     }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject();
+        builder.field("updated_config_types", updatedConfigTypes);
+        builder.field("updated_config_size", updatedConfigTypes == null ? 0: updatedConfigTypes.length);
+        builder.field("message", message);
+        builder.endObject();
+        return builder;
+    }
 }

src/main/java/org/opensearch/security/action/configupdate/ConfigUpdateResponse.java

@@ -38,13 +38,15 @@
 import org.opensearch.cluster.ClusterName;
 import org.opensearch.common.io.stream.StreamInput;
 import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.common.xcontent.ToXContentObject;
+import org.opensearch.common.xcontent.XContentBuilder;
 
-public class ConfigUpdateResponse extends BaseNodesResponse<ConfigUpdateNodeResponse> {
+public class ConfigUpdateResponse extends BaseNodesResponse<ConfigUpdateNodeResponse> implements ToXContentObject {
 
     public ConfigUpdateResponse(StreamInput in) throws IOException {
         super(in);
     }
-    
+
     public ConfigUpdateResponse(final ClusterName clusterName, List<ConfigUpdateNodeResponse> nodes, List<FailedNodeException> failures) {
         super(clusterName, nodes, failures);
     }
@@ -58,4 +60,16 @@ public List<ConfigUpdateNodeResponse> readNodesFrom(final StreamInput in) throws
     public void writeNodesTo(final StreamOutput out, List<ConfigUpdateNodeResponse> nodes) throws IOException {
         out.writeList(nodes);
     }
+
+	@Override
+	public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+		builder.startObject("configupdate_response");
+		builder.field("nodes", getNodesMap());
+		builder.field("node_size", getNodes().size());
+		builder.field("has_failures", hasFailures());
+		builder.field("failures_size", failures().size());
+		builder.endObject();
+
+		return builder;
+	}
 }