WIP on Creating Kibana admin level that's different then write and allows settings to be updated

Signed-off-by: Craig Perkins <[email protected]>

Author: cwperks

src/main/java/org/opensearch/security/configuration/PrivilegesInterceptorImpl.java

@@ -32,6 +32,7 @@
 import org.opensearch.action.admin.indices.refresh.RefreshRequest;
 import org.opensearch.action.bulk.BulkRequest;
 import org.opensearch.action.delete.DeleteRequest;
+import org.opensearch.action.get.GetRequest;
 import org.opensearch.action.get.MultiGetRequest;
 import org.opensearch.action.get.MultiGetRequest.Item;
 import org.opensearch.action.index.IndexRequest;
@@ -141,13 +142,19 @@ public ReplaceResult replaceDashboardsIndex(
             && resolveToDashboardsIndexOrAlias(requestedResolved, dashboardsIndexName);
         final boolean isTraceEnabled = log.isTraceEnabled();
 
+
         TenantPrivileges.ActionType actionType = getActionTypeForAction(action);
 
         if (requestedTenant == null || requestedTenant.length() == 0) {
             if (isTraceEnabled) {
                 log.trace("No tenant, will resolve to " + dashboardsIndexName);
             }
 
+            // Intercept when request is dashboards user and request is to get advanced settings. No replacement.
+            if ("osd:admin/advanced_settings".equals(action)) {
+                return ACCESS_GRANTED_REPLACE_RESULT;
+            }
+
             if (dashboardsIndexOnly && !tenantPrivileges.hasTenantPrivilege(context, "global_tenant", actionType)) {
                 return ACCESS_DENIED_REPLACE_RESULT;
             }
@@ -199,6 +206,20 @@ public ReplaceResult replaceDashboardsIndex(
 
             final String tenantIndexName = toUserIndexName(dashboardsIndexName, requestedTenant);
 
+            System.out.println("tenantIndexName: " + tenantIndexName);
+            System.out.println("user: " + user);
+            System.out.println("action: " + action);
+            System.out.println("requestResolved: " + requestedResolved.getAllIndices());
+            if (request instanceof GetRequest gr) {
+                System.out.println("GetRequest: " + gr.id());
+            } else if (request instanceof SearchRequest sr) {
+                System.out.println("SearchRequest: " + sr.source().toString());
+            }
+            // Intercept when request is dashboards user and request is to get advanced settings
+            if ("osd:admin/advanced_settings".equals(action)) {
+                return newAccessGrantedReplaceResult(replaceIndex(request, dashboardsIndexName, tenantIndexName, action));
+            }
+
             // The new DLS/FLS implementation defaults to a "deny all" pattern in case no roles are configured
             // for an index. As the PrivilegeInterceptor grants access to indices bypassing index privileges,
             // we need to allow-list these indices.
@@ -233,7 +254,9 @@ private void applyDocumentAllowList(String indexName) {
     }
 
     static TenantPrivileges.ActionType getActionTypeForAction(String action) {
-        if (READ_ONLY_ALLOWED_ACTIONS.contains(action)) {
+        if ("osd:admin/advanced_settings".equals(action)) {
+            return TenantPrivileges.ActionType.ADMIN;
+        } else if (READ_ONLY_ALLOWED_ACTIONS.contains(action)) {
             return TenantPrivileges.ActionType.READ;
         } else {
             return TenantPrivileges.ActionType.WRITE;

src/main/java/org/opensearch/security/privileges/TenantPrivileges.java

@@ -50,7 +50,8 @@ public class TenantPrivileges {
      */
     public enum ActionType {
         READ,
-        WRITE;
+        WRITE,
+        ADMIN;
     }
 
     public static final TenantPrivileges EMPTY = new TenantPrivileges(
@@ -61,6 +62,7 @@ public enum ActionType {
 
     private static final List<ActionType> READ = ImmutableList.of(ActionType.READ);
     private static final List<ActionType> READ_WRITE = ImmutableList.of(ActionType.READ, ActionType.WRITE);
+    private static final List<ActionType> READ_WRITE_ADMIN = ImmutableList.of(ActionType.READ, ActionType.WRITE, ActionType.ADMIN);
 
     private static final Logger log = LogManager.getLogger(TenantPrivileges.class);
 
@@ -245,7 +247,9 @@ public Map<String, Boolean> tenantMap(PrivilegesEvaluationContext context) {
 
     static List<ActionType> resolveActionType(Collection<String> allowedActions, FlattenedActionGroups actionGroups) {
         ImmutableSet<String> permissions = actionGroups.resolve(allowedActions);
-        if (permissions.contains("kibana:saved_objects/*/write")) {
+        if (permissions.contains("osd:admin/advanced_settings")) {
+            return READ_WRITE_ADMIN;
+        } else if (permissions.contains("kibana:saved_objects/*/write")) {
             return READ_WRITE;
         } else {
             return READ;

src/main/resources/static_config/static_action_groups.yml

@@ -8,8 +8,17 @@ kibana_all_write:
   static: true
   allowed_actions:
   - "kibana:saved_objects/*/write"
+  - "osd:admin/advanced_settings"
   type: "kibana"
-  description: "Allow writing in all OpenSearch Dashboards apps"
+  description: "Allow writing in all OpenSearch Dashboards apps including advanced settings"
+kibana_only_write:
+  reserved: true
+  hidden: false
+  static: true
+  allowed_actions:
+  - "kibana:saved_objects/*/write"
+  type: "kibana"
+  description: "Allow writing in OpenSearch Dashboards apps except config (advanced settings)"
 kibana_all_read:
   reserved: true
   hidden: false

src/main/resources/static_config/static_roles.yml

@@ -116,6 +116,11 @@ kibana_server:
         - "*"
       allowed_actions:
         - "indices:admin/aliases*"
+  tenant_permissions:
+    - tenant_patterns:
+        - "*"
+      allowed_actions:
+        - "kibana_all_write"
 
 logstash:
   reserved: true