Merge pull request #256 from palashhedau/opendistro-0.10

Allow SuperAdmin to update/delete/add read only config such as action…

Author: palashhedau

src/main/java/com/amazon/opendistroforelasticsearch/security/configuration/AdminDNs.java

@@ -83,7 +83,7 @@ public AdminDNs(final Settings settings) {
         }
 
         log.debug("Loaded {} admin DN's {}",adminDn.size(),  adminDn);
-        
+
         final Settings impersonationDns = settings.getByPrefix(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".");
 
         for (String dnString:impersonationDns.keySet()) {

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/AbstractApiAction.java

@@ -77,6 +77,7 @@ public abstract class AbstractApiAction extends BaseRestHandler {
 	private final RestApiPrivilegesEvaluator restApiPrivilegesEvaluator;
 	protected final AuditLog auditLog;
 	protected final Settings settings;
+	private AdminDNs adminDNs;
 
 	protected AbstractApiAction(final Settings settings, final Path configPath, final RestController controller,
 								final Client client, final AdminDNs adminDNs, final IndexBaseConfigurationRepository cl,
@@ -86,6 +87,7 @@ protected AbstractApiAction(final Settings settings, final Path configPath, fina
 		this.settings = settings;
 		this.opendistrosecurityIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME,
 				ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
+		this.adminDNs = adminDNs;
 		this.cl = cl;
 		this.cs = cs;
 		this.threadPool = threadPool;
@@ -147,7 +149,7 @@ protected void handleDelete(final RestChannel channel, final RestRequest request
 			return;
 		}
 
-		if (isReadOnly(existingAsSettings.v2(), name)) {
+		if (!isReadOnlyAndAccessible(existingAsSettings.v2(), name)) {
 			forbidden(channel, "Resource '"+ name +"' is read-only.");
 			return;
 		}
@@ -187,7 +189,7 @@ protected void handlePut(final RestChannel channel, final RestRequest request, f
 			return;
 		}
 
-		if (isReadOnly(existingAsSettings.v2(), name)) {
+		if (!isReadOnlyAndAccessible(existingAsSettings.v2(), name)) {
 			forbidden(channel, "Resource '"+ name +"' is read-only.");
 			return;
 		}
@@ -544,4 +546,16 @@ public String getName() {
 
 	protected abstract Endpoint getEndpoint();
 
-}
+	protected boolean isSuperAdmin() {
+		User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+		return adminDNs.isAdmin(user);
+	}
+
+	protected boolean isReadOnlyAndAccessible(Settings settings, String name) {
+		if( isReadOnly(settings, name) && !isSuperAdmin()) {
+			return false;
+		}
+		return true;
+	}
+
+}

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/AccountApiAction.java

@@ -195,7 +195,7 @@ protected void handlePut(RestChannel channel, final RestRequest request, final C
             return;
         }
 
-        if (isReadOnly(existingAsSettings.v2(), username)) {
+        if (!isReadOnlyAndAccessible(existingAsSettings.v2(), username)) {
             forbidden(channel, "Resource '"+ username +"' is read-only.");
             return;
         }

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/ActionGroupsApiAction.java

@@ -71,7 +71,7 @@ protected void registerHandlers(RestController controller, Settings settings) {
 
 	@Override
 	protected AbstractConfigurationValidator getValidator(final RestRequest request, BytesReference ref, Object... param) {
-		return new ActionGroupValidator(request, ref, this.settings, param);
+		return new ActionGroupValidator(request, isSuperAdmin(), ref, this.settings, param);
 	}
 
 	@Override

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/InternalUsersApiAction.java

@@ -115,9 +115,7 @@ protected void handlePut(RestChannel channel, final RestRequest request, final C
         }
 
         // check if resource is writeable
-        Boolean readOnly = configurationSettings.v2().getAsBoolean(username + "." + ConfigConstants.CONFIGKEY_READONLY,
-                Boolean.FALSE);
-        if (readOnly) {
+        if (!isReadOnlyAndAccessible(configurationSettings.v2(), username)) {
             forbidden(channel, "Resource '" + username + "' is read-only.");
             return;
         }
@@ -228,6 +226,6 @@ protected String getConfigName() {
 
     @Override
     protected AbstractConfigurationValidator getValidator(RestRequest request, BytesReference ref, Object... params) {
-        return new InternalUsersValidator(request, ref, this.settings, params);
+        return new InternalUsersValidator(request, isSuperAdmin(), ref, this.settings, params);
     }
 }

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/PatchableResourceApiAction.java

@@ -107,7 +107,8 @@ private void handleSinglePatch(RestChannel channel, RestRequest request, Client
             return;
         }
 
-        if (isReadOnly(existingAsSettings.v2(), name)) {
+
+        if (!isReadOnlyAndAccessible(existingAsSettings.v2(), name)) {
             forbidden(channel, "Resource '" + name + "' is read-only.");
             return;
         }
@@ -186,7 +187,7 @@ private void handleBulkPatch(RestChannel channel, RestRequest request, Client cl
 
             if (oldResource != null && !oldResource.equals(patchedResource)) {
 
-                if (isReadOnly(existingAsSettings.v2(), resourceName)) {
+                if (!isReadOnlyAndAccessible(existingAsSettings.v2(), resourceName)) {
                     forbidden(channel, "Resource '" + resourceName + "' is read-only.");
                     return;
                 }

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/RolesApiAction.java

@@ -61,7 +61,7 @@ protected Endpoint getEndpoint() {
 
 	@Override
 	protected AbstractConfigurationValidator getValidator(RestRequest request, BytesReference ref, Object... param) {
-		return new RolesValidator(request, ref, this.settings, param);
+		return new RolesValidator(request, isSuperAdmin(), ref, this.settings, param);
 	}
 
 	@Override

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/RolesMappingApiAction.java

@@ -62,7 +62,7 @@ protected Endpoint getEndpoint() {
 
 	@Override
 	protected AbstractConfigurationValidator getValidator(RestRequest request, BytesReference ref, Object... param) {
-		return new RolesMappingValidator(request, ref, this.settings, param);
+		return new RolesMappingValidator(request, isSuperAdmin(), ref, this.settings, param);
 	}
 
 	@Override

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/validation/AbstractConfigurationValidator.java

@@ -146,6 +146,7 @@ public boolean validateSettings() {
         Set<String> allowed = new HashSet<>(allowedKeys.keySet());
         requested.removeAll(allowed);
         this.invalidKeys.addAll(requested);
+
         boolean valid = missingMandatoryKeys.isEmpty() && invalidKeys.isEmpty() && missingMandatoryOrKeys.isEmpty();
         if (!valid) {
             this.errorType = ErrorType.INVALID_CONFIGURATION;
@@ -264,7 +265,7 @@ private Settings.Builder toSettingsBuilder(final BytesReference ref) {
     }
 
     public static enum DataType {
-        STRING, ARRAY, OBJECT;
+        STRING, ARRAY, OBJECT, BOOLEAN;
     }
 
     public static enum ErrorType {

src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/validation/ActionGroupValidator.java

@@ -22,10 +22,11 @@
 
 public class ActionGroupValidator extends AbstractConfigurationValidator {
 
-	public ActionGroupValidator(final RestRequest request, BytesReference ref, final Settings esSettings, Object... param) {
+	public ActionGroupValidator(final RestRequest request, boolean isSuperAdmin, BytesReference ref, final Settings esSettings, Object... param) {
 		super(request, ref, esSettings, param);
 		this.payloadMandatory = true;
 		allowedKeys.put("permissions", DataType.ARRAY);
+		if (isSuperAdmin) allowedKeys.put("readonly" , DataType.BOOLEAN);
 		mandatoryKeys.add("permissions");
 	}