Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check if AD backend role is enabled #968

Merged
merged 2 commits into from
Jul 10, 2023
Merged

Check if AD backend role is enabled #968

merged 2 commits into from
Jul 10, 2023

Conversation

amitgalitz
Copy link
Member

Description of changes:
Right now the ad backend role filtering is always enabled, this is adding a check to make sure that AD backend role filtering is either disabled or enabled and apply that filtering correctly when retrieving detectors or calling on the result index in AD.

CheckList:

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@amitgalitz
check if ad filter is enabled
25df4be 
Signed-off-by: Amit Galitzky <[email protected]>
getsaurabh02
getsaurabh02 reviewed Jul 7, 2023
View reviewed changes
alerting/src/main/kotlin/org/opensearch/alerting/InputService.kt Outdated
@@ -209,7 +207,9 @@ class InputService(
// Monitor runner will send transport request to check permission first. If security plugin response
// is yes, user has permission to query AD result. If AD role filter enabled, we will add user role
// filter to protect data at user role level; otherwise, user can query any AD result.
addUserBackendRolesFilter(monitor.user, searchRequest.source())
if (getADBackendRoleFilterEnabled(clusterService, settings)) {
Copy link
Member

@getsaurabh02 getsaurabh02 Jul 7, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can getADBackendRoleFilterEnabled should be made more generic like getClientPluginRoleFilter so that we can supply the AD filter path just for that one use but the method itself can be used for other setting check?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

made this change

getsaurabh02
getsaurabh02 reviewed Jul 7, 2023
View reviewed changes
Copy link
Member

@getsaurabh02 getsaurabh02 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks LGTM overall! Added a suggestion on how we can de-couple the AD setting knowledge from the Alerting execution flow.

@amitgalitz
updated integ tests
bf2c90f 
Signed-off-by: Amit Galitzky <[email protected]>
@amitgalitz
Copy link
Member Author

I made the same code changes on a 2.8 branch and everything passed: amitgalitz@00c326a
Both locally and in above github link you can go to the green check mark for that commit

@codecov
Copy link

codecov bot commented Jul 10, 2023

Codecov Report

Merging #968 (bf2c90f) into main (62d2524) will decrease coverage by 0.24%.
The diff coverage is 38.88%.

@@             Coverage Diff              @@
##               main     #968      +/-   ##
============================================
- Coverage     75.05%   74.81%   -0.24%     
+ Complexity      111      110       -1     
============================================
  Files           144      144              
  Lines          8341     8358      +17     
  Branches       1213     1223      +10     
============================================
- Hits           6260     6253       -7     
- Misses         1465     1485      +20     
- Partials        616      620       +4
Impacted Files Coverage Δ
.../alerting/transport/TransportIndexMonitorAction.kt 55.86% <0.00%> (-2.96%) ⬇️
...tlin/org/opensearch/alerting/util/AlertingUtils.kt 52.63% <22.22%> (-5.71%) ⬇️
...ain/kotlin/org/opensearch/alerting/InputService.kt 89.88% <60.00%> (-1.98%) ⬇️
...n/kotlin/org/opensearch/alerting/AlertingPlugin.kt 94.27% <100.00%> (ø)

... and 10 files with indirect coverage changes

getsaurabh02
getsaurabh02 approved these changes Jul 10, 2023
View reviewed changes
Copy link
Member

@getsaurabh02 getsaurabh02 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Can we link the test success link.

@amitgalitz
Copy link
Member Author

amitgalitz/alerting@00c326a

LGTM. Can we link the test success link.

https://github.com/amitgalitz/alerting/actions/runs/5512253293/jobs/10048841565

@lezzago lezzago merged commit 5fc607b into opensearch-project:main Jul 10, 2023
13 of 17 checks passed
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-968-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 5fc607bf6f8137fd0ac7fba4522fcedd67e29cbc
# Push it to GitHub
git push --set-upstream origin backport/backport-968-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-968-to-2.x.

amitgalitz added a commit to amitgalitz/alerting that referenced this pull request Jul 10, 2023
@amitgalitz
Check if AD backend role is enabled (opensearch-project#968)
b268bef 
* check if ad filter is enabled

Signed-off-by: Amit Galitzky <[email protected]>

* updated integ tests

Signed-off-by: Amit Galitzky <[email protected]>

---------

Signed-off-by: Amit Galitzky <[email protected]>
amitgalitz added a commit to amitgalitz/alerting that referenced this pull request Jul 11, 2023
@amitgalitz
Check if AD backend role is enabled (opensearch-project#968)
b424c82 
* check if ad filter is enabled

Signed-off-by: Amit Galitzky <[email protected]>

* updated integ tests

Signed-off-by: Amit Galitzky <[email protected]>

---------

Signed-off-by: Amit Galitzky <[email protected]>
AWSHurneyt pushed a commit that referenced this pull request Jul 11, 2023
@amitgalitz
Check if AD backend role is enabled (#968) (#989)
62d3d7e 
* check if ad filter is enabled



* updated integ tests



---------

Signed-off-by: Amit Galitzky <[email protected]>
@AWSHurneyt AWSHurneyt added the backport 2.9 backports PRs to 2.9 label Jul 11, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.9 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.9 2.9
# Navigate to the new working tree
cd .worktrees/backport-2.9
# Create a new branch
git switch --create backport/backport-968-to-2.9
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 5fc607bf6f8137fd0ac7fba4522fcedd67e29cbc
# Push it to GitHub
git push --set-upstream origin backport/backport-968-to-2.9
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.9

Then, create a pull request where the base branch is 2.9 and the compare/head branch is backport/backport-968-to-2.9.

opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 11, 2023
@amitgalitz @github-actions
Check if AD backend role is enabled (#968) (#989)
b3a379d 
* check if ad filter is enabled

* updated integ tests

---------

Signed-off-by: Amit Galitzky <[email protected]>
(cherry picked from commit 62d3d7e)
lezzago pushed a commit that referenced this pull request Jul 11, 2023
@opensearch-trigger-bot @amitgalitz
Check if AD backend role is enabled (#968) (#989) (#993)
459cd99 
* check if ad filter is enabled

* updated integ tests

---------

Signed-off-by: Amit Galitzky <[email protected]>
(cherry picked from commit 62d3d7e)

Co-authored-by: Amit Galitzky <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lezzago lezzago lezzago approved these changes

@getsaurabh02 getsaurabh02 getsaurabh02 approved these changes

@AWSHurneyt AWSHurneyt Awaiting requested review from AWSHurneyt AWSHurneyt is a code owner

@sbcd90 sbcd90 Awaiting requested review from sbcd90 sbcd90 is a code owner

@eirsep eirsep Awaiting requested review from eirsep eirsep is a code owner

@praveensameneni praveensameneni Awaiting requested review from praveensameneni praveensameneni is a code owner

@qreshi qreshi Awaiting requested review from qreshi

@bowenlan-amzn bowenlan-amzn Awaiting requested review from bowenlan-amzn bowenlan-amzn is a code owner

@rishabhmaurya rishabhmaurya Awaiting requested review from rishabhmaurya rishabhmaurya is a code owner

Assignees
No one assigned
Labels
backport 2.x backport 2.9 backports PRs to 2.9
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@amitgalitz @lezzago @getsaurabh02 @AWSHurneyt