Addressing comments

bharath-techie · bharath-techie · commit 4a8ad4ced39d · 2022-09-06T21:17:23.000+05:30
Signed-off-by: Bharathwaj G &lt;bharath78910@gmail.com&gt;
diff --git a/src/main/java/org/opensearch/security/privileges/PitPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PitPrivilegesEvaluator.java
@@ -1,18 +1,3 @@
-/*
- * Copyright 2015-2018 _floragunn_ GmbH
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 /*
  * SPDX-License-Identifier: Apache-2.0
  *
@@ -32,18 +17,13 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.concurrent.CountDownLatch;
-import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 
 import com.google.common.collect.ImmutableSet;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import org.opensearch.OpenSearchException;
-import org.opensearch.action.ActionListener;
 import org.opensearch.action.ActionRequest;
-import org.opensearch.action.LatchedActionListener;
 import org.opensearch.action.admin.indices.segments.PitSegmentsRequest;
 import org.opensearch.action.search.DeletePitRequest;
 import org.opensearch.action.search.GetAllPitNodesRequest;
@@ -52,7 +32,6 @@
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.unit.TimeValue;
 import org.opensearch.security.OpenSearchSecurityPlugin;
 import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.securityconf.SecurityRoles;
@@ -71,27 +50,22 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final C
                                                 final IndexNameExpressionResolver resolver,
                                                 boolean dnfOfEmptyResultsEnabled, final PrivilegesEvaluatorResponse presponse) {
 
-        // Skip pit evaluation for "NodesGetAllPITs" action, since it fetches all PITs across the cluster
-        // for privilege evaluation
-        if(action.startsWith("cluster:admin")) {
+        // Skip custom evaluation for "NodesGetAllPITs" action, since it fetches all PITs across the cluster
+        // for privilege evaluation - still this action will be evaluated in the generic PrivilegesEvaluator flow
+        if(action.startsWith("cluster:admin/point_in_time")) {
             return presponse;
         }
-        try {
-            if (request instanceof GetAllPitNodesRequest) {
-                return handleGetAllPitsAccess(request, clusterService, user, securityRoles,
-                        action, resolver, dnfOfEmptyResultsEnabled, presponse);
-            } else if (request instanceof DeletePitRequest) {
-                DeletePitRequest deletePitRequest = (DeletePitRequest) request;
-                return handleExplicitPitsAccess(deletePitRequest.getPitIds(), clusterService, user, securityRoles,
-                        action, resolver, dnfOfEmptyResultsEnabled, presponse);
-            } else if (request instanceof PitSegmentsRequest) {
-                PitSegmentsRequest pitSegmentsRequest = (PitSegmentsRequest) request;
-                return handleExplicitPitsAccess(pitSegmentsRequest.getPitIds(), clusterService, user, securityRoles,
-                        action, resolver, dnfOfEmptyResultsEnabled, presponse);
-            }
-        } catch(InterruptedException e) {
-            Thread.currentThread().interrupt();
-            log.error(e.toString());
+        if (request instanceof GetAllPitNodesRequest) {
+            return handleGetAllPitsAccess(request, clusterService, user, securityRoles,
+                    action, resolver, dnfOfEmptyResultsEnabled, presponse);
+        } else if (request instanceof DeletePitRequest) {
+            DeletePitRequest deletePitRequest = (DeletePitRequest) request;
+            return handleExplicitPitsAccess(deletePitRequest.getPitIds(), clusterService, user, securityRoles,
+                    action, resolver, presponse);
+        } else if (request instanceof PitSegmentsRequest) {
+            PitSegmentsRequest pitSegmentsRequest = (PitSegmentsRequest) request;
+            return handleExplicitPitsAccess(pitSegmentsRequest.getPitIds(), clusterService, user, securityRoles,
+                    action, resolver, presponse);
         }
         return presponse;
     }
@@ -102,7 +76,7 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final C
     private PrivilegesEvaluatorResponse handleGetAllPitsAccess(final ActionRequest request, final ClusterService clusterService,
                                                                final User user, SecurityRoles securityRoles, final String action,
                                                                IndexNameExpressionResolver resolver,
-                                                               boolean dnfOfEmptyResultsEnabled, PrivilegesEvaluatorResponse presponse) throws InterruptedException {
+                                                               boolean dnfOfEmptyResultsEnabled, PrivilegesEvaluatorResponse presponse) {
         List<ListPitInfo> pitInfos = ((GetAllPitNodesRequest) request).getGetAllPitNodesResponse().getPitInfos();
         // if cluster has no PITs, then allow the operation to pass with empty response if dnfOfEmptyResultsEnabled
         // config property is true, otherwise fail the operation
@@ -126,17 +100,12 @@ private PrivilegesEvaluatorResponse handleGetAllPitsAccess(final ActionRequest r
             String[] indices = pitToIndicesMap.get(pitId);
             HashSet<String> indicesSet = new HashSet<>(Arrays.asList(indices));
 
-            final ImmutableSet<String> INDICES_SET = ImmutableSet.copyOf(indicesSet);
-            final IndexResolverReplacer.Resolved pitResolved =
-                    new IndexResolverReplacer.Resolved(INDICES_SET, INDICES_SET, INDICES_SET,
-                            ImmutableSet.of(), SearchRequest.DEFAULT_INDICES_OPTIONS);
-
-            final Set<String> allPermittedIndices = securityRoles.reduce(pitResolved,
-                    user, new String[]{action}, resolver, clusterService);
+            final Set<String> allPermittedIndices = getPermittedIndices(indicesSet, clusterService, user,
+                    securityRoles, action, resolver);
             if(isDebugEnabled) {
                 log.debug("Evaluating PIT ID : " + pitId );
             }
-            if (allPermittedIndices.size() == INDICES_SET.size()) {
+            if (allPermittedIndices.size() == indicesSet.size()) {
                 if(isDebugEnabled) {
                     log.debug(" Permitting PIT ID : " + pitId);
                 }
@@ -157,8 +126,7 @@ private PrivilegesEvaluatorResponse handleGetAllPitsAccess(final ActionRequest r
      */
     private PrivilegesEvaluatorResponse handleExplicitPitsAccess(List<String> pitIds, ClusterService clusterService,
                                                                  User user, SecurityRoles securityRoles, final String action,
-                                                                 IndexNameExpressionResolver resolver,
-                                                                 boolean dnfOfEmptyResultsEnabled, PrivilegesEvaluatorResponse presponse) {
+                                                                 IndexNameExpressionResolver resolver, PrivilegesEvaluatorResponse presponse) {
         Map<String, String[]> pitToIndicesMap = OpenSearchSecurityPlugin.
                 GuiceHolder.getPitService().getIndicesForPits(pitIds);
         Set<String> pitIndices = new HashSet<>();
@@ -183,9 +151,9 @@ private PrivilegesEvaluatorResponse handleExplicitPitsAccess(List<String> pitIds
     private Set<String> getPermittedIndices(Set<String> pitIndices, ClusterService clusterService,
                                              User user, SecurityRoles securityRoles, final String action,
                                              IndexNameExpressionResolver resolver) {
-        final ImmutableSet<String> INDICES_SET = ImmutableSet.copyOf(pitIndices);
+        final ImmutableSet<String> pitImmutableIndices = ImmutableSet.copyOf(pitIndices);
         final IndexResolverReplacer.Resolved pitResolved =
-                new IndexResolverReplacer.Resolved(INDICES_SET, INDICES_SET, INDICES_SET,
+                new IndexResolverReplacer.Resolved(pitImmutableIndices, pitImmutableIndices, pitImmutableIndices,
                         ImmutableSet.of(), SearchRequest.DEFAULT_INDICES_OPTIONS);
         return securityRoles.reduce(pitResolved,
                 user, new String[]{action}, resolver, clusterService);
diff --git a/src/test/java/org/opensearch/security/PitIntegrationTests.java b/src/test/java/org/opensearch/security/PitIntegrationTests.java
@@ -1,18 +1,3 @@
-/*
- * Copyright 2015-2018 _floragunn_ GmbH
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 /*
  * SPDX-License-Identifier: Apache-2.0
  *
