-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add test that confirms when Rest and Transport authorization checks overlap #3112
Comments
This case was verified via this test. This test checks for legacy vs new implementation.
This case was verified via this test
Request will never reach Transport Layer, if they are unauthorized at REST layer. This case was verified via this test
Request will never reach Transport Layer, if they are unauthorized at REST layer. And so this scenario will never exist, and a test cannot be implemented for this. Current design suggests that all new named routes have an option to support legacy action names which were originally evaluated at TransportLayer via PrivilegesEvaluator. I'll be more than happy to modify existing tests with any additional details as required. |
These scenarios are not correct , the whoami API is implemented as a Rest handler action - not a transport action. We need to be sure that overlapping functionality between different actions is still handled as expected. |
There is a corresponding WhoAmI transport action to the rest API. This request does touch the SecurityFilter class, however it is made pass-through at Transport Layer authorization: https://github.com/opensearch-project/security/blob/f299a5f9094597648fbb147e74166d48090df6c9/src/main/java/org/opensearch/security/filter/SecurityFilter.java#L207C24-L207C24. I'll look into a way to add a test to make this clearer.
Agreed. One thing to note, by design, requests which fail authorization at REST Layer will not reach Transport Layer. The idea behind this is that REST Layer authorization will only come into play in case of NamedRoutes (which support REST authorization). For all other routes (we refer to those as legacy routes), the flow remains as it was prior to REST authz introduction. (Verified via different tests in WhoAmITests file) |
Here is some pseudo code of what I think this test could look like, we will need to register some plugins that exist only during the test scenario to go through the registration process and test invariants in this scenario.
|
[Triage] Thanks for filing this issue @peternied. At this time, it looks like this issue is actionable. Going to label this as triaged. |
Coming from #2867, want to confirm that REST authorization and Transport authorization are both checked when there is an overlap which is expected during migration scenarios.
Exit Criteria
The text was updated successfully, but these errors were encountered: