Add filter by backend roles access strategy setting #1146
markdboyd wants to merge 14 commits into opensearch-project:main from
11e01f5 to 306f22e
| } | ||
| } | ||
|
|
||
| fun `test get smtp sender has access with filter by backend roles enabled`() { |
I think we need the integration tests from here onwards for at least config type to prove that access controls work as expected when filter_by_backend_roles: true, including in conjunction with the filter_by_backend_roles_access_strategy setting.
I'm debating whether we need to replicate these tests for other config objects (email groups, channels, etc), or whether these tests plus the tests in UserAccessManagerTests.kt are sufficient
| /** | ||
| * Backend roles must be exactly equal to have access | ||
| */ | ||
| ALL("all") |
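Review bot: The doc comment on `ALL("all")` says backend roles must be "exactly equal", but the name ALL can also be read as "the user holds all of the object's roles". State in the comment whether a user who has the object's roles plus additional ones is granted access, and pick a name that matches that behaviour so the setting cannot be misread as more or less permissive than it is.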
For visibility to other reviewers, we're discussing adjusting the name of this strategy away from ALL in this thread.
opensearch-project/alerting#2034 (comment)
@markdboyd could you rebase your branch from opensearch-project:main, and resolve the conflicts? I'd like to see whether the checks pass.
306f22e to 0a0d24e
…nd role enabled Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
… roles enabled Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…alidator Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…ss strategy is all Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…strategy Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
… strategy of ALL & add tests Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
… do not contain object roles Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…r roles match object roles Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…ackend roles access strategy is being tested Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
…les access strategy is all Signed-off-by: Mark Boyd <mark.boyd@gsa.gov>
0a0d24e to 998d8d3
@AWSHurneyt - OK, I've rebased from https://github.com/opensearch-project/notifications/tree/main
Description
This PR adds a new plugin setting, plugins.notifications.general.filter_by_backend_roles_access_strategy, which allows users to control how filtering by backend roles works to determine access to notification objects (e.g. SMTP senders, email recipient groups, channels). The options for this setting are:
- intersect - Users have access to objects if they share at least one backend role with the user who created the object
- all - Users have access to objects if they have all of the same backend roles as the user who created the object

Related Issues
Closes #1079
Check List
--signoff.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
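
The two strategies from the description, with both readings of `all` side by side (the description says the user has all of the creator's roles; the enum comment says the role sets must be exactly equal), as an added Kotlin sketch. It is not the plugin's code: `AccessStrategy`, `hasAccess` and the role names are hypothetical, and denying access when the object carries no backend roles is an assumption of this sketch.

```kotlin
// Added illustration; not code from the notifications plugin. All names are hypothetical.
enum class AccessStrategy { INTERSECT, ALL_SUPERSET, ALL_EXACT }

/**
 * Decide whether a user may access an object, given the user's backend roles
 * and the backend roles stored on the object (those of its creator).
 */
fun hasAccess(strategy: AccessStrategy, userRoles: Set<String>, objectRoles: Set<String>): Boolean =
    when (strategy) {
        // "intersect": at least one shared backend role.
        AccessStrategy.INTERSECT -> userRoles.any { it in objectRoles }
        // "all", reading 1: the user holds every role on the object; extra roles are allowed.
        // containsAll() on an empty set is vacuously true, so this sketch denies
        // explicitly when the object has no roles (an assumption, fail closed).
        AccessStrategy.ALL_SUPERSET -> objectRoles.isNotEmpty() && userRoles.containsAll(objectRoles)
        // "all", reading 2: the two role sets are identical.
        AccessStrategy.ALL_EXACT -> objectRoles.isNotEmpty() && userRoles == objectRoles
    }

fun main() {
    // Constructed sample data: an object created by a user with roles {ops, security}.
    val objectRoles = setOf("ops", "security")
    val users = linkedMapOf(
        "shares one role" to setOf("ops"),
        "same roles" to setOf("ops", "security"),
        "same roles plus one" to setOf("ops", "security", "admin"),
        "no shared role" to setOf("finance"),
        "no roles at all" to emptySet<String>()
    )
    // Print one line per user showing the decision under each strategy.
    for ((label, roles) in users) {
        val results = AccessStrategy.values()
            .joinToString { "$it=${hasAccess(it, roles, objectRoles)}" }
        println("$label: $results")
    }
}
```

The "same roles plus one" row is the case where the two readings of `all` disagree, which is why the strategy's name and doc comment need to say which one is meant.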