
[Workspace]Restrict saved objects finding when workspace enabled #7125


wanglam
Contributor

@wanglam wanglam commented Jun 28, 2024

Description

This PR restricts saved objects finding when workspace is enabled. Non-dashboard-admin users should only have access to saved objects in workspaces. This PR will overwrite the passed arguments.

  • In options.workspaces, workspaces that are not permitted will be filtered out.
  • In options.ACLSearchParams, principals will be replaced with the requested user.
  • Use permitted workspaces or default ACLSearchParams if no options.workspaces and options.ACLSearchParams are provided.

Issues Resolved

#7127

Screenshot

No ui changes

Testing the changes

See the integration test file:
src/plugins/workspace/server/saved_objects/integration_tests/workspace_saved_objects_client_wrapper.test.ts

Changelog

  • fix: [Workspace]Restrict saved objects finding when workspace enabled

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff
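
The argument rewriting listed in the description above, sketched as an added example that is not the plugin's code: `restrictFindOptions`, `Requester`, `DEFAULT_MODES` and the field shapes are hypothetical. Returning `null` when nothing permitted remains is this sketch's own fail-closed choice, not something the PR states.

```typescript
// Added sketch: every type and name here is hypothetical, not the plugin's API.
interface ACLSearchParams {
  principals?: { users?: string[]; groups?: string[] };
  permissionModes?: string[];
}
interface FindOptions {
  type: string;
  workspaces?: string[];
  ACLSearchParams?: ACLSearchParams;
}
interface Requester {
  user: string;
  groups: string[];
  isDashboardAdmin: boolean;
  permittedWorkspaces: string[]; // resolved server-side, never taken from the request
}

// Assumed default permission modes when the caller passes no ACLSearchParams.
const DEFAULT_MODES = ['read', 'write'];

// Returns the options to forward to the wrapped client, or null when the
// caller must get an empty result without querying (fail closed).
function restrictFindOptions(options: FindOptions, requester: Requester): FindOptions | null {
  if (requester.isDashboardAdmin) return options; // admins are not restricted

  const principals = { users: [requester.user], groups: requester.groups };
  const restricted: FindOptions = { ...options };

  if (options.workspaces) {
    // Drop every requested workspace the requester is not permitted to read.
    const allowed = requester.permittedWorkspaces;
    restricted.workspaces = options.workspaces.filter((id) => allowed.indexOf(id) !== -1);
  }
  if (options.ACLSearchParams) {
    // Caller-supplied principals are overwritten with the requester's identity.
    restricted.ACLSearchParams = { ...options.ACLSearchParams, principals };
  }
  if (!options.workspaces && !options.ACLSearchParams) {
    // Nothing supplied: scope to permitted workspaces plus default ACL params.
    restricted.workspaces = requester.permittedWorkspaces;
    restricted.ACLSearchParams = { permissionModes: DEFAULT_MODES, principals };
  }
  if (restricted.workspaces && restricted.workspaces.length === 0) {
    // An empty list must not be read downstream as "no workspace filter".
    if (!restricted.ACLSearchParams) return null;
    delete restricted.workspaces;
  }
  return restricted;
}
```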

…bled

Signed-off-by: Lin Wang <wonglam@amazon.com>
opensearch-changeset-bot bot added a commit to wanglam/OpenSearch-Dashboards that referenced this pull request Jun 28, 2024

codecov bot commented Jun 28, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.55%. Comparing base (e0945af) to head (185423f).
Report is 349 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7125      +/-   ##
==========================================
- Coverage   67.56%   67.55%   -0.01%     
==========================================
  Files        3469     3469              
  Lines       68508    68497      -11     
  Branches    11141    11138       -3     
==========================================
- Hits        46289    46276      -13     
- Misses      19514    19515       +1     
- Partials     2705     2706       +1     
Flag Coverage Δ
Linux_1 33.15% <61.11%> (-0.02%) ⬇️
Linux_2 55.25% <100.00%> (+<0.01%) ⬆️
Linux_3 45.31% <0.00%> (-0.01%) ⬇️
Linux_4 34.73% <0.00%> (-0.01%) ⬇️
Windows_1 33.17% <61.11%> (-0.02%) ⬇️
Windows_2 55.21% <100.00%> (+<0.01%) ⬆️
Windows_3 45.32% <0.00%> (-0.01%) ⬇️
Windows_4 34.73% <0.00%> (-0.01%) ⬇️


Signed-off-by: Lin Wang <wonglam@amazon.com>
@wanglam wanglam force-pushed the limit-data-source-permission-when-workspace-enabled branch from 42923d3 to 17b36b6 Compare June 28, 2024 10:22
@wanglam wanglam marked this pull request as ready for review June 28, 2024 11:27
@wanglam wanglam changed the title [Workspace]Limit data source permission when workspace enabled [Workspace]Restrict data source permission when workspace enabled Jun 28, 2024
// TODO: The `formatFindParams` is a workaround for 2.14 to always list global data sources,
// should remove this workaround in the upcoming release once readonly share is available.
wrapperOptions.client.find(this.formatFindParams(options)),
find: wrapperOptions.client.find,
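Review bot: the TODO above `find` ties `formatFindParams` to always listing global data sources, and with `find: wrapperOptions.client.find` this wrapper forwards the caller's options untouched, so nothing in these lines shows where that listing behaviour or the new restriction is now enforced. Please point to the wrapper that rewrites `options.workspaces` and `options.ACLSearchParams`, and cover the global data source case for a non-admin user in the integration test.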
Member

Can we remove formatFindParams since it's no longer used?

wanglam and others added 9 commits July 2, 2024 22:00
…ects_client_wrapper.ts

Co-authored-by: SuZhou-Joe <suzhou@amazon.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>
…ects_client_wrapper.ts

Co-authored-by: Yulong Ruan <ruanyu1@gmail.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>
@wanglam wanglam changed the title [Workspace]Restrict data source permission when workspace enabled [Workspace]Restrict saved objects finding when workspace enabled Jul 5, 2024
@SuZhou-Joe SuZhou-Joe merged commit 1cb5956 into opensearch-project:main Jul 5, 2024
67 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 5, 2024
* Limit data source saved objects finding and access when workspace enabled

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Remove options.workspaces drop behavior in conflict client wrapper

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Changeset file for PR #7125 created/updated

* Update src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts

Co-authored-by: SuZhou-Joe <suzhou@amazon.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>

* Update src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts

Co-authored-by: Yulong Ruan <ruanyu1@gmail.com>
Signed-off-by: Lin Wang <wonglam@amazon.com>

* Remove formatFindParams

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Fix code format

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Fix ACLSearchParams and empty workspaces

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Refactor workspace client wrapper find

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Remove global saved objects validation logic

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Update uts and its

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Changeset file for PR #7125 created/updated

* Remove no need changes and refactor

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Fix global saved objects not found

Signed-off-by: Lin Wang <wonglam@amazon.com>

* Change saved object get to assert

Signed-off-by: Lin Wang <wonglam@amazon.com>

---------

Signed-off-by: Lin Wang <wonglam@amazon.com>
Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com>
Co-authored-by: Yulong Ruan <ruanyl@amazon.com>
Co-authored-by: SuZhou-Joe <suzhou@amazon.com>
Co-authored-by: Yulong Ruan <ruanyu1@gmail.com>
(cherry picked from commit 1cb5956)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
SuZhou-Joe added a commit that referenced this pull request Jul 8, 2024
…) (#7182)

* Limit data source saved objects finding and access when workspace enabled

* Remove options.workspaces drop behavior in conflict client wrapper

* Changeset file for PR #7125 created/updated

* Update src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts

* Update src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts

* Remove formatFindParams

* Fix code format

* Fix ACLSearchParams and empty workspaces

* Refactor workspace client wrapper find

* Remove global saved objects validation logic

* Update uts and its

* Changeset file for PR #7125 created/updated

* Remove no need changes and refactor

* Fix global saved objects not found

* Change saved object get to assert

---------

(cherry picked from commit 1cb5956)

Signed-off-by: Lin Wang <wonglam@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com>
Co-authored-by: Yulong Ruan <ruanyl@amazon.com>
Co-authored-by: SuZhou-Joe <suzhou@amazon.com>
Co-authored-by: Yulong Ruan <ruanyu1@gmail.com>