Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add runAs to Subject interface and introduce IdentityAwarePlugin extension point (#14630) (#15477)

* Create ExecutionContext and show example with ActionPluginProxy
* Only allow core to set the ExecutionContext
* WIP on plugin aware thread context
* Plugin Aware API Handling
* Add test to verify that ExecutionContext is being populated during RestHandling
* Clear context in a finally block
* Create switchContext method in ThreadContext and make pluginExecutionStack a stack
* WIP on plugin aware stash context
* Create class called PluginAwareNodeClient that provides a method called switchContext
* Remove ExecutionContext class
* Update javadoc
* Change createComponents to take in PluginAwareNodeClient
* Update all instances of createComponents
* Initialize clients
* Remove casting
* WIP on notion of ContextSwitcher
* Make stashContext package-private
* Make markAsSystemContext package-private
* Add javadoc on param
* Remove SystemContextSwitcher
* Merge with main
* Cleanup
* Remove SystemIndexFilter
* Add notion of Forbidden Headers to the ThreadContext
* Fix tests
* Fix test
* Add method to initialize plugins
* Create concept of pluginNodeClient that can be used for executing transport actions as the plugin
* Add test
* Add another test for setPluginNodeClient
* Remove newline
* Add another test
* Subject.runAs and introduce PluginSubject
* Do nothing when runAs is called for ShiroSubject and NoopSubject
* Remove extraneous changes
* Test all methods in PluginSubject
* Pass a Callable to runAs
* Update import
* Simplify PR, make NoopPluginSubject and introduce IdentityAwarePlugin
* Add final
* Remove server dependency
* Remove AbstractSubject
* Remove unnecessary changes
* Add javadoc to NoopPluginSubject
* Rename to assignSubject
* Add experimental label
* Add getPluginSubject(plugin) to IdentityPlugin
* Make runAs generic
* package-private constructor
* Move IdentityAwarePlugin initialization
* Create separate PluginSubject interface
* Remove authenticate method
* Remove import
* Separate UserSubject and PluginSubject
* Terminate TestThreadPool
* mock ThreadPool in RestSendToExtensionActionTests
* Fix Thread leak
* Add to CHANGELOG
* Rename to getCurrentSubject
* Add type check
* Rename to pluginSubject
* Add runAs to ActionRequest and surround doExecute in AbstractClient
* Return this
* Switch back to void
* Revert change to ActionRequest

---------

(cherry picked from commit ee17eca)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Ankit Jain <akjain@amazon.com>
1 parent 4d0af97, commit c2574a5
Showing 32 changed files with 423 additions and 63 deletions.
49 changes: 49 additions & 0 deletions
plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroPluginSubject.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
*/ | ||
|
||
package org.opensearch.identity.shiro; | ||
|
||
import org.opensearch.common.annotation.ExperimentalApi; | ||
import org.opensearch.common.util.concurrent.ThreadContext; | ||
import org.opensearch.identity.NamedPrincipal; | ||
import org.opensearch.identity.PluginSubject; | ||
import org.opensearch.threadpool.ThreadPool; | ||
|
||
import java.security.Principal; | ||
import java.util.concurrent.Callable; | ||
|
||
/** | ||
* Implementation of subject that is always authenticated | ||
* <p> | ||
* This class and related classes in this package will not return nulls or fail permissions checks | ||
* | ||
* This class is used by the ShiroIdentityPlugin to initialize IdentityAwarePlugins | ||
* | ||
* @opensearch.experimental | ||
*/ | ||
@ExperimentalApi | ||
public class ShiroPluginSubject implements PluginSubject { | ||
private final ThreadPool threadPool; | ||
|
||
ShiroPluginSubject(ThreadPool threadPool) { | ||
super(); | ||
this.threadPool = threadPool; | ||
} | ||
|
||
@Override | ||
public Principal getPrincipal() { | ||
return NamedPrincipal.UNAUTHENTICATED; | ||
} | ||
|
||
@Override | ||
public <T> T runAs(Callable<T> callable) throws Exception { | ||
try (ThreadContext.StoredContext ctx = threadPool.getThreadContext().stashContext()) { | ||
return callable.call(); | ||
} | ||
} | ||
} |
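Review bot: the class javadoc calls this a subject "that is always authenticated", yet getPrincipal() returns NamedPrincipal.UNAUTHENTICATED, and the constructor takes only a ThreadPool, so every plugin initialized through ShiroIdentityPlugin reports the same principal. Either reword the javadoc to say that this implementation does not assign plugins an identity, or pass the plugin in and derive a per-plugin principal so that authorization and audit code can tell which plugin called runAs. On runAs itself, the stashed context is closed as soon as callable.call() returns; add a method javadoc stating that the callable runs with the caller's thread context stashed and that the previous context is restored on return, including when the callable throws. The explicit super() in the constructor is redundant, since the class extends nothing.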
19 changes: 19 additions & 0 deletions
server/src/main/java/org/opensearch/identity/PluginSubject.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
*/ | ||
|
||
package org.opensearch.identity; | ||
|
||
import org.opensearch.common.annotation.ExperimentalApi; | ||
|
||
/** | ||
* Similar to {@link Subject}, but represents a plugin executing actions | ||
* | ||
* @opensearch.experimental | ||
*/ | ||
@ExperimentalApi | ||
public interface PluginSubject extends Subject {} |
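Review bot: PluginSubject declares no members, and its javadoc ("Similar to Subject, but represents a plugin executing actions") does not say what an implementation must guarantee. Since the type exists to separate plugin-initiated actions from user-initiated ones, document the contract here: what getPrincipal() should identify for a plugin, and what state runAs must establish and restore around the callable. Without that, code that branches on the subject type has only the interface name to go on.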
29 changes: 29 additions & 0 deletions
server/src/main/java/org/opensearch/identity/UserSubject.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
*/ | ||
|
||
package org.opensearch.identity; | ||
|
||
import org.opensearch.common.annotation.ExperimentalApi; | ||
import org.opensearch.identity.tokens.AuthToken; | ||
|
||
/** | ||
* An instance of a subject representing a User. UserSubjects must pass credentials for authentication. | ||
* | ||
* @opensearch.experimental | ||
*/ | ||
@ExperimentalApi | ||
public interface UserSubject extends Subject { | ||
/** | ||
* Authenticate via an auth token | ||
* throws UnsupportedAuthenticationMethod | ||
* throws InvalidAuthenticationToken | ||
* throws SubjectNotFound | ||
* throws SubjectDisabled | ||
*/ | ||
void authenticate(final AuthToken token); | ||
} |
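Review bot: the javadoc on authenticate lists its four failure cases as plain "throws ..." text, but the signature declares no exceptions and there are no @throws tags, so neither the compiler nor the generated docs tell a caller what to catch. Use @throws with the actual exception class names, say whether they are unchecked, and add @param token. The javadoc should also state what the subject's state is after a failed call, since callers need that to handle authentication failure safely.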