-
Notifications
You must be signed in to change notification settings - Fork 272
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auto-convert V6 configuration instances into V7 configuration instances #4546
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good to me @nibix. Could you please check and resolve the conflict?
|
||
return newConfig; | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👏 Much cleaner!
import static org.mockito.Mockito.when; | ||
import static org.mockito.Mockito.withSettings; | ||
|
||
public class SecurityRolesPermissionsV6Test { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why delete v6 test?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now we convert "behind the scenes" any V6 config into a V7 config. Thus, the business logic which operates on the V6 config is no longer in use - that's especially the classes ConfigModelV6
and DynamicConfigModelV6
. I actually forgot to delete these classes in the first commit - in a second commit, I have now deleted these classes.
As the SecurityRolesPermissionsV6Test
tests the business logic in the ConfigModelV6
class, it has now nothing to test anymore.
BTW, I felt that I should describe the idea of the change a bit more in detail. See the updated description of this PR. |
0ab5f5f
to
6bb6de4
Compare
With this change, would a user still be able to use the Migrate API to change the documents stored in the security index to the V7 format? If a user uses securityadmin to export the security index, what format will the generated yml files be in? |
In the end, it is up to us to define these behaviors. I would expect that both functionalities remain unaffected. Thus, exporting the configuratin will yield v6/v1 configuration files. Also, the migrate API and the migrate command continue to work as before. |
Sounds good. What work is remaining on this PR in order to flip it from Draft? |
Mainly reviewing test failures and reviewing the special cases, like migration and API - as mentioned above. So, I would then focus on this again? |
If its an enabler for #4380, then IMO I think we should move this forward |
Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>
Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>
Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>
950c447
to
1540e23
Compare
Description
This relates to the alternative proposal "Behind the scenes conversion from V6 to V7" from #4493.
For now, this is a draft. It is to illustrate what could be done to convert the V6 config instances to V7 config instances "behind the scenes". This allows to save a bit of duplicate implementation regarding to privilege evaluation and possibly also further logic.
As an additional benefit, this makes it possible to use
SecurityDynamicConfiguration<>
instances in a generically type-safe manner. So far, one usually needs to useSecurityDynamicConfiguration<?>
instances and do unsafe casts.This only touches the runtime representation of the configuration. If there's a V6 configuration in the configuration index, it remains untouched. The possibility to update configuration in V6 format will remain.
For now, this serves for illustrating what can be done. It is mostly complete, but might require some more attention to some details and polishing to merge it.
Behind the scenes conversion
Some more detail on what is changed by this PR:
The configuration architecture consists of these levels:
ConfigurationRepository
which managesSecurityDynamicConfiguration<>
instances which contain as entry instances oforg.opensearch.security.securityconf.impl.v6.RoleV6
,org.opensearch.security.securityconf.impl.v6.RoleMappingsV6
,org.opensearch.security.securityconf.impl.v7.RoleV7
,org.opensearch.security.securityconf.impl.v7.RoleMappingsV7
, etc.DynamicConfigFactory
which consumesSecurityDynamicConfiguration<>
instances and createsConfigModel
andDynamicConfigModel
instances. If it finds V6 classes inSecurityDynamicConfiguration<>
, it createsConfigModelV6
instances, if it finds V7 classes, it createsConfigModelV7
instances.ConfigModelV6
andConfigModelV7
classes contain business logic which evaluates roles and permissions.PrivilegesEvaluator
.This PR changes the architecture at level 2:
ConfigurationRepository
is changed in this way: If it finds V6 instances likeorg.opensearch.security.securityconf.impl.v6.RoleV6
, it auto-converts these to V7 instances likeorg.opensearch.security.securityconf.impl.v7.RoleV7
. The V7 classes already have functionality for that which is already used for the securityadmin migration command.DynamicConfigFactory
does no longer need a distinction between two config versions.ConfigModelV6
becomes redundant.PrivilegeEvaluator
consumes the super interfaceConfigModel
, it does not notice anything about this change.Issues Resolved
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.