commit 845f760ddf5879e04c86147b3bc403c26c2e1507
Author: Steve McLellan <email address hidden>
Date: Tue Mar 1 14:37:08 2016 -0600
Apply rbac more consistently
Previously, all_projects meant that no RBAC was applied at all, which
in general was not dangerous but did suffer from a potential edge
condition where inactive documents in an index could be returned from
searches. More problematically, the logic for all_projects was very
different from the usual user-level flow which could lead to difficulty
debugging.
Even more problematically, the queries were much more complex than
necessary. This patch simplifies the query construction logic such that
the query is specified once, and the filters (the user/admin split plus
the rbac and type filters) are applied in a single filter. This should
mean that the score makes more sense as it is purely a result of the
actual query. This does NOT change functional behavior (and thus no
changes to tests).
The pseudo logic for search is now:
((index= AND type= AND <all_rbac_filters>) OR
(index= AND type= AND <all_rbac_filters>) OR
..... # Repeat for each eligible plugin type)
AND <user-role-field>=ADMIN/USER
AND <user-provided-query>
In addition, this patch adds the ability to enforce RBAC filtering
even for administrative all_projects queries on a per plugin basis
with a property allow_admin_ignore_rbac.
Reviewed: https://review.openstack.org/286829
Committed: https://git.openstack.org/cgit/openstack/searchlight/commit/?id=845f760ddf5879e04c86147b3bc403c26c2e1507
Submitter: Jenkins
Branch: master
Change-Id: Idef1ef000b7c14fb5bd4810b034b426ba48872fb
Closes-Bug: #1541115
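An added illustration, not Searchlight's own code, of the single-filter query shape the commit message describes: each plugin contributes one (index AND type AND rbac) branch of the OR, the admin/user role split and the user-provided query are applied once, and allow_admin_ignore_rbac drops the rbac clause only for an admin all_projects query. The plugin descriptors, the role field name and the rbac clauses below are constructed assumptions.

```python
# Added example (not Searchlight code): build one Elasticsearch bool query in the
# shape "(index AND type AND rbac) OR ... AND role AND user_query". Field names,
# plugin descriptors and rbac clauses are constructed for illustration.

ADMIN_ROLE = "admin"
USER_ROLE = "user"
ROLE_FIELD = "_searchlight_role"  # assumed name of the per-document role field


def plugin_clause(plugin, is_admin, all_projects):
    """One (index AND type AND rbac) branch. The rbac clauses are omitted only
    for an admin all_projects query on a plugin that sets allow_admin_ignore_rbac."""
    must = [
        {"term": {"_index": plugin["index"]}},
        {"type": {"value": plugin["doc_type"]}},
    ]
    skip_rbac = is_admin and all_projects and plugin.get("allow_admin_ignore_rbac", False)
    if not skip_rbac:
        must.extend(plugin["rbac_filters"])
    return {"bool": {"must": must}}


def build_query(user_query, plugins, is_admin, all_projects):
    """Query stated once under 'must' (so it alone drives the score); the
    per-plugin OR and the role split sit together in a non-scoring 'filter'."""
    plugin_filter = {"bool": {
        "should": [plugin_clause(p, is_admin, all_projects) for p in plugins],
        "minimum_should_match": 1,
    }}
    role_filter = {"term": {ROLE_FIELD: ADMIN_ROLE if is_admin else USER_ROLE}}
    return {"query": {"bool": {"must": user_query, "filter": [plugin_filter, role_filter]}}}


def rbac_applied(query, branch):
    """True if plugin branch `branch` still carries rbac clauses beyond index and type."""
    should = query["query"]["bool"]["filter"][0]["bool"]["should"]
    return len(should[branch]["bool"]["must"]) > 2


# Constructed sample plugins: the first lets admins skip rbac, the second never does.
SAMPLE_PLUGINS = [
    {"index": "searchlight-nova", "doc_type": "OS::Nova::Server",
     "rbac_filters": [{"term": {"tenant_id": "tenant-a"}}],
     "allow_admin_ignore_rbac": True},
    {"index": "searchlight-glance", "doc_type": "OS::Glance::Image",
     "rbac_filters": [{"bool": {"should": [{"term": {"owner": "tenant-a"}},
                                           {"term": {"visibility": "public"}}]}}]},
]
```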