Comment 3 for bug 1541115

OpenStack Infra (hudson-openstack) wrote : Fix merged to searchlight (master)

Reviewed: https://review.openstack.org/286829
Committed: https://git.openstack.org/cgit/openstack/searchlight/commit/?id=845f760ddf5879e04c86147b3bc403c26c2e1507
Submitter: Jenkins
Branch: master

commit 845f760ddf5879e04c86147b3bc403c26c2e1507
Author: Steve McLellan <email address hidden>
Date: Tue Mar 1 14:37:08 2016 -0600

    Apply rbac more consistently

    Previously, all_projects meant that no RBAC was applied at all, which
    in general was not dangerous but did suffer from a potential edge
    condition where inactive documents in an index could be returned from
    searches. More problematically, the logic for all_projects was very
    different from the usual user-level flow which could lead to difficulty
    debugging.

    Even more problematically, the queries were much more complex than
    necessary. This patch simplifies the query construction logic such that
    the query is specified once, and the filters (the user/admin split plus
    the rbac and type filters) are applied in a single filter. This should
    mean that the score makes more sense as it is purely a result of the
    actual query. This does NOT change functional behavior (and thus no
    changes to tests).

    The pseudo logic for search is now:

      ((index= AND type= AND <all_rbac_filters>) OR
       (index= AND type= AND <all_rbac_filters>) OR
       ..... # Repeat for each eligible plugin type)
      AND <user-role-field>=ADMIN/USER
      AND <user-provided-query>

    In addition, this patch adds the ability to enforce RBAC filtering
    even for administrative all_projects queries on a per plugin basis
    with a property allow_admin_ignore_rbac.

    Change-Id: Idef1ef000b7c14fb5bd4810b034b426ba48872fb
    Closes-Bug: #1541115
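
A sketch of the query shape described in the commit message above, added here as an example; it is not Searchlight's own code. Only `all_projects` and `allow_admin_ignore_rbac` come from the commit message; the plugin dicts, context keys, `USER_ROLE_FIELD`, the sample types and the Elasticsearch bool/filter layout are assumptions.

```python
# Added illustration: plugin dicts, context keys and USER_ROLE_FIELD are hypothetical.
USER_ROLE_FIELD = "user_role"  # stands in for <user-role-field>


def plugin_filter(plugin, ctx, all_projects):
    """Build (index AND type AND <all_rbac_filters>) for one plugin."""
    clauses = [
        {"term": {"_index": plugin["index"]}},
        {"term": {"_type": plugin["type"]}},
    ]
    # Assumption: RBAC is skipped only for an admin all_projects request,
    # and only when the plugin opts in through allow_admin_ignore_rbac.
    skip_rbac = (all_projects and ctx["is_admin"]
                 and plugin["allow_admin_ignore_rbac"])
    if not skip_rbac:
        clauses.extend(plugin["rbac_filters"](ctx))
    return {"bool": {"filter": clauses}}


def build_search(user_query, plugins, ctx, all_projects=False):
    """The user query is stated once; everything else is a non-scoring filter."""
    role = "admin" if ctx["is_admin"] else "user"
    per_plugin = [plugin_filter(p, ctx, all_projects) for p in plugins]
    return {"query": {"bool": {
        "must": [user_query],
        "filter": [
            {"bool": {"should": per_plugin, "minimum_should_match": 1}},
            {"term": {USER_ROLE_FIELD: role}},
        ],
    }}}


def owner_only(ctx):
    # Constructed RBAC rule: a document is visible to its owning project.
    return [{"term": {"project_id": ctx["project_id"]}}]


# Constructed sample plugins; the second enforces RBAC even for admins.
PLUGINS = [
    {"index": "searchlight", "type": "image", "rbac_filters": owner_only,
     "allow_admin_ignore_rbac": True},
    {"index": "searchlight", "type": "server", "rbac_filters": owner_only,
     "allow_admin_ignore_rbac": False},
]

if __name__ == "__main__":
    import json
    admin = {"is_admin": True, "project_id": "p1"}
    q = build_search({"match": {"name": "web"}}, PLUGINS, admin, all_projects=True)
    print(json.dumps(q, indent=2))
```

Because the RBAC, type and role clauses all sit in filter context, the relevance score comes only from the user-provided query in `must`.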