rollup security (#394)

* rollup security

* change getRollups action name to search

* change runBlocking to withContext

* ISM security comments

* self review

* show roles from explain API but not get API in rollup

* ktlint

* address comments

* address comments

* modify explain and get output

* address comments

Author: bowenlan-amzn

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/elasticapi/ElasticExtensions.kt

@@ -13,20 +13,21 @@
  * permissions and limitations under the License.
  */
 
-@file:Suppress("TooManyFunctions")
+@file:Suppress("TooManyFunctions", "MatchingDeclarationName")
 
 package com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi
 
-import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.model.ISMTemplate
-import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.model.Policy
 import com.amazon.opendistroforelasticsearch.commons.InjectSecurity
 import com.amazon.opendistroforelasticsearch.commons.authuser.User
+import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.model.ISMTemplate
+import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.model.Policy
 import com.amazon.opendistroforelasticsearch.indexmanagement.util.NO_ID
 import com.amazon.opendistroforelasticsearch.jobscheduler.spi.utils.LockService
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.ThreadContextElement
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.withContext
+import org.apache.logging.log4j.LogManager
 import org.apache.logging.log4j.Logger
 import org.elasticsearch.ElasticsearchException
 import org.elasticsearch.ExceptionsHelper
@@ -38,6 +39,8 @@ import org.elasticsearch.common.bytes.BytesReference
 import org.elasticsearch.common.settings.Settings
 import org.elasticsearch.common.unit.TimeValue
 import org.elasticsearch.common.util.concurrent.ThreadContext
+import org.elasticsearch.common.xcontent.LoggingDeprecationHandler
+import org.elasticsearch.common.xcontent.NamedXContentRegistry
 import org.elasticsearch.common.xcontent.ToXContent
 import org.elasticsearch.common.xcontent.XContentBuilder
 import org.elasticsearch.common.xcontent.XContentHelper
@@ -56,6 +59,12 @@ import kotlin.coroutines.resume
 import kotlin.coroutines.resumeWithException
 import kotlin.coroutines.suspendCoroutine
 
+fun contentParser(bytesReference: BytesReference): XContentParser {
+    return XContentHelper.createParser(
+        NamedXContentRegistry.EMPTY,
+        LoggingDeprecationHandler.INSTANCE, bytesReference, XContentType.JSON)
+}
+
 /** Convert an object to maps and lists representation */
 fun ToXContent.convertToMap(): Map<String, Any> {
     val bytesReference = XContentHelper.toXContent(this, XContentType.JSON, false)
@@ -195,11 +204,19 @@ fun <T> XContentParser.parseWithType(
     return parsed
 }
 
+val log = LogManager.getLogger("IndexManagementElasticExtention")
+const val INDEX_MANAGEMENT_PLUGIN_INTERNAL = "index_management_plugin_internal"
+/**
+ * @param internalReq: used as flag to indicate if the request is from
+ * outside user or plugin runner. if the value of this element is true
+ * then we will not update user object.
+ */
 class InjectorContextElement(
-    id: String,
+    private val id: String,
     settings: Settings,
-    threadContext: ThreadContext,
-    private val roles: List<String>?
+    private val threadContext: ThreadContext,
+    private val roles: List<String>?,
+    private val internalReq: Boolean = false
 ) : ThreadContextElement<Unit> {
 
     companion object Key : CoroutineContext.Key<InjectorContextElement>
@@ -210,10 +227,21 @@ class InjectorContextElement(
 
     override fun updateThreadContext(context: CoroutineContext) {
         rolesInjectorHelper.injectRoles(roles)
+        if (threadContext.getTransient<Boolean>(INDEX_MANAGEMENT_PLUGIN_INTERNAL) != internalReq) {
+            threadContext.putTransient(INDEX_MANAGEMENT_PLUGIN_INTERNAL, internalReq)
+            log.debug("Job [$id], rollup internal request: $internalReq;" +
+                " Thread: ${Thread.currentThread().name}")
+        } else {
+            log.error("Job [$id], rollup internal request [$internalReq] not cleaned up;" +
+                " Thread: ${Thread.currentThread().name}")
+        }
     }
 
     override fun restoreThreadContext(context: CoroutineContext, oldState: Unit) {
         rolesInjectorHelper.close()
+        log.debug("Job [$id], rollup internal request cleaned: " +
+            "${threadContext.getTransient<Boolean>(INDEX_MANAGEMENT_PLUGIN_INTERNAL)};" +
+            " Thread: ${Thread.currentThread().name}")
     }
 }
 

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/indexstatemanagement/ManagedIndexCoordinator.kt

@@ -18,14 +18,13 @@ package com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanageme
 import com.amazon.opendistroforelasticsearch.indexmanagement.IndexManagementIndices
 import com.amazon.opendistroforelasticsearch.indexmanagement.IndexManagementPlugin
 import com.amazon.opendistroforelasticsearch.indexmanagement.IndexManagementPlugin.Companion.INDEX_MANAGEMENT_INDEX
+import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.contentParser
 import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.parseWithType
 import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.elasticapi.getManagedIndexMetaData
 import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.retry
 import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.elasticapi.filterNotNullValues
-import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.elasticapi.getManagedIndexMetaData
 import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.elasticapi.getPolicyToTemplateMap
 import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.suspendUntil
-import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.elasticapi.contentParser
 import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.model.ISMTemplate
 import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.model.ManagedIndexConfig
 import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.model.ManagedIndexMetaData

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/indexstatemanagement/ManagedIndexRunner.kt

@@ -209,17 +209,12 @@ object ManagedIndexRunner : ScheduledJobRunner,
         /*
          * We need to handle 3 cases:
          * 1. ISM jobs that are created by older versions and never updated wont have User details in the
-         * job object. `managedIndexConfig.user` will be null. Insert `all_access, AmazonES_all_access` role.
+         * job object. `managedIndexConfig.user` will be null. Insert `all_access` role.
          * 2. ISM jobs that are created when security plugin is disabled will have empty User object.
          * (`managedIndexConfig.user.name`, `managedIndexConfig.user.roles` are empty )
          * 3. ISM jobs that are created when security plugin is enabled will have an User object.
          */
-        val roles = if (managedIndexConfig.user == null) {
-            // fixme: discuss and remove hardcoded to settings?
-            settings.getAsList("", listOf("all_access", "AmazonES_all_access"))
-        } else {
-            managedIndexConfig.user.roles
-        }
+        val roles = managedIndexConfig.getRoles()
         logger.debug("Running ISM job: ${managedIndexConfig.name} with roles: $roles Thread: ${Thread.currentThread().name}")
 
         // Get current IndexMetaData and ManagedIndexMetaData

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/indexstatemanagement/elasticapi/ElasticExtensions.kt

@@ -25,12 +25,9 @@ import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagemen
 import org.elasticsearch.cluster.ClusterState
 import org.elasticsearch.action.search.SearchResponse
 import org.elasticsearch.cluster.metadata.IndexMetadata
-import org.elasticsearch.common.bytes.BytesReference
 import org.elasticsearch.common.xcontent.LoggingDeprecationHandler
 import org.elasticsearch.common.xcontent.NamedXContentRegistry
 import org.elasticsearch.common.xcontent.XContentFactory
-import org.elasticsearch.common.xcontent.XContentHelper
-import org.elasticsearch.common.xcontent.XContentParser
 import org.elasticsearch.common.xcontent.XContentType
 
 /**
@@ -87,8 +84,3 @@ fun getPolicyToTemplateMap(response: SearchResponse, xContentRegistry: NamedXCon
 @Suppress("UNCHECKED_CAST")
 fun <K, V> Map<K, V?>.filterNotNullValues(): Map<K, V> =
     filterValues { it != null } as Map<K, V>
-
-fun contentParser(bytesReference: BytesReference): XContentParser {
-    return XContentHelper.createParser(NamedXContentRegistry.EMPTY,
-        LoggingDeprecationHandler.INSTANCE, bytesReference, XContentType.JSON)
-}

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/indexstatemanagement/model/ManagedIndexConfig.kt

@@ -20,6 +20,7 @@ import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.instant
 import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.optionalTimeField
 import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.optionalUserField
 import com.amazon.opendistroforelasticsearch.indexmanagement.indexstatemanagement.util.XCONTENT_WITHOUT_TYPE
+import com.amazon.opendistroforelasticsearch.indexmanagement.util.ALL_ACCESS_ROLE
 import com.amazon.opendistroforelasticsearch.jobscheduler.spi.ScheduledJobParameter
 import com.amazon.opendistroforelasticsearch.jobscheduler.spi.schedule.Schedule
 import com.amazon.opendistroforelasticsearch.jobscheduler.spi.schedule.ScheduleParser
@@ -93,6 +94,12 @@ data class ManagedIndexConfig(
         return builder
     }
 
+    fun getRoles(): List<String> {
+        return if (user == null) {
+            ALL_ACCESS_ROLE
+        } else user.roles
+    }
+
     companion object {
         const val MANAGED_INDEX_TYPE = "managed_index"
         const val NO_ID = ""

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/indexstatemanagement/util/RestHandlerUtils.kt

@@ -31,6 +31,12 @@ import java.time.Instant
 
 const val WITH_TYPE = "with_type"
 val XCONTENT_WITHOUT_TYPE = ToXContent.MapParams(mapOf(WITH_TYPE to "false"))
+const val HAS_USER = "has_user"
+val XCONTENT_HAS_USER = ToXContent.MapParams(mapOf(HAS_USER to "true"))
+val XCONTENT_WITHOUT_TYPE_HAS_USER = ToXContent.MapParams(
+    mapOf(WITH_TYPE to "false",
+        HAS_USER to "true")
+)
 
 const val FAILURES = "failures"
 const val FAILED_INDICES = "failed_indices"

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/rollup/RollupRunner.kt

@@ -15,8 +15,10 @@
 
 package com.amazon.opendistroforelasticsearch.indexmanagement.rollup
 
+import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.InjectorContextElement
 import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.retry
 import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.suspendUntil
+import com.amazon.opendistroforelasticsearch.indexmanagement.elasticapi.withCloseableContext
 import com.amazon.opendistroforelasticsearch.indexmanagement.rollup.action.get.GetRollupAction
 import com.amazon.opendistroforelasticsearch.indexmanagement.rollup.action.get.GetRollupRequest
 import com.amazon.opendistroforelasticsearch.indexmanagement.rollup.action.get.GetRollupResponse
@@ -277,19 +279,32 @@ object RollupRunner : ScheduledJobRunner,
             while (rollupSearchService.shouldProcessRollup(updatableJob, metadata)) {
                 do {
                     try {
-                        val rollupResult = when (val rollupSearchResult = rollupSearchService.executeCompositeSearch(updatableJob, metadata)) {
-                            is RollupSearchResult.Success -> {
-                                val compositeRes: InternalComposite = rollupSearchResult.searchResponse.aggregations.get(updatableJob.id)
-                                metadata = metadata.incrementStats(rollupSearchResult.searchResponse, compositeRes)
-                                when (val rollupIndexResult = rollupIndexer.indexRollups(updatableJob, compositeRes)) {
-                                    is RollupIndexResult.Success -> RollupResult.Success(compositeRes, rollupIndexResult.stats)
-                                    is RollupIndexResult.Failure -> RollupResult.Failure(rollupIndexResult.message, rollupIndexResult.cause)
+                        val roles = job.getRoles()
+                        val rollupResult = withCloseableContext(InjectorContextElement(job.id, settings, threadPool.threadContext, roles)) {
+                            when (val rollupSearchResult =
+                                rollupSearchService.executeCompositeSearch(updatableJob, metadata)) {
+                                is RollupSearchResult.Success -> {
+                                    val compositeRes: InternalComposite =
+                                        rollupSearchResult.searchResponse.aggregations.get(updatableJob.id)
+                                    metadata = metadata.incrementStats(rollupSearchResult.searchResponse, compositeRes)
+                                    return@withCloseableContext when (val rollupIndexResult =
+                                        rollupIndexer.indexRollups(updatableJob, compositeRes)) {
+                                        is RollupIndexResult.Success -> RollupResult.Success(
+                                            compositeRes,
+                                            rollupIndexResult.stats
+                                        )
+                                        is RollupIndexResult.Failure -> RollupResult.Failure(
+                                            rollupIndexResult.message,
+                                            rollupIndexResult.cause
+                                        )
+                                    }
+                                }
+                                is RollupSearchResult.Failure -> {
+                                    return@withCloseableContext RollupResult.Failure(rollupSearchResult.message, rollupSearchResult.cause)
                                 }
-                            }
-                            is RollupSearchResult.Failure -> {
-                                RollupResult.Failure(rollupSearchResult.message, rollupSearchResult.cause)
                             }
                         }
+
                         when (rollupResult) {
                             is RollupResult.Success -> {
                                 metadata = rollupMetadataService.updateMetadata(updatableJob,
@@ -362,7 +377,12 @@ object RollupRunner : ScheduledJobRunner,
     private suspend fun updateRollupJob(job: Rollup, metadata: RollupMetadata): RollupJobResult {
         try {
             val req = IndexRollupRequest(rollup = job, refreshPolicy = WriteRequest.RefreshPolicy.IMMEDIATE)
-            val res: IndexRollupResponse = client.suspendUntil { execute(IndexRollupAction.INSTANCE, req, it) }
+            val roles = job.getRoles()
+            val res = withCloseableContext(InjectorContextElement(job.id, settings, threadPool.threadContext, roles, true)) {
+                return@withCloseableContext client.suspendUntil<Client, IndexRollupResponse> {
+                    execute(IndexRollupAction.INSTANCE, req, it)
+                }
+            }
             // TODO: Verify the seqNo/primterm got updated
             return RollupJobResult.Success(res.rollup)
         } catch (e: Exception) {

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/rollup/action/delete/TransportDeleteRollupAction.kt

@@ -16,7 +16,9 @@
 package com.amazon.opendistroforelasticsearch.indexmanagement.rollup.action.delete
 
 import com.amazon.opendistroforelasticsearch.indexmanagement.IndexManagementPlugin.Companion.INDEX_MANAGEMENT_INDEX
+import com.amazon.opendistroforelasticsearch.indexmanagement.util.use
 import org.elasticsearch.action.ActionListener
+import org.elasticsearch.action.delete.DeleteRequest
 import org.elasticsearch.action.delete.DeleteResponse
 import org.elasticsearch.action.support.ActionFilters
 import org.elasticsearch.action.support.HandledTransportAction
@@ -34,15 +36,11 @@ class TransportDeleteRollupAction @Inject constructor(
 ) {
 
     override fun doExecute(task: Task, request: DeleteRollupRequest, actionListener: ActionListener<DeleteResponse>) {
-        request.index(INDEX_MANAGEMENT_INDEX)
-        client.delete(request, object : ActionListener<DeleteResponse> {
-            override fun onResponse(response: DeleteResponse) {
-                actionListener.onResponse(response)
-            }
+        val deleteRequest = DeleteRequest(INDEX_MANAGEMENT_INDEX, request.id())
+            .setRefreshPolicy(request.refreshPolicy)
 
-            override fun onFailure(t: Exception) {
-                actionListener.onFailure(t)
-            }
-        })
+        client.threadPool().threadContext.stashContext().use {
+            client.delete(deleteRequest, actionListener)
+        }
     }
 }

src/main/kotlin/com/amazon/opendistroforelasticsearch/indexmanagement/rollup/action/explain/ExplainRollupResponse.kt

@@ -15,6 +15,7 @@
 
 package com.amazon.opendistroforelasticsearch.indexmanagement.rollup.action.explain
 
+import com.amazon.opendistroforelasticsearch.commons.authuser.User.ROLES_FIELD
 import com.amazon.opendistroforelasticsearch.indexmanagement.rollup.model.ExplainRollup
 import org.elasticsearch.action.ActionResponse
 import org.elasticsearch.common.io.stream.StreamInput
@@ -26,9 +27,14 @@ import java.io.IOException
 
 class ExplainRollupResponse : ActionResponse, ToXContentObject {
     val idsToExplain: Map<String, ExplainRollup?>
+    val rolesMap: Map<String, List<String>?>
 
-    constructor(idsToExplain: Map<String, ExplainRollup?>) : super() {
+    constructor(
+        idsToExplain: Map<String, ExplainRollup?>,
+        rolesMap: Map<String, List<String>?>
+    ) : super() {
         this.idsToExplain = idsToExplain
+        this.rolesMap = rolesMap
     }
 
     internal fun getIdsToExplain(): Map<String, ExplainRollup?> {
@@ -44,7 +50,8 @@ class ExplainRollupResponse : ActionResponse, ToXContentObject {
                 idsToExplain[it.readString()] = if (sin.readBoolean()) ExplainRollup(it) else null
             }
             idsToExplain.toMap()
-        }
+        },
+        rolesMap = sin.readMap() as Map<String, List<String>?>
     )
 
     @Throws(IOException::class)
@@ -55,13 +62,22 @@ class ExplainRollupResponse : ActionResponse, ToXContentObject {
             out.writeBoolean(metadata != null)
             metadata?.writeTo(out)
         }
+        out.writeMap(rolesMap)
     }
 
     @Throws(IOException::class)
     override fun toXContent(builder: XContentBuilder, params: ToXContent.Params): XContentBuilder {
         builder.startObject()
         idsToExplain.entries.forEach { (id, explain) ->
-            builder.field(id, explain)
+            if (explain != null) {
+                builder.startObject(id)
+                explain.toXContent(builder, ToXContent.EMPTY_PARAMS)
+                val roles = rolesMap[id]
+                if (roles != null && roles.isNotEmpty()) {
+                    builder.field(ROLES_FIELD, roles)
+                }
+                builder.endObject()
+            } else builder.nullField(id)
         }
         return builder.endObject()
     }