Onboards flow-framework plugin to resource-sharing and access control framework #1251
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… framework Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
|
CI will resolve once: opensearch-project/security#5677 is merged. |
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
requested review from
amitgalitz,
dbwiddis,
jackiehanyang,
joshpalis,
junweid62,
ohltyler and
owaiskazi19
as code owners
…e-sharing tests Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
force-pushed
the
resource-permissions
branch
from
8f62909 to
6937e06
Compare
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
force-pushed
the
resource-permissions
branch
from
dace39b to
69009e6
Compare
|
CI blocked by #1252 |
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
owaiskazi19
reviewed
Oct 21, 2025
src/main/java/org/opensearch/flowframework/util/ParseUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/transport/PluginClient.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/transport/PluginClient.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/transport/PluginClient.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/ResourceSharingClientAccessor.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
owaiskazi19
reviewed
Oct 27, 2025
| strategy: | ||
| matrix: | ||
| java: [21] | ||
| resource_sharing_flag: [ "", "-Dresource_sharing.enabled=true" ] |
There was a problem hiding this comment.
Can be replaced with
Suggested change
| resource_sharing_flag: [ "", "-Dresource_sharing.enabled=true" ] | |
| resource_sharing_flag: [ false, true ] |
and later can be used -Dresource_sharing.enabled=${{ matrix.resource_sharing_flag }}.
| */ | ||
| public static void verifyResourceAccessAndProcessRequest(String resourceType, Runnable onSuccess, Runnable fallBackIfDisabled) { | ||
| // Resource access will be auto-evaluated | ||
| if (shouldUseResourceAuthz(resourceType)) { |
There was a problem hiding this comment.
Should be under a try/catch block here
| if (subject == null) { | ||
| throw new IllegalStateException("PluginClient is not initialized."); | ||
| } | ||
| try (ThreadContext.StoredContext ctx = threadPool().getThreadContext().newStoredContext(false)) { |
There was a problem hiding this comment.
Suggested change
| try (ThreadContext.StoredContext ctx = threadPool().getThreadContext().newStoredContext(false)) { | |
| try (ThreadContext.StoredContext ctx = threadPool().getThreadContext().stashContext) { |
newStoredContext(false) might unintentionally preserve or lose headers
| try (ThreadContext.StoredContext ctx = threadPool().getThreadContext().newStoredContext(false)) { | ||
| subject.runAs(() -> { | ||
| logger.info("Running transport action with subject: {}", subject.getPrincipal().getName()); | ||
| super.doExecute(action, request, ActionListener.runBefore(listener, ctx::restore)); |
There was a problem hiding this comment.
Here, doExecute would still be running since it runs in async manner. Since the context is created in the try block, it would be restored once the try block finishes. So the doExecute request would still be running and can cause thread context leak or premature restoration.
Better way would be just
ThreadContext.StoredContext ctx = threadPool().getThreadContext().stashContext();
subject.runAs(() -> {
super.doExecute(action, request, ActionListener.runBefore(listener, ctx::restore));
});this would ensure context is restored back only when listener returns either a response or a failure
| * Set the resource sharing client | ||
| */ | ||
| public void setResourceSharingClient(ResourceSharingClient client) { | ||
| resourceSharingClientAccessor.client.set(client); |
There was a problem hiding this comment.
no need to reference static field here
Suggested change
| resourceSharingClientAccessor.client.set(client); | |
| this.client.set(client); |
| * Get the resource sharing client | ||
| */ | ||
| public ResourceSharingClient getResourceSharingClient() { | ||
| return resourceSharingClientAccessor.client.get(); |
There was a problem hiding this comment.
Suggested change
| return resourceSharingClientAccessor.client.get(); | |
| return this.client.get(); |
Also, can we add a null check here and return IllegalStateException
| public class ResourceSharingClientAccessor { | ||
| private final AtomicReference<ResourceSharingClient> client = new AtomicReference<>(); | ||
|
|
||
| private static ResourceSharingClientAccessor resourceSharingClientAccessor; |
There was a problem hiding this comment.
For thread safety
Suggested change
| private static ResourceSharingClientAccessor resourceSharingClientAccessor; | |
| private static final ResourceSharingClientAccessor INSTANCE = new ResourceSharingClientAccessor(); |
Comment on lines
+26
to
+30
| if (resourceSharingClientAccessor == null) { | ||
| resourceSharingClientAccessor = new ResourceSharingClientAccessor(); | ||
| } | ||
|
|
||
| return resourceSharingClientAccessor; |
There was a problem hiding this comment.
Now we can just return
Suggested change
| if (resourceSharingClientAccessor == null) { | |
| resourceSharingClientAccessor = new ResourceSharingClientAccessor(); | |
| } | |
| return resourceSharingClientAccessor; | |
| return INSTANCE; |
owaiskazi19
reviewed
Oct 27, 2025
| testImplementation("org.junit.jupiter:junit-jupiter:${junitJupiterVersion}") | ||
| testImplementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:${versions.jackson_databind}") | ||
|
|
||
| testImplementation "org.awaitility:awaitility:${awaitlityVersion}" |
There was a problem hiding this comment.
Suggested change
| testImplementation "org.awaitility:awaitility:${awaitlityVersion}" | |
| testImplementation "org.awaitility:awaitility:${awaitilityVersion}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Implements resource-access-control for workflow and workflow_state.
Related Issues
Check List
--signoff.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.