Is your feature request related to a problem?
Currently DLS/FLS variables need to be present and there is no way to define a fallback.
E.g. if a DLS query contains `${attr.jwt.foo}` then the claim `foo` must be present in the JWT, otherwise the request fails.
What solution would you like?
It should be possible to define fallback values (which themselves can be variables again), e.g. `${attr.jwt.foo:-baz}` (replacing it with "baz" if the `foo` claim is not present) or `${attr.jwt.foo:-${attr.jwt.bar}}` (replacing it with the value of the `bar` claim if the `foo` claim is not present; if both are not present it'll still fail; otherwise it'd need `${attr.jwt.foo:-${attr.jwt.bar:-}}` to default to an empty string).
What alternatives have you considered?
Assigning different roles with different DLS/FLS queries.
Do you have any additional context?
In 2.x undefined attributes were silently ignored.
See also #1310 & #5975.
The current implementation is in `UserAttributes#replaceProperties` (security/src/main/java/org/opensearch/security/privileges/UserAttributes.java, lines 52 to 66 in dc82fb7):
```java
import java.util.Map;

// Excerpt from UserAttributes.java: plain string replacement, no fallback syntax.
// A placeholder whose attribute is missing is simply left in the string.
public static String replaceProperties(String orig, PrivilegesEvaluationContext context) {
    User user = context.getUser();

    orig = orig.replace("${user.name}", user.getName()).replace("${user_name}", user.getName());
    orig = replaceRoles(orig, user);
    orig = replaceSecurityRoles(orig, context);

    for (Map.Entry<String, String> entry : user.getCustomAttributesMap().entrySet()) {
        if (entry.getKey() == null || entry.getValue() == null) {
            continue;
        }
        // every attribute is reachable both as ${a.b.c} and as ${a_b_c}
        orig = orig.replace("${" + entry.getKey() + "}", entry.getValue());
        orig = orig.replace("${" + entry.getKey().replace('.', '_') + "}", entry.getValue());
    }

    return orig;
}
```
Apache Commons Text provides `StringSubstitutor`, which does exactly what we want.
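The following is an added example showing how the proposed `${var:-fallback}` semantics (literal fallback, variable fallback, empty-string fallback, and a hard failure when nothing resolves) can be obtained from `StringSubstitutor`. It is not code from the security plugin or from Commons Text itself: the class name `DlsVariableFallbackExample`, the simplified user model (a user name plus a custom-attributes map, no role substitution) and the sample attribute values are assumptions made for illustration, and it assumes `org.apache.commons:commons-text` on the classpath at a version that has `setEnableUndefinedVariableException` (1.9 or later, to my knowledge).

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;

// Hypothetical stand-in for UserAttributes#replaceProperties built on StringSubstitutor.
public final class DlsVariableFallbackExample {

    // Resolves ${user.name}/${user_name} and the custom attributes, keeping the
    // dot-vs-underscore aliasing of the current implementation. Returning null for an
    // unknown key is what lets StringSubstitutor apply the ":-" fallback (or fail).
    static StringLookup userLookup(String userName, Map<String, String> attrs) {
        return key -> {
            if ("user.name".equals(key) || "user_name".equals(key)) {
                return userName;
            }
            for (Map.Entry<String, String> e : attrs.entrySet()) {
                if (e.getKey() == null || e.getValue() == null) {
                    continue;
                }
                if (key.equals(e.getKey()) || key.equals(e.getKey().replace('.', '_'))) {
                    return e.getValue();
                }
            }
            return null;
        };
    }

    // Throws IllegalArgumentException when a variable has no value and no fallback,
    // so a DLS query with a missing claim is rejected instead of being rewritten.
    public static String replaceProperties(String orig, String userName, Map<String, String> attrs) {
        StringSubstitutor sub = new StringSubstitutor(userLookup(userName, attrs));
        sub.setEnableUndefinedVariableException(true); // fail closed on ${missing}
        sub.setEnableSubstitutionInVariables(true);    // allow ${a:-${b:-}} nesting
        sub.setDisableSubstitutionInValues(true);      // never re-expand a resolved claim value
        return sub.replace(orig);
    }

    public static void main(String[] args) {
        // Constructed sample: the JWT carried a "bar" claim but no "foo" or "qux" claim.
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("attr.jwt.bar", "finance");

        String[] queries = {
            "{\"term\":{\"dept\":\"${attr.jwt.bar}\"}}",                    // resolves directly
            "{\"term\":{\"dept\":\"${attr_jwt_bar}\"}}",                    // underscore alias
            "{\"term\":{\"dept\":\"${attr.jwt.foo:-baz}\"}}",               // literal fallback
            "{\"term\":{\"dept\":\"${attr.jwt.foo:-${attr.jwt.bar}}\"}}",   // variable fallback
            "{\"term\":{\"dept\":\"${attr.jwt.foo:-${attr.jwt.qux:-}}\"}}", // empty-string fallback
            "{\"term\":{\"dept\":\"${attr.jwt.foo:-${attr.jwt.qux}}\"}}",   // both missing: rejected
            "{\"term\":{\"dept\":\"${attr.jwt.foo}\"}}",                    // no fallback: rejected
        };
        for (String q : queries) {
            try {
                System.out.println(q + " -> " + replaceProperties(q, "alice", attrs));
            } catch (IllegalArgumentException e) {
                System.out.println(q + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Two of the settings matter for security rather than convenience. `setEnableUndefinedVariableException(true)` keeps the 3.x fail-closed behaviour for any placeholder the role author did not give an explicit fallback, so the 2.x "silently ignore" behaviour does not return by accident. `setDisableSubstitutionInValues(true)` stops a resolved value from being parsed for further placeholders; without it a JWT claim whose value is the string `${user.name}` (or any other attribute name) would be expanded a second time, letting token content steer which attribute ends up in the query. Note also that `StringSubstitutor` treats `$${...}` as an escaped literal, which is worth documenting for DLS queries that need a literal `${` in the query body.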