From 5e5339d39b80297ca2e9411854fbca4440d5d51c Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Thu, 16 Jan 2025 10:40:28 -0500 Subject: [PATCH] Cleanup SystemIndexTests with RunAsSubjectClient (#5027) Signed-off-by: Craig Perkins --- .../systemindex/SystemIndexTests.java | 2 +- .../IndexDocumentIntoSystemIndexAction.java | 7 +- .../IndexDocumentIntoSystemIndexResponse.java | 48 ------------ .../sampleplugin/PluginContextSwitcher.java | 35 --------- ...dexDocumentIntoMixOfSystemIndexAction.java | 27 +++---- ...ulkIndexDocumentIntoSystemIndexAction.java | 31 ++++---- .../RestRunClusterHealthAction.java | 4 +- .../sampleplugin/RunAsSubjectClient.java | 62 +++++++++++++++ .../sampleplugin/RunClusterHealthAction.java | 7 +- .../RunClusterHealthResponse.java | 42 ----------- .../sampleplugin/SystemIndexPlugin1.java | 16 ++-- ...ortIndexDocumentIntoSystemIndexAction.java | 75 +++++++------------ .../TransportRunClusterHealthAction.java | 54 ++++--------- 13 files changed, 150 insertions(+), 260 deletions(-) delete mode 100644 src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/IndexDocumentIntoSystemIndexResponse.java delete mode 100644 src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/PluginContextSwitcher.java create mode 100644 src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunAsSubjectClient.java delete mode 100644 src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunClusterHealthResponse.java diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java b/src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java index 3435e6dbdc..13325b3029 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/SystemIndexTests.java @@ -100,7 +100,7 @@ public void testPluginShouldBeAbleToIndexDocumentIntoItsSystemIndex() { HttpResponse response = client.put("try-create-and-index/" + SYSTEM_INDEX_1); assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus())); - assertThat(response.getBody(), containsString(SystemIndexPlugin1.class.getCanonicalName())); + assertThat(response.getBody(), containsString("{\"acknowledged\":true}")); } } diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/IndexDocumentIntoSystemIndexAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/IndexDocumentIntoSystemIndexAction.java index a78c57e1d1..3be83b39b2 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/IndexDocumentIntoSystemIndexAction.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/IndexDocumentIntoSystemIndexAction.java @@ -10,13 +10,16 @@ package org.opensearch.security.systemindex.sampleplugin; +// CS-SUPPRESS-SINGLE: RegexpSingleline It is not possible to use phrase "cluster manager" instead of master here import org.opensearch.action.ActionType; +import org.opensearch.action.support.master.AcknowledgedResponse; +// CS-ENFORCE-SINGLE -public class IndexDocumentIntoSystemIndexAction extends ActionType { +public class IndexDocumentIntoSystemIndexAction extends ActionType { public static final IndexDocumentIntoSystemIndexAction INSTANCE = new IndexDocumentIntoSystemIndexAction(); public static final String NAME = "cluster:mock/systemindex/index"; private IndexDocumentIntoSystemIndexAction() { - super(NAME, IndexDocumentIntoSystemIndexResponse::new); + super(NAME, AcknowledgedResponse::new); } } diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/IndexDocumentIntoSystemIndexResponse.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/IndexDocumentIntoSystemIndexResponse.java deleted file mode 100644 index e154742fe2..0000000000 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/IndexDocumentIntoSystemIndexResponse.java +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Copyright OpenSearch Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - */ - -package org.opensearch.security.systemindex.sampleplugin; - -// CS-SUPPRESS-SINGLE: RegexpSingleline It is not possible to use phrase "cluster manager" instead of master here -import java.io.IOException; - -import org.opensearch.action.support.master.AcknowledgedResponse; -import org.opensearch.core.common.io.stream.StreamInput; -import org.opensearch.core.common.io.stream.StreamOutput; -import org.opensearch.core.xcontent.ToXContent; -import org.opensearch.core.xcontent.ToXContentObject; -import org.opensearch.core.xcontent.XContentBuilder; -// CS-ENFORCE-SINGLE - -public class IndexDocumentIntoSystemIndexResponse extends AcknowledgedResponse implements ToXContentObject { - - private String plugin; - - public IndexDocumentIntoSystemIndexResponse(boolean status, String plugin) { - super(status); - this.plugin = plugin; - } - - public IndexDocumentIntoSystemIndexResponse(StreamInput in) throws IOException { - super(in); - } - - @Override - public void writeTo(StreamOutput out) throws IOException { - super.writeTo(out); - out.writeString(plugin); - } - - @Override - public void addCustomFields(XContentBuilder builder, ToXContent.Params params) throws IOException { - super.addCustomFields(builder, params); - builder.field("plugin", plugin); - } -} diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/PluginContextSwitcher.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/PluginContextSwitcher.java deleted file mode 100644 index 4ef420efdb..0000000000 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/PluginContextSwitcher.java +++ /dev/null @@ -1,35 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ -package org.opensearch.security.systemindex.sampleplugin; - -import java.util.Objects; -import java.util.concurrent.Callable; - -import org.opensearch.identity.PluginSubject; - -public class PluginContextSwitcher { - private PluginSubject pluginSubject; - - public PluginContextSwitcher() {} - - public void initialize(PluginSubject pluginSubject) { - Objects.requireNonNull(pluginSubject); - this.pluginSubject = pluginSubject; - } - - public T runAs(Callable callable) { - try { - return pluginSubject.runAs(callable); - } catch (Exception e) { - throw new RuntimeException(e); - } - } -} diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestBulkIndexDocumentIntoMixOfSystemIndexAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestBulkIndexDocumentIntoMixOfSystemIndexAction.java index e9b569a263..7a9f930c2a 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestBulkIndexDocumentIntoMixOfSystemIndexAction.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestBulkIndexDocumentIntoMixOfSystemIndexAction.java @@ -34,11 +34,11 @@ public class RestBulkIndexDocumentIntoMixOfSystemIndexAction extends BaseRestHandler { private final Client client; - private final PluginContextSwitcher contextSwitcher; + private final RunAsSubjectClient pluginClient; - public RestBulkIndexDocumentIntoMixOfSystemIndexAction(Client client, PluginContextSwitcher contextSwitcher) { + public RestBulkIndexDocumentIntoMixOfSystemIndexAction(Client client, RunAsSubjectClient pluginClient) { this.client = client; - this.contextSwitcher = contextSwitcher; + this.pluginClient = pluginClient; } @Override @@ -57,19 +57,14 @@ public RestChannelConsumer prepareRequest(RestRequest request, NodeClient client @Override public void accept(RestChannel channel) throws Exception { - contextSwitcher.runAs(() -> { - BulkRequestBuilder builder = client.prepareBulk(); - builder.add(new IndexRequest(SYSTEM_INDEX_1).source("content", 1)); - builder.add(new IndexRequest(SYSTEM_INDEX_2).source("content", 1)); - builder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE); - BulkRequest bulkRequest = builder.request(); - client.bulk(bulkRequest, ActionListener.wrap(r -> { - channel.sendResponse( - new BytesRestResponse(RestStatus.OK, r.toXContent(channel.newBuilder(), ToXContent.EMPTY_PARAMS)) - ); - }, fr -> { channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, String.valueOf(fr))); })); - return null; - }); + BulkRequestBuilder builder = client.prepareBulk(); + builder.add(new IndexRequest(SYSTEM_INDEX_1).source("content", 1)); + builder.add(new IndexRequest(SYSTEM_INDEX_2).source("content", 1)); + builder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE); + BulkRequest bulkRequest = builder.request(); + pluginClient.bulk(bulkRequest, ActionListener.wrap(r -> { + channel.sendResponse(new BytesRestResponse(RestStatus.OK, r.toXContent(channel.newBuilder(), ToXContent.EMPTY_PARAMS))); + }, fr -> { channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, String.valueOf(fr))); })); } }; } diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestBulkIndexDocumentIntoSystemIndexAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestBulkIndexDocumentIntoSystemIndexAction.java index 8b37e54164..a6d729aca4 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestBulkIndexDocumentIntoSystemIndexAction.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestBulkIndexDocumentIntoSystemIndexAction.java @@ -34,11 +34,11 @@ public class RestBulkIndexDocumentIntoSystemIndexAction extends BaseRestHandler { private final Client client; - private final PluginContextSwitcher contextSwitcher; + private final RunAsSubjectClient pluginClient; - public RestBulkIndexDocumentIntoSystemIndexAction(Client client, PluginContextSwitcher contextSwitcher) { + public RestBulkIndexDocumentIntoSystemIndexAction(Client client, RunAsSubjectClient pluginClient) { this.client = client; - this.contextSwitcher = contextSwitcher; + this.pluginClient = pluginClient; } @Override @@ -58,21 +58,18 @@ public RestChannelConsumer prepareRequest(RestRequest request, NodeClient client @Override public void accept(RestChannel channel) throws Exception { - contextSwitcher.runAs(() -> { - client.admin().indices().create(new CreateIndexRequest(indexName), ActionListener.wrap(r -> { - BulkRequestBuilder builder = client.prepareBulk(); - builder.add(new IndexRequest(indexName).source("{\"content\":1}", XContentType.JSON)); - builder.add(new IndexRequest(indexName).source("{\"content\":2}", XContentType.JSON)); - builder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE); - BulkRequest bulkRequest = builder.request(); - client.bulk(bulkRequest, ActionListener.wrap(r2 -> { - channel.sendResponse( - new BytesRestResponse(RestStatus.OK, r.toXContent(channel.newBuilder(), ToXContent.EMPTY_PARAMS)) - ); - }, fr -> { channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, String.valueOf(fr))); })); + pluginClient.admin().indices().create(new CreateIndexRequest(indexName), ActionListener.wrap(r -> { + BulkRequestBuilder builder = client.prepareBulk(); + builder.add(new IndexRequest(indexName).source("{\"content\":1}", XContentType.JSON)); + builder.add(new IndexRequest(indexName).source("{\"content\":2}", XContentType.JSON)); + builder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE); + BulkRequest bulkRequest = builder.request(); + pluginClient.bulk(bulkRequest, ActionListener.wrap(r2 -> { + channel.sendResponse( + new BytesRestResponse(RestStatus.OK, r.toXContent(channel.newBuilder(), ToXContent.EMPTY_PARAMS)) + ); }, fr -> { channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, String.valueOf(fr))); })); - return null; - }); + }, fr -> { channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, String.valueOf(fr))); })); } }; } diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestRunClusterHealthAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestRunClusterHealthAction.java index f4674b4377..232f462072 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestRunClusterHealthAction.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RestRunClusterHealthAction.java @@ -24,11 +24,9 @@ public class RestRunClusterHealthAction extends BaseRestHandler { private final Client client; - private final PluginContextSwitcher contextSwitcher; - public RestRunClusterHealthAction(Client client, PluginContextSwitcher contextSwitcher) { + public RestRunClusterHealthAction(Client client) { this.client = client; - this.contextSwitcher = contextSwitcher; } @Override diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunAsSubjectClient.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunAsSubjectClient.java new file mode 100644 index 0000000000..39540841cb --- /dev/null +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunAsSubjectClient.java @@ -0,0 +1,62 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.security.systemindex.sampleplugin; + +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +import org.opensearch.action.ActionRequest; +import org.opensearch.action.ActionType; +import org.opensearch.client.Client; +import org.opensearch.client.FilterClient; +import org.opensearch.common.util.concurrent.ThreadContext; +import org.opensearch.core.action.ActionListener; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.identity.Subject; + +/** + * Implementation of client that will run transport actions in a stashed context and inject the name of the provided + * subject into the context. + */ +public class RunAsSubjectClient extends FilterClient { + + private static final Logger logger = LogManager.getLogger(RunAsSubjectClient.class); + + private Subject subject; + + public RunAsSubjectClient(Client delegate) { + super(delegate); + } + + public RunAsSubjectClient(Client delegate, Subject subject) { + super(delegate); + this.subject = subject; + } + + public void setSubject(Subject subject) { + this.subject = subject; + } + + @Override + protected void doExecute( + ActionType action, + Request request, + ActionListener listener + ) { + try (ThreadContext.StoredContext ctx = threadPool().getThreadContext().newStoredContext(false)) { + subject.runAs(() -> { + logger.info("Running transport action with subject: {}", subject.getPrincipal().getName()); + super.doExecute(action, request, ActionListener.runBefore(listener, ctx::restore)); + return null; + }); + } catch (Exception e) { + throw new RuntimeException(e); + } + } +} diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunClusterHealthAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunClusterHealthAction.java index dca6b8d2b7..e197362254 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunClusterHealthAction.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunClusterHealthAction.java @@ -10,13 +10,16 @@ package org.opensearch.security.systemindex.sampleplugin; +// CS-SUPPRESS-SINGLE: RegexpSingleline It is not possible to use phrase "cluster manager" instead of master here import org.opensearch.action.ActionType; +import org.opensearch.action.support.master.AcknowledgedResponse; +// CS-ENFORCE-SINGLE -public class RunClusterHealthAction extends ActionType { +public class RunClusterHealthAction extends ActionType { public static final RunClusterHealthAction INSTANCE = new RunClusterHealthAction(); public static final String NAME = "cluster:mock/monitor/health"; private RunClusterHealthAction() { - super(NAME, RunClusterHealthResponse::new); + super(NAME, AcknowledgedResponse::new); } } diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunClusterHealthResponse.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunClusterHealthResponse.java deleted file mode 100644 index a500755e22..0000000000 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/RunClusterHealthResponse.java +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright OpenSearch Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - */ - -package org.opensearch.security.systemindex.sampleplugin; - -// CS-SUPPRESS-SINGLE: RegexpSingleline It is not possible to use phrase "cluster manager" instead of master here -import java.io.IOException; - -import org.opensearch.action.support.master.AcknowledgedResponse; -import org.opensearch.core.common.io.stream.StreamInput; -import org.opensearch.core.common.io.stream.StreamOutput; -import org.opensearch.core.xcontent.ToXContentObject; -import org.opensearch.core.xcontent.XContentBuilder; -// CS-ENFORCE-SINGLE - -public class RunClusterHealthResponse extends AcknowledgedResponse implements ToXContentObject { - - public RunClusterHealthResponse(boolean status) { - super(status); - } - - public RunClusterHealthResponse(StreamInput in) throws IOException { - super(in); - } - - @Override - public void writeTo(StreamOutput out) throws IOException { - super.writeTo(out); - } - - @Override - public void addCustomFields(XContentBuilder builder, Params params) throws IOException { - super.addCustomFields(builder, params); - } -} diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java index 9805619965..9113a50a5f 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/SystemIndexPlugin1.java @@ -45,7 +45,7 @@ public class SystemIndexPlugin1 extends Plugin implements SystemIndexPlugin, IdentityAwarePlugin { public static final String SYSTEM_INDEX_1 = ".system-index1"; - private PluginContextSwitcher contextSwitcher; + private RunAsSubjectClient pluginClient; private Client client; @@ -64,8 +64,8 @@ public Collection createComponents( Supplier repositoriesServiceSupplier ) { this.client = client; - this.contextSwitcher = new PluginContextSwitcher(); - return List.of(contextSwitcher); + this.pluginClient = new RunAsSubjectClient(client); + return List.of(pluginClient); } @Override @@ -86,9 +86,9 @@ public List getRestHandlers( ) { return List.of( new RestIndexDocumentIntoSystemIndexAction(client), - new RestRunClusterHealthAction(client, contextSwitcher), - new RestBulkIndexDocumentIntoSystemIndexAction(client, contextSwitcher), - new RestBulkIndexDocumentIntoMixOfSystemIndexAction(client, contextSwitcher) + new RestRunClusterHealthAction(client), + new RestBulkIndexDocumentIntoSystemIndexAction(client, pluginClient), + new RestBulkIndexDocumentIntoMixOfSystemIndexAction(client, pluginClient) ); } @@ -102,8 +102,8 @@ public List getRestHandlers( @Override public void assignSubject(PluginSubject pluginSystemSubject) { - if (contextSwitcher != null) { - this.contextSwitcher.initialize(pluginSystemSubject); + if (pluginClient != null) { + this.pluginClient.setSubject(pluginSystemSubject); } } } diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/TransportIndexDocumentIntoSystemIndexAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/TransportIndexDocumentIntoSystemIndexAction.java index 6138cfbb54..26ae100c89 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/TransportIndexDocumentIntoSystemIndexAction.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/TransportIndexDocumentIntoSystemIndexAction.java @@ -10,85 +10,64 @@ package org.opensearch.security.systemindex.sampleplugin; +// CS-SUPPRESS-SINGLE: RegexpSingleline It is not possible to use phrase "cluster manager" instead of master here import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.index.IndexRequest; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; import org.opensearch.action.support.WriteRequest; +import org.opensearch.action.support.master.AcknowledgedResponse; import org.opensearch.client.Client; import org.opensearch.common.inject.Inject; import org.opensearch.common.xcontent.XContentType; import org.opensearch.core.action.ActionListener; -import org.opensearch.identity.IdentityService; -import org.opensearch.identity.Subject; -import org.opensearch.security.support.ConfigConstants; -import org.opensearch.security.user.User; import org.opensearch.tasks.Task; -import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.TransportService; +// CS-ENFORCE-SINGLE public class TransportIndexDocumentIntoSystemIndexAction extends HandledTransportAction< IndexDocumentIntoSystemIndexRequest, - IndexDocumentIntoSystemIndexResponse> { + AcknowledgedResponse> { private final Client client; - private final ThreadPool threadPool; - private final PluginContextSwitcher contextSwitcher; - private final IdentityService identityService; + private final RunAsSubjectClient pluginClient; @Inject public TransportIndexDocumentIntoSystemIndexAction( final TransportService transportService, final ActionFilters actionFilters, final Client client, - final ThreadPool threadPool, - final PluginContextSwitcher contextSwitcher, - final IdentityService identityService + final RunAsSubjectClient pluginClient ) { super(IndexDocumentIntoSystemIndexAction.NAME, transportService, actionFilters, IndexDocumentIntoSystemIndexRequest::new); this.client = client; - this.threadPool = threadPool; - this.contextSwitcher = contextSwitcher; - this.identityService = identityService; + this.pluginClient = pluginClient; } @Override - protected void doExecute( - Task task, - IndexDocumentIntoSystemIndexRequest request, - ActionListener actionListener - ) { + protected void doExecute(Task task, IndexDocumentIntoSystemIndexRequest request, ActionListener actionListener) { String indexName = request.getIndexName(); String runAs = request.getRunAs(); - Subject userSubject = identityService.getCurrentSubject(); try { - contextSwitcher.runAs(() -> { - client.admin().indices().create(new CreateIndexRequest(indexName), ActionListener.wrap(r -> { - if ("user".equalsIgnoreCase(runAs)) { - userSubject.runAs(() -> { - client.index( - new IndexRequest(indexName).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) - .source("{\"content\":1}", XContentType.JSON), - ActionListener.wrap(r2 -> { - User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); - actionListener.onResponse(new IndexDocumentIntoSystemIndexResponse(true, user.getName())); - }, actionListener::onFailure) - ); - return null; - }); - } else { - client.index( - new IndexRequest(indexName).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) - .source("{\"content\":1}", XContentType.JSON), - ActionListener.wrap(r2 -> { - User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); - actionListener.onResponse(new IndexDocumentIntoSystemIndexResponse(true, user.getName())); - }, actionListener::onFailure) - ); - } - }, actionListener::onFailure)); - return null; - }); + pluginClient.admin().indices().create(new CreateIndexRequest(indexName), ActionListener.wrap(r -> { + if ("user".equalsIgnoreCase(runAs)) { + client.index( + new IndexRequest(indexName).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON), + ActionListener.wrap(r2 -> { + actionListener.onResponse(new AcknowledgedResponse(true)); + }, actionListener::onFailure) + ); + } else { + pluginClient.index( + new IndexRequest(indexName).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE) + .source("{\"content\":1}", XContentType.JSON), + ActionListener.wrap(r2 -> { + actionListener.onResponse(new AcknowledgedResponse(true)); + }, actionListener::onFailure) + ); + } + }, actionListener::onFailure)); } catch (Exception ex) { throw new RuntimeException("Unexpected error: " + ex.getMessage()); } diff --git a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/TransportRunClusterHealthAction.java b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/TransportRunClusterHealthAction.java index 310262c947..12e17ae998 100644 --- a/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/TransportRunClusterHealthAction.java +++ b/src/integrationTest/java/org/opensearch/security/systemindex/sampleplugin/TransportRunClusterHealthAction.java @@ -10,71 +10,49 @@ package org.opensearch.security.systemindex.sampleplugin; +// CS-SUPPRESS-SINGLE: RegexpSingleline It is not possible to use phrase "cluster manager" instead of master here import org.opensearch.action.admin.cluster.health.ClusterHealthRequest; import org.opensearch.action.admin.cluster.health.ClusterHealthResponse; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; +import org.opensearch.action.support.master.AcknowledgedResponse; import org.opensearch.client.Client; import org.opensearch.common.inject.Inject; import org.opensearch.core.action.ActionListener; -import org.opensearch.identity.IdentityService; -import org.opensearch.identity.Subject; import org.opensearch.tasks.Task; -import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.TransportService; +// CS-ENFORCE-SINGLE -public class TransportRunClusterHealthAction extends HandledTransportAction { +public class TransportRunClusterHealthAction extends HandledTransportAction { private final Client client; - private final ThreadPool threadPool; - private final PluginContextSwitcher contextSwitcher; - private final IdentityService identityService; + private final RunAsSubjectClient pluginClient; @Inject public TransportRunClusterHealthAction( final TransportService transportService, final ActionFilters actionFilters, final Client client, - final ThreadPool threadPool, - final PluginContextSwitcher contextSwitcher, - final IdentityService identityService + final RunAsSubjectClient pluginClient ) { super(RunClusterHealthAction.NAME, transportService, actionFilters, RunClusterHealthRequest::new); this.client = client; - this.threadPool = threadPool; - this.contextSwitcher = contextSwitcher; - this.identityService = identityService; + this.pluginClient = pluginClient; } @Override - protected void doExecute(Task task, RunClusterHealthRequest request, ActionListener actionListener) { + protected void doExecute(Task task, RunClusterHealthRequest request, ActionListener actionListener) { String runAs = request.getRunAs(); - if ("user".equalsIgnoreCase(runAs)) { - Subject user = identityService.getCurrentSubject(); - try { - user.runAs(() -> { - ActionListener chr = ActionListener.wrap( - r -> { actionListener.onResponse(new RunClusterHealthResponse(true)); }, - actionListener::onFailure - ); - client.admin().cluster().health(new ClusterHealthRequest(), chr); - return null; - }); - } catch (Exception e) { - throw new RuntimeException(e); - } - } else if ("plugin".equalsIgnoreCase(runAs)) { - contextSwitcher.runAs(() -> { - ActionListener chr = ActionListener.wrap( - r -> { actionListener.onResponse(new RunClusterHealthResponse(true)); }, - actionListener::onFailure - ); - client.admin().cluster().health(new ClusterHealthRequest(), chr); - return null; - }); + if ("plugin".equalsIgnoreCase(runAs)) { + ActionListener chr = ActionListener.wrap( + r -> { actionListener.onResponse(new AcknowledgedResponse(true)); }, + actionListener::onFailure + ); + pluginClient.admin().cluster().health(new ClusterHealthRequest(), chr); } else { + // run in the authenticated user context ActionListener chr = ActionListener.wrap( - r -> { actionListener.onResponse(new RunClusterHealthResponse(true)); }, + r -> { actionListener.onResponse(new AcknowledgedResponse(true)); }, actionListener::onFailure ); client.admin().cluster().health(new ClusterHealthRequest(), chr);