Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add denylist ip config for datasource endpoint #573

Merged
merged 1 commit into from
Oct 27, 2023
Merged

Add denylist ip config for datasource endpoint #573

merged 1 commit into from
Oct 27, 2023

Conversation

heemin32
Copy link
Collaborator

@heemin32 heemin32 commented Oct 27, 2023
edited
Loading

Description

Add a denylist ip config for datasource endpoint so that admin can block certain ip addresses from being used in datasource endpoint
This PR mimicked opensearch-project/sql#2042

When IP address is in the deny list, following message will be returned.

{
	"error": {
		"root_cause": [
			{
				"type": "illegal_argument_exception",
				"reason": "Given endpoint is blocked by deny list in cluster setting plugins.geospatial.ip2geo.datasource.endpoint.denylist"
			}
		],
		"type": "illegal_argument_exception",
		"reason": "Given endpoint is blocked by deny list in cluster setting plugins.geospatial.ip2geo.datasource.endpoint.denylist"
	},
	"status": 400
}

Issues Resolved

N/A

Check List

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@heemin32 heemin32 added backport 2.x Backport PR to 2.x branch backport 2.11 Backport to 2.11 branch labels Oct 27, 2023
@heemin32 heemin32 force-pushed the denylist branch 3 times, most recently from 3ec949f to a2b5c47 Compare October 27, 2023 05:00
@codecov
Copy link

codecov bot commented Oct 27, 2023
edited
Loading

Codecov Report

Merging #573 (726837f) into main (059b10d) will increase coverage by 0.44%.
The diff coverage is 83.78%.

@@             Coverage Diff              @@
##               main     #573      +/-   ##
============================================
+ Coverage     88.59%   89.03%   +0.44%     
- Complexity      753      767      +14     
============================================
  Files            92       93       +1     
  Lines          2717     2746      +29     
  Branches        221      223       +2     
============================================
+ Hits           2407     2445      +38     
+ Misses          230      221       -9     
  Partials         80       80
Files Coverage Δ
...patial/ip2geo/action/RestPutDatasourceHandler.java 94.11% <100.00%> (+0.78%) ⬆️
...ial/ip2geo/action/RestUpdateDatasourceHandler.java 92.30% <100.00%> (+3.41%) ⬆️
...earch/geospatial/ip2geo/common/Ip2GeoSettings.java 94.44% <100.00%> (+1.11%) ⬆️
...opensearch/geospatial/ip2geo/dao/GeoIpDataDao.java 87.50% <100.00%> (+0.09%) ⬆️
...l/ip2geo/jobscheduler/DatasourceUpdateService.java 91.42% <100.00%> (+0.08%) ⬆️
...opensearch/geospatial/plugin/GeospatialPlugin.java 90.90% <100.00%> (+0.21%) ⬆️
...h/geospatial/ip2geo/common/URLDenyListChecker.java 64.70% <64.70%> (ø)

... and 5 files with indirect coverage changes

@heemin32 heemin32 force-pushed the denylist branch 2 times, most recently from 85ecc6e to f5a7664 Compare October 27, 2023 05:45
@navneet1v
Copy link
Collaborator

navneet1v commented Oct 27, 2023
edited
Loading

@heemin32 what is the value of the denylist urls? Not able to find anything in this PR?

@heemin32
Copy link
Collaborator Author

@heemin32 what is the value of the denylist urls? Not able to find anything in this PR?

For example, in cloud provider, they can maintain denylist so that customer cannot make request to internal services with escalated privilege because cluster is running in service account but not customer account.

@heemin32 heemin32 mentioned this pull request Oct 27, 2023
Open
@heemin32 heemin32 force-pushed the denylist branch 2 times, most recently from d81aa65 to 4a108ec Compare October 27, 2023 16:42
@naveentatikonda
Copy link
Member

@heemin32 Build is failing with the latest changes. Pls fix it

@heemin32
Add denylist ip config for datasource endpoint
726837f 
Signed-off-by: Heemin Kim <heemin@amazon.com>
vamshin
vamshin approved these changes Oct 27, 2023
View reviewed changes
Copy link
Member

@vamshin vamshin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks

@vibrantvarun
Copy link
Member

Just reviewed the PR to understand the use-case.

@heemin32 heemin32 merged commit 35edec1 into opensearch-project:main Oct 27, 2023
13 of 15 checks passed
@heemin32 heemin32 deleted the denylist branch October 27, 2023 17:45
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 27, 2023
@heemin32 @github-actions
Add denylist ip config for datasource endpoint (#573)
b531938 
Signed-off-by: Heemin Kim <heemin@amazon.com>
(cherry picked from commit 35edec1)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Oct 27, 2023
Merged
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 27, 2023
@heemin32 @github-actions
Add denylist ip config for datasource endpoint (#573)
3b8ee71 
Signed-off-by: Heemin Kim <heemin@amazon.com>
(cherry picked from commit 35edec1)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Oct 27, 2023
Merged
heemin32 added a commit that referenced this pull request Oct 27, 2023
@opensearch-trigger-bot @heemin32
Add denylist ip config for datasource endpoint (#573) (#576)
07fd490 
Signed-off-by: Heemin Kim <heemin@amazon.com>
(cherry picked from commit 35edec1)

Co-authored-by: Heemin Kim <heemin@amazon.com>
heemin32 added a commit that referenced this pull request Oct 27, 2023
@opensearch-trigger-bot @heemin32
Add denylist ip config for datasource endpoint (#573) (#575)
9f1f4d6 
Signed-off-by: Heemin Kim <heemin@amazon.com>
(cherry picked from commit 35edec1)

Co-authored-by: Heemin Kim <heemin@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vibrantvarun vibrantvarun vibrantvarun approved these changes

@vamshin vamshin vamshin approved these changes

@naveentatikonda naveentatikonda naveentatikonda approved these changes

@VijayanB VijayanB Awaiting requested review from VijayanB VijayanB is a code owner

@jmazanec15 jmazanec15 Awaiting requested review from jmazanec15 jmazanec15 is a code owner

@junqiu-lei junqiu-lei Awaiting requested review from junqiu-lei junqiu-lei is a code owner

@martin-gaievski martin-gaievski Awaiting requested review from martin-gaievski martin-gaievski is a code owner

@navneet1v navneet1v Awaiting requested review from navneet1v navneet1v is a code owner

Assignees
No one assigned
Labels
backport 2.x Backport PR to 2.x branch backport 2.11 Backport to 2.11 branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@heemin32 @navneet1v @naveentatikonda @vibrantvarun @vamshin