Add support for CIDR ranges in ignore_hosts setting. #5099
Conversation
Signed-off-by: shikharj05 <[email protected]>
Signed-off-by: shikharj05 <[email protected]>
Codecov Report
Attention: Patch coverage is

Additional details and impacted files:

```
@@            Coverage Diff             @@
##               main    #5099      +/-   ##
==========================================
- Coverage   71.55%   71.54%   -0.02%
==========================================
  Files         336      337       +1
  Lines       22649    22690      +41
  Branches     3603     3609       +6
==========================================
+ Hits        16206    16233      +27
- Misses       4641     4655      +14
  Partials     1802     1802
```
Thank you for this PR @shikharj05. We will also want to update the documentation accordingly.
^ Looks like these cases are already being handled as well.
Ack, will create a separate PR for docs.
Signed-off-by: shikharj05 <[email protected]>
…treams Signed-off-by: shikharj05 <[email protected]>
```java
if (pattern.indexOf('/') != -1) {
    try {
        SubnetInfo subnetInfo = cidrCache.computeIfAbsent(pattern, authFailureListener::getSubnetForCidr);
        return subnetInfo.isInRange(hostAddress);
```
If I see it correctly, `SubnetUtils` and `SubnetInfo` only support IPv4. If `hostAddress` is in IPv6 format, it will throw an `IllegalArgumentException`:

I guess, we also need to support IPv6?
Sure, will add support for IPv6.
```java
return authFailureListener.getIgnoreHosts().stream().anyMatch(pattern -> {
    // Handle CIDR patterns
    if (pattern.indexOf('/') != -1) {
```
I do not think that using `/` is sufficient for identifying CIDRs. The `ignore_hosts` property supports the whole wildcard matcher feature set, which also supports specifying regexes using the `/regex/` syntax. This would also hit on these regexes.
Good catch. One of the options is to implement a regex check for IPv4/IPv6 addresses to identify CIDRs specifically; will check other options and update the PR.
You can also keep it simple and get the last index of `/`, as long as `/` is not the final char in the string.
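To make the two review points above concrete (telling a CIDR apart from a `/regex/` pattern by the position of the last `/`, and handling IPv6 ranges as well as IPv4), here is an added Python model of the matching logic; it is not the plugin's Java code. The `IGNORE_HOSTS` list, the whole-string regex semantics and the `fnmatch` stand-in for the wildcard matcher are assumptions.

```python
import fnmatch
import ipaddress
import re

# Constructed ignore_hosts list mixing the pattern kinds the review discusses:
# a plain IP, an IPv4 CIDR, an IPv6 CIDR, a /regex/ pattern and a hostname wildcard.
IGNORE_HOSTS = ["127.0.0.1", "10.0.0.0/8", "2001:db8::/32", "/^10\\.1\\..*/", "*.example.com"]


def is_cidr(pattern: str) -> bool:
    """True only for IPv4/IPv6 CIDR notation, never for a /regex/ pattern.

    A wildcard-matcher regex is delimited as /.../, so its last '/' is the final
    character; in a CIDR the last '/' is followed by the prefix length. This is
    the lastIndexOf check suggested in the review, plus a real parse so that
    other strings containing '/' are not mistaken for ranges.
    """
    idx = pattern.rfind("/")
    if idx <= 0 or idx == len(pattern) - 1:
        return False
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False


def matches_ignore_host(host: str, patterns) -> bool:
    """Return True if host (IP literal or hostname) matches any ignore_hosts entry."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not an IP literal
    for pattern in patterns:
        if is_cidr(pattern):
            # An IPv4 address is never inside an IPv6 network and vice versa;
            # the containment check returns False for a version mismatch instead of raising.
            if addr is not None and addr in ipaddress.ip_network(pattern, strict=False):
                return True
        elif len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
            # /regex/ syntax; assumed here to match against the whole host string.
            if re.fullmatch(pattern[1:-1], host):
                return True
        elif fnmatch.fnmatchcase(host, pattern):
            # Plain hosts/IPs and '*' wildcards (simplified stand-in for the wildcard matcher).
            return True
    return False
```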
Signed-off-by: shikharj05 <[email protected]>
Description
This change adds support for specifying CIDR ranges in the ignore_hosts setting.
While ignore_hosts currently supports specifying IP addresses and hostnames, it would be good to support adding CIDR ranges as well. For example, see the comment here: [Feature Request] Request to Document Behaviour Change in Unauthenticated Request Handling in OpenSearch 2.11.0 or later #4927 (comment)
Adding support for CIDR ranges in ignore_hosts.
Issues Resolved
#4927
Is this a backport? If so, please add backport PR # and/or commits #, and remove the backport-failed label from the original PR.
Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here.
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.