opensearch-project
diff --git a/‎reports-scheduler/src/main/config/reports-scheduler.yml
Lines changed: 1 addition & 1 deletion b/‎reports-scheduler/src/main/config/reports-scheduler.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/action/ReportDefinitionActions.kt
Lines changed: 7 additions & 4 deletions b/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/action/ReportDefinitionActions.kt
Lines changed: 7 additions & 4 deletions
diff --git a/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/action/ReportInstanceActions.kt
Lines changed: 7 additions & 4 deletions b/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/action/ReportInstanceActions.kt
Lines changed: 7 additions & 4 deletions
diff --git a/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/index/ReportDefinitionsIndex.kt
Lines changed: 10 additions & 2 deletions b/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/index/ReportDefinitionsIndex.kt
Lines changed: 10 additions & 2 deletions
diff --git a/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/index/ReportInstancesIndex.kt
Lines changed: 10 additions & 2 deletions b/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/index/ReportInstancesIndex.kt
Lines changed: 10 additions & 2 deletions
diff --git a/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/model/ReportDefinitionDetails.kt
Lines changed: 10 additions & 1 deletion b/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/model/ReportDefinitionDetails.kt
Lines changed: 10 additions & 1 deletion
diff --git a/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/model/ReportInstance.kt
Lines changed: 10 additions & 1 deletion b/‎reports-scheduler/src/main/kotlin/com/amazon/opendistroforelasticsearch/reportsscheduler/model/ReportInstance.kt
Lines changed: 10 additions & 1 deletion
@@ -30,7 +30,7 @@ opendistro.reports:
     # adminAccess values:
     ## Standard -> Admin user access follows standard user
     ## AllReports -> Admin user with "all_access" role can see all reports of all users.
-    filterBy: "NoFilter"
+    filterBy: "NoFilter" # Applied when tenant != __user__
     # filterBy values:
     ## NoFilter -> everyone see each other's reports
     ## User -> reports are visible to only themselves
 
@@ -54,6 +54,7 @@ internal object ReportDefinitionActions {
         val reportDefinitionDetails = ReportDefinitionDetails("ignore",
             currentTime,
             currentTime,
+            UserAccessManager.getUserTenant(user),
             UserAccessManager.getAllAccessInfo(user),
             request.reportDefinition
         )
@@ -74,13 +75,14 @@ internal object ReportDefinitionActions {
         val currentReportDefinitionDetails = ReportDefinitionsIndex.getReportDefinition(request.reportDefinitionId)
         currentReportDefinitionDetails
             ?: throw ElasticsearchStatusException("Report Definition ${request.reportDefinitionId} not found", RestStatus.NOT_FOUND)
-        if (!UserAccessManager.doesUserHasAccess(user, currentReportDefinitionDetails.access)) {
+        if (!UserAccessManager.doesUserHasAccess(user, currentReportDefinitionDetails.tenant, currentReportDefinitionDetails.access)) {
             throw ElasticsearchStatusException("Permission denied for Report Definition ${request.reportDefinitionId}", RestStatus.FORBIDDEN)
         }
         val currentTime = Instant.now()
         val reportDefinitionDetails = ReportDefinitionDetails(request.reportDefinitionId,
             currentTime,
             currentReportDefinitionDetails.createdTime,
+            UserAccessManager.getUserTenant(user),
             currentReportDefinitionDetails.access,
             request.reportDefinition
         )
@@ -101,7 +103,7 @@ internal object ReportDefinitionActions {
         val reportDefinitionDetails = ReportDefinitionsIndex.getReportDefinition(request.reportDefinitionId)
         reportDefinitionDetails
             ?: throw ElasticsearchStatusException("Report Definition ${request.reportDefinitionId} not found", RestStatus.NOT_FOUND)
-        if (!UserAccessManager.doesUserHasAccess(user, reportDefinitionDetails.access)) {
+        if (!UserAccessManager.doesUserHasAccess(user, reportDefinitionDetails.tenant, reportDefinitionDetails.access)) {
             throw ElasticsearchStatusException("Permission denied for Report Definition ${request.reportDefinitionId}", RestStatus.FORBIDDEN)
         }
         return GetReportDefinitionResponse(reportDefinitionDetails, UserAccessManager.hasAllInfoAccess(user))
@@ -118,7 +120,7 @@ internal object ReportDefinitionActions {
         val reportDefinitionDetails = ReportDefinitionsIndex.getReportDefinition(request.reportDefinitionId)
         reportDefinitionDetails
             ?: throw ElasticsearchStatusException("Report Definition ${request.reportDefinitionId} not found", RestStatus.NOT_FOUND)
-        if (!UserAccessManager.doesUserHasAccess(user, reportDefinitionDetails.access)) {
+        if (!UserAccessManager.doesUserHasAccess(user, reportDefinitionDetails.tenant, reportDefinitionDetails.access)) {
             throw ElasticsearchStatusException("Permission denied for Report Definition ${request.reportDefinitionId}", RestStatus.FORBIDDEN)
         }
         if (!ReportDefinitionsIndex.deleteReportDefinition(request.reportDefinitionId)) {
@@ -135,7 +137,8 @@ internal object ReportDefinitionActions {
     fun getAll(request: GetAllReportDefinitionsRequest, user: User?): GetAllReportDefinitionsResponse {
         log.info("$LOG_PREFIX:ReportDefinition-getAll fromIndex:${request.fromIndex} maxItems:${request.maxItems}")
         UserAccessManager.validateUser(user)
-        val reportDefinitionsList = ReportDefinitionsIndex.getAllReportDefinitions(UserAccessManager.getSearchAccessInfo(user),
+        val reportDefinitionsList = ReportDefinitionsIndex.getAllReportDefinitions(UserAccessManager.getUserTenant(user),
+            UserAccessManager.getSearchAccessInfo(user),
             request.fromIndex,
             request.maxItems)
         return GetAllReportDefinitionsResponse(reportDefinitionsList, UserAccessManager.hasAllInfoAccess(user))
 
@@ -61,6 +61,7 @@ internal object ReportInstanceActions {
             currentTime,
             request.beginTime,
             request.endTime,
+            UserAccessManager.getUserTenant(user),
             UserAccessManager.getAllAccessInfo(user),
             request.reportDefinitionDetails,
             Status.Success, // TODO: Revert to request.status when background job execution supported
@@ -84,7 +85,7 @@ internal object ReportInstanceActions {
         val reportDefinitionDetails = ReportDefinitionsIndex.getReportDefinition(request.reportDefinitionId)
         reportDefinitionDetails
             ?: throw ElasticsearchStatusException("Report Definition ${request.reportDefinitionId} not found", RestStatus.NOT_FOUND)
-        if (!UserAccessManager.doesUserHasAccess(user, reportDefinitionDetails.access)) {
+        if (!UserAccessManager.doesUserHasAccess(user, reportDefinitionDetails.tenant, reportDefinitionDetails.access)) {
             throw ElasticsearchStatusException("Permission denied for Report Definition ${request.reportDefinitionId}", RestStatus.FORBIDDEN)
         }
         val beginTime: Instant = currentTime.minus(reportDefinitionDetails.reportDefinition.format.duration)
@@ -95,6 +96,7 @@ internal object ReportInstanceActions {
             currentTime,
             beginTime,
             endTime,
+            UserAccessManager.getUserTenant(user),
             reportDefinitionDetails.access,
             reportDefinitionDetails,
             currentStatus)
@@ -115,7 +117,7 @@ internal object ReportInstanceActions {
         val currentReportInstance = ReportInstancesIndex.getReportInstance(request.reportInstanceId)
         currentReportInstance
             ?: throw ElasticsearchStatusException("Report Instance ${request.reportInstanceId} not found", RestStatus.NOT_FOUND)
-        if (!UserAccessManager.doesUserHasAccess(user, currentReportInstance.access)) {
+        if (!UserAccessManager.doesUserHasAccess(user, currentReportInstance.tenant, currentReportInstance.access)) {
             throw ElasticsearchStatusException("Permission denied for Report Definition ${request.reportInstanceId}", RestStatus.FORBIDDEN)
         }
         if (request.status == Status.Scheduled) { // Don't allow changing status to Scheduled
@@ -142,7 +144,7 @@ internal object ReportInstanceActions {
         val reportInstance = ReportInstancesIndex.getReportInstance(request.reportInstanceId)
         reportInstance
             ?: throw ElasticsearchStatusException("Report Instance ${request.reportInstanceId} not found", RestStatus.NOT_FOUND)
-        if (!UserAccessManager.doesUserHasAccess(user, reportInstance.access)) {
+        if (!UserAccessManager.doesUserHasAccess(user, reportInstance.tenant, reportInstance.access)) {
             throw ElasticsearchStatusException("Permission denied for Report Definition ${request.reportInstanceId}", RestStatus.FORBIDDEN)
         }
         return GetReportInstanceResponse(reportInstance, UserAccessManager.hasAllInfoAccess(user))
@@ -156,7 +158,8 @@ internal object ReportInstanceActions {
     fun getAll(request: GetAllReportInstancesRequest, user: User?): GetAllReportInstancesResponse {
         log.info("$LOG_PREFIX:ReportInstance-getAll fromIndex:${request.fromIndex} maxItems:${request.maxItems}")
         UserAccessManager.validateUser(user)
-        val reportInstanceList = ReportInstancesIndex.getAllReportInstances(UserAccessManager.getSearchAccessInfo(user),
+        val reportInstanceList = ReportInstancesIndex.getAllReportInstances(UserAccessManager.getUserTenant(user),
+            UserAccessManager.getSearchAccessInfo(user),
             request.fromIndex,
             request.maxItems)
         return GetAllReportInstancesResponse(reportInstanceList, UserAccessManager.hasAllInfoAccess(user))
 
@@ -20,6 +20,7 @@ import com.amazon.opendistroforelasticsearch.reportsscheduler.ReportsSchedulerPl
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.ReportDefinitionDetails
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.ReportDefinitionDetailsSearchResults
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.ACCESS_LIST_FIELD
+import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.TENANT_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.UPDATED_TIME_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.settings.PluginSettings
 import com.amazon.opendistroforelasticsearch.reportsscheduler.util.SecureIndexClient
@@ -147,21 +148,28 @@ internal object ReportDefinitionsIndex {
 
     /**
      * Query index for report definition for given access details
+     * @param tenant the tenant of the user
      * @param access the list of access details to search reports for.
      * @param from the paginated start index
      * @param maxItems the max items to query
      * @return search result of Report definition details
      */
-    fun getAllReportDefinitions(access: List<String>, from: Int, maxItems: Int): ReportDefinitionDetailsSearchResults {
+    fun getAllReportDefinitions(tenant: String, access: List<String>, from: Int, maxItems: Int): ReportDefinitionDetailsSearchResults {
         createIndex()
         val sourceBuilder = SearchSourceBuilder()
             .timeout(TimeValue(PluginSettings.operationTimeoutMs, TimeUnit.MILLISECONDS))
             .sort(UPDATED_TIME_FIELD)
             .size(maxItems)
             .from(from)
+        val tenantQuery = QueryBuilders.termsQuery(TENANT_FIELD, tenant)
         if (access.isNotEmpty()) {
-            val query = QueryBuilders.termsQuery(ACCESS_LIST_FIELD, access)
+            val accessQuery = QueryBuilders.termsQuery(ACCESS_LIST_FIELD, access)
+            val query = QueryBuilders.boolQuery()
+            query.filter(tenantQuery)
+            query.filter(accessQuery)
             sourceBuilder.query(query)
+        } else {
+            sourceBuilder.query(tenantQuery)
         }
         val searchRequest = SearchRequest()
             .indices(REPORT_DEFINITIONS_INDEX_NAME)
 
@@ -23,6 +23,7 @@ import com.amazon.opendistroforelasticsearch.reportsscheduler.model.ReportInstan
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.ReportInstanceSearchResults
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.ACCESS_LIST_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.STATUS_FIELD
+import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.TENANT_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.UPDATED_TIME_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.settings.PluginSettings
 import com.amazon.opendistroforelasticsearch.reportsscheduler.util.SecureIndexClient
@@ -151,21 +152,28 @@ internal object ReportInstancesIndex {
 
     /**
      * Query index for report instance for given access details
+     * @param tenant the tenant of the user
      * @param access the list of access details to search reports for.
      * @param from the paginated start index
      * @param maxItems the max items to query
      * @return search result of Report instance details
      */
-    fun getAllReportInstances(access: List<String>, from: Int, maxItems: Int): ReportInstanceSearchResults {
+    fun getAllReportInstances(tenant: String, access: List<String>, from: Int, maxItems: Int): ReportInstanceSearchResults {
         createIndex()
         val sourceBuilder = SearchSourceBuilder()
             .timeout(TimeValue(PluginSettings.operationTimeoutMs, TimeUnit.MILLISECONDS))
             .sort(UPDATED_TIME_FIELD)
             .size(maxItems)
             .from(from)
+        val tenantQuery = QueryBuilders.termsQuery(TENANT_FIELD, tenant)
         if (access.isNotEmpty()) {
-            val query = QueryBuilders.termsQuery(ACCESS_LIST_FIELD, access)
+            val accessQuery = QueryBuilders.termsQuery(ACCESS_LIST_FIELD, access)
+            val query = QueryBuilders.boolQuery()
+            query.filter(tenantQuery)
+            query.filter(accessQuery)
             sourceBuilder.query(query)
+        } else {
+            sourceBuilder.query(tenantQuery)
         }
         val searchRequest = SearchRequest()
             .indices(REPORT_INSTANCES_INDEX_NAME)
 
@@ -24,7 +24,9 @@ import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.ACCE
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.CREATED_TIME_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.ID_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.REPORT_DEFINITION_FIELD
+import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.TENANT_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.UPDATED_TIME_FIELD
+import com.amazon.opendistroforelasticsearch.reportsscheduler.security.UserAccessManager.DEFAULT_TENANT
 import com.amazon.opendistroforelasticsearch.reportsscheduler.settings.PluginSettings
 import com.amazon.opendistroforelasticsearch.reportsscheduler.util.logger
 import com.amazon.opendistroforelasticsearch.reportsscheduler.util.stringList
@@ -44,7 +46,8 @@ import java.time.Instant
  *   "id":"id",
  *   "lastUpdatedTimeMs":1603506908773,
  *   "createdTimeMs":1603506908773,
- *   "access":["u:user", "r:sample_role", "ber:sample_backend_role"]
+ *   "tenant":"__user__",
+ *   "access":["User:user", "Role:sample_role", "BERole:sample_backend_role"]
  *   "reportDefinition":{
  *      // refer [com.amazon.opendistroforelasticsearch.reportsscheduler.model.ReportDefinition]
  *   }
@@ -55,6 +58,7 @@ internal data class ReportDefinitionDetails(
     val id: String,
     val updatedTime: Instant,
     val createdTime: Instant,
+    val tenant: String,
     val access: List<String>,
     val reportDefinition: ReportDefinition
 ) : ScheduledJobParameter {
@@ -71,6 +75,7 @@ internal data class ReportDefinitionDetails(
             var id: String? = useId
             var updatedTime: Instant? = null
             var createdTime: Instant? = null
+            var tenant: String? = null
             var access: List<String> = listOf()
             var reportDefinition: ReportDefinition? = null
             XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_OBJECT, parser.currentToken(), parser)
@@ -81,6 +86,7 @@ internal data class ReportDefinitionDetails(
                     ID_FIELD -> id = parser.text()
                     UPDATED_TIME_FIELD -> updatedTime = Instant.ofEpochMilli(parser.longValue())
                     CREATED_TIME_FIELD -> createdTime = Instant.ofEpochMilli(parser.longValue())
+                    TENANT_FIELD -> tenant = parser.text()
                     ACCESS_LIST_FIELD -> access = parser.stringList()
                     REPORT_DEFINITION_FIELD -> reportDefinition = ReportDefinition.parse(parser)
                     else -> {
@@ -92,10 +98,12 @@ internal data class ReportDefinitionDetails(
             id ?: throw IllegalArgumentException("$ID_FIELD field absent")
             updatedTime ?: throw IllegalArgumentException("$UPDATED_TIME_FIELD field absent")
             createdTime ?: throw IllegalArgumentException("$CREATED_TIME_FIELD field absent")
+            tenant = tenant ?: DEFAULT_TENANT
             reportDefinition ?: throw IllegalArgumentException("$REPORT_DEFINITION_FIELD field absent")
             return ReportDefinitionDetails(id,
                 updatedTime,
                 createdTime,
+                tenant,
                 access,
                 reportDefinition)
         }
@@ -121,6 +129,7 @@ internal data class ReportDefinitionDetails(
         }
         builder.field(UPDATED_TIME_FIELD, updatedTime.toEpochMilli())
             .field(CREATED_TIME_FIELD, createdTime.toEpochMilli())
+            .field(TENANT_FIELD, tenant)
         if (params?.paramAsBoolean(ACCESS_LIST_FIELD, true) == true && access.isNotEmpty()) {
             builder.field(ACCESS_LIST_FIELD, access)
         }
 
@@ -27,7 +27,9 @@ import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.IN_C
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.REPORT_DEFINITION_DETAILS_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.STATUS_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.STATUS_TEXT_FIELD
+import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.TENANT_FIELD
 import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag.UPDATED_TIME_FIELD
+import com.amazon.opendistroforelasticsearch.reportsscheduler.security.UserAccessManager.DEFAULT_TENANT
 import com.amazon.opendistroforelasticsearch.reportsscheduler.util.logger
 import com.amazon.opendistroforelasticsearch.reportsscheduler.util.stringList
 import org.elasticsearch.common.xcontent.ToXContent
@@ -48,7 +50,8 @@ import java.time.Instant
  *   "createdTimeMs":1603506908773,
  *   "beginTimeMs":1603506908773,
  *   "endTimeMs":1603506908773,
- *   "access":["u:user", "r:sample_role", "ber:sample_backend_role"]
+ *   "tenant":"__user__",
+ *   "access":["User:user", "Role:sample_role", "BERole:sample_backend_role"]
  *   "reportDefinitionDetails":{
  *      // refer [com.amazon.opendistroforelasticsearch.reportsscheduler.model.reportDefinitionDetails]
  *   },
@@ -64,6 +67,7 @@ internal data class ReportInstance(
     val createdTime: Instant,
     val beginTime: Instant,
     val endTime: Instant,
+    val tenant: String,
     val access: List<String>,
     val reportDefinitionDetails: ReportDefinitionDetails?,
     val status: Status,
@@ -86,6 +90,7 @@ internal data class ReportInstance(
             var createdTime: Instant? = null
             var beginTime: Instant? = null
             var endTime: Instant? = null
+            var tenant: String? = null
             var access: List<String> = listOf()
             var reportDefinitionDetails: ReportDefinitionDetails? = null
             var status: Status? = null
@@ -101,6 +106,7 @@ internal data class ReportInstance(
                     CREATED_TIME_FIELD -> createdTime = Instant.ofEpochMilli(parser.longValue())
                     BEGIN_TIME_FIELD -> beginTime = Instant.ofEpochMilli(parser.longValue())
                     END_TIME_FIELD -> endTime = Instant.ofEpochMilli(parser.longValue())
+                    TENANT_FIELD -> tenant = parser.text()
                     ACCESS_LIST_FIELD -> access = parser.stringList()
                     REPORT_DEFINITION_DETAILS_FIELD -> reportDefinitionDetails = ReportDefinitionDetails.parse(parser)
                     STATUS_FIELD -> status = Status.valueOf(parser.text())
@@ -117,12 +123,14 @@ internal data class ReportInstance(
             createdTime ?: throw IllegalArgumentException("$CREATED_TIME_FIELD field absent")
             beginTime ?: throw IllegalArgumentException("$BEGIN_TIME_FIELD field absent")
             endTime ?: throw IllegalArgumentException("$END_TIME_FIELD field absent")
+            tenant = tenant ?: DEFAULT_TENANT
             status ?: throw IllegalArgumentException("$STATUS_FIELD field absent")
             return ReportInstance(id,
                 updatedTime,
                 createdTime,
                 beginTime,
                 endTime,
+                tenant,
                 access,
                 reportDefinitionDetails,
                 status,
@@ -153,6 +161,7 @@ internal data class ReportInstance(
             .field(CREATED_TIME_FIELD, createdTime.toEpochMilli())
             .field(BEGIN_TIME_FIELD, beginTime.toEpochMilli())
             .field(END_TIME_FIELD, endTime.toEpochMilli())
+            .field(TENANT_FIELD, tenant)
         if (params?.paramAsBoolean(ACCESS_LIST_FIELD, true) == true && access.isNotEmpty()) {
             builder.field(ACCESS_LIST_FIELD, access)
         }