Reads feature flag correctly

DarshitChanpura · DarshitChanpura · commit 2e05310babf9 · 2025-01-19T22:04:49.000-05:00
Signed-off-by: Darshit Chanpura &lt;dchanp@amazon.com&gt;
diff --git a/src/main/java/org/opensearch/ad/constant/ConfigConstants.java b/src/main/java/org/opensearch/ad/constant/ConfigConstants.java
@@ -0,0 +1,6 @@
+package org.opensearch.ad.constant;
+
+public class ConfigConstants {
+    public static final String OPENSEARCH_RESOURCE_SHARING_ENABLED = "plugins.security.resource_sharing.enabled";
+    public static final Boolean OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT = true;
+}
diff --git a/src/main/java/org/opensearch/ad/transport/IndexAnomalyDetectorTransportAction.java b/src/main/java/org/opensearch/ad/transport/IndexAnomalyDetectorTransportAction.java
@@ -27,6 +27,7 @@
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.WriteRequest;
+import org.opensearch.ad.constant.ConfigConstants;
 import org.opensearch.ad.indices.ADIndexManagement;
 import org.opensearch.ad.model.AnomalyDetector;
 import org.opensearch.ad.rest.handler.IndexAnomalyDetectorActionHandler;
@@ -64,6 +65,7 @@ public class IndexAnomalyDetectorTransportAction extends HandledTransportAction<
     private volatile Boolean filterByEnabled;
     private final SearchFeatureDao searchFeatureDao;
     private final Settings settings;
+    private final boolean resourceSharingEnabled;
 
     @Inject
     public IndexAnomalyDetectorTransportAction(
@@ -90,6 +92,8 @@ public IndexAnomalyDetectorTransportAction(
         filterByEnabled = AnomalyDetectorSettings.AD_FILTER_BY_BACKEND_ROLES.get(settings);
         clusterService.getClusterSettings().addSettingsUpdateConsumer(AD_FILTER_BY_BACKEND_ROLES, it -> filterByEnabled = it);
         this.settings = settings;
+        this.resourceSharingEnabled = settings
+            .getAsBoolean(ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
     }
 
     @Override
@@ -116,7 +120,7 @@ private void resolveUserAndExecute(
     ) {
         try {
             // If resource sharing flag is enabled then access evaluation will be performed at DLS level
-            if (!featureEnabled && filterByEnabled) {
+            if (!resourceSharingEnabled && filterByEnabled) {
                 // Check if user has backend roles
                 // When filter by is enabled, block users creating/updating detectors who do not have backend roles.
                 String error = checkFilterByBackendRoles(requestedUser);
@@ -141,7 +145,8 @@ private void resolveUserAndExecute(
                     clusterService,
                     xContentRegistry,
                     filterByBackendRole,
-                    AnomalyDetector.class
+                    AnomalyDetector.class,
+                    resourceSharingEnabled
                 );
             } else {
                 // Create Detector. No need to get current detector.
diff --git a/src/main/java/org/opensearch/ad/transport/PreviewAnomalyDetectorTransportAction.java b/src/main/java/org/opensearch/ad/transport/PreviewAnomalyDetectorTransportAction.java
@@ -34,6 +34,7 @@
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.ad.AnomalyDetectorRunner;
 import org.opensearch.ad.constant.ADCommonMessages;
+import org.opensearch.ad.constant.ConfigConstants;
 import org.opensearch.ad.model.AnomalyDetector;
 import org.opensearch.ad.model.AnomalyResult;
 import org.opensearch.ad.settings.AnomalyDetectorSettings;
@@ -70,6 +71,7 @@ public class PreviewAnomalyDetectorTransportAction extends
     private volatile Boolean filterByEnabled;
     private final CircuitBreakerService adCircuitBreakerService;
     private Semaphore lock;
+    private final boolean resourceSharingEnabled;
 
     @Inject
     public PreviewAnomalyDetectorTransportAction(
@@ -93,6 +95,8 @@ public PreviewAnomalyDetectorTransportAction(
         clusterService.getClusterSettings().addSettingsUpdateConsumer(AD_FILTER_BY_BACKEND_ROLES, it -> filterByEnabled = it);
         this.adCircuitBreakerService = adCircuitBreakerService;
         this.lock = new Semaphore(MAX_CONCURRENT_PREVIEW.get(settings), true);
+        this.resourceSharingEnabled = settings
+            .getAsBoolean(ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
         clusterService.getClusterSettings().addSettingsUpdateConsumer(MAX_CONCURRENT_PREVIEW, it -> { lock = new Semaphore(it); });
     }
 
@@ -115,7 +119,8 @@ protected void doExecute(
                 client,
                 clusterService,
                 xContentRegistry,
-                AnomalyDetector.class
+                AnomalyDetector.class,
+                resourceSharingEnabled
             );
         } catch (Exception e) {
             logger.error(e);
diff --git a/src/main/java/org/opensearch/forecast/transport/ForecastRunOnceTransportAction.java b/src/main/java/org/opensearch/forecast/transport/ForecastRunOnceTransportAction.java
@@ -25,6 +25,7 @@
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
+import org.opensearch.ad.constant.ConfigConstants;
 import org.opensearch.client.Client;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.service.ClusterService;
@@ -97,6 +98,7 @@ public class ForecastRunOnceTransportAction extends HandledTransportAction<Forec
     private final FeatureManager featureManager;
     private final ForecastStats forecastStats;
     private volatile Boolean filterByEnabled;
+    private final boolean resourceSharingEnabled;
 
     protected volatile Integer maxSingleStreamForecasters;
     protected volatile Integer maxHCForecasters;
@@ -147,6 +149,8 @@ public ForecastRunOnceTransportAction(
         this.maxHCForecasters = MAX_HC_FORECASTERS.get(settings);
         this.maxForecastFeatures = MAX_FORECAST_FEATURES;
         this.maxCategoricalFields = ForecastNumericSetting.maxCategoricalFields();
+        this.resourceSharingEnabled = settings
+            .getAsBoolean(ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
         clusterService.getClusterSettings().addSettingsUpdateConsumer(MAX_SINGLE_STREAM_FORECASTERS, it -> maxSingleStreamForecasters = it);
         clusterService.getClusterSettings().addSettingsUpdateConsumer(MAX_HC_FORECASTERS, it -> maxHCForecasters = it);
     }
@@ -166,7 +170,8 @@ protected void doExecute(Task task, ForecastResultRequest request, ActionListene
                 client,
                 clusterService,
                 xContentRegistry,
-                Forecaster.class
+                Forecaster.class,
+                resourceSharingEnabled
             );
         } catch (Exception e) {
             LOG.error(e);
diff --git a/src/main/java/org/opensearch/forecast/transport/IndexForecasterTransportAction.java b/src/main/java/org/opensearch/forecast/transport/IndexForecasterTransportAction.java
@@ -28,6 +28,7 @@
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.WriteRequest;
+import org.opensearch.ad.constant.ConfigConstants;
 import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
@@ -63,6 +64,7 @@ public class IndexForecasterTransportAction extends HandledTransportAction<Index
     private final SearchFeatureDao searchFeatureDao;
     private final ForecastTaskManager taskManager;
     private final Settings settings;
+    private final boolean resourceSharingEnabled;
 
     @Inject
     public IndexForecasterTransportAction(
@@ -89,6 +91,8 @@ public IndexForecasterTransportAction(
         this.searchFeatureDao = searchFeatureDao;
         this.taskManager = taskManager;
         this.settings = settings;
+        this.resourceSharingEnabled = settings
+            .getAsBoolean(ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
     }
 
     @Override
@@ -125,7 +129,7 @@ private void resolveUserAndExecute(
             boolean filterByBackendRole = requestedUser == null ? false : filterByEnabled;
 
             // If resource sharing flag is enabled then access evaluation will be performed at DLS level
-            if (!featureEnabled && filterByEnabled) {
+            if (!resourceSharingEnabled && filterByEnabled) {
                 // Check if user has backend roles
                 // When filter by is enabled, block users creating/updating detectors who do not have backend roles.
                 String error = checkFilterByBackendRoles(requestedUser);
@@ -146,7 +150,8 @@ private void resolveUserAndExecute(
                     clusterService,
                     xContentRegistry,
                     filterByBackendRole,
-                    Forecaster.class
+                    Forecaster.class,
+                    resourceSharingEnabled
                 );
             } else {
                 // Create Detector. No need to get current detector.
diff --git a/src/main/java/org/opensearch/timeseries/transport/BaseDeleteConfigTransportAction.java b/src/main/java/org/opensearch/timeseries/transport/BaseDeleteConfigTransportAction.java
@@ -24,6 +24,7 @@
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.WriteRequest;
+import org.opensearch.ad.constant.ConfigConstants;
 import org.opensearch.ad.model.ADTask;
 import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
@@ -69,6 +70,7 @@ public abstract class BaseDeleteConfigTransportAction<TaskCacheManagerType exten
     private final String stateIndex;
     private final Class<ConfigType> configTypeClass;
     private final List<TaskTypeEnum> batchTaskTypes;
+    private final boolean resourceSharingEnabled;
 
     public BaseDeleteConfigTransportAction(
         TransportService transportService,
@@ -100,6 +102,8 @@ public BaseDeleteConfigTransportAction(
         this.stateIndex = stateIndex;
         this.configTypeClass = configTypeClass;
         this.batchTaskTypes = historicalTaskTypes;
+        this.resourceSharingEnabled = settings
+            .getAsBoolean(ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
     }
 
     @Override
@@ -142,7 +146,8 @@ protected void doExecute(Task task, DeleteConfigRequest request, ActionListener<
                 client,
                 clusterService,
                 xContentRegistry,
-                configTypeClass
+                configTypeClass,
+                resourceSharingEnabled
             );
         } catch (Exception e) {
             LOG.error(e);
diff --git a/src/main/java/org/opensearch/timeseries/transport/BaseGetConfigTransportAction.java b/src/main/java/org/opensearch/timeseries/transport/BaseGetConfigTransportAction.java
@@ -31,6 +31,7 @@
 import org.opensearch.action.get.MultiGetResponse;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
+import org.opensearch.ad.constant.ConfigConstants;
 import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.CheckedConsumer;
@@ -101,6 +102,7 @@ public abstract class BaseGetConfigTransportAction<GetConfigResponseType extends
     private final String singleStreamHistoricalTaskname;
     private final String hcHistoricalTaskName;
     private final TaskProfileRunnerType taskProfileRunner;
+    private final boolean resourceSharingEnabled;
 
     public BaseGetConfigTransportAction(
         TransportService transportService,
@@ -154,6 +156,8 @@ public BaseGetConfigTransportAction(
         this.hcHistoricalTaskName = hcHistoricalTaskName;
         this.singleStreamHistoricalTaskname = singleStreamHistoricalTaskname;
         this.taskProfileRunner = taskProfileRunner;
+        this.resourceSharingEnabled = settings
+            .getAsBoolean(ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
     }
 
     @Override
@@ -172,7 +176,8 @@ public void doExecute(Task task, ActionRequest request, ActionListener<GetConfig
                 client,
                 clusterService,
                 xContentRegistry,
-                configTypeClass
+                configTypeClass,
+                resourceSharingEnabled
             );
         } catch (Exception e) {
             LOG.error(e);
diff --git a/src/main/java/org/opensearch/timeseries/transport/BaseJobTransportAction.java b/src/main/java/org/opensearch/timeseries/transport/BaseJobTransportAction.java
@@ -13,6 +13,7 @@
 import org.opensearch.action.ActionType;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
+import org.opensearch.ad.constant.ConfigConstants;
 import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Setting;
@@ -53,6 +54,7 @@ public abstract class BaseJobTransportAction<IndexType extends Enum<IndexType> &
     private final String failtoStopMsg;
     private final Class<? extends Config> configClass;
     private final IndexJobActionHandlerType indexJobActionHandlerType;
+    private final boolean resourceSharingEnabled;
 
     public BaseJobTransportAction(
         TransportService transportService,
@@ -82,6 +84,8 @@ public BaseJobTransportAction(
         this.failtoStopMsg = failtoStopMsg;
         this.configClass = configClass;
         this.indexJobActionHandlerType = indexJobActionHandlerType;
+        this.resourceSharingEnabled = settings
+            .getAsBoolean(ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
     }
 
     @Override
@@ -106,7 +110,8 @@ protected void doExecute(Task task, JobRequest request, ActionListener<JobRespon
                 client,
                 clusterService,
                 xContentRegistry,
-                configClass
+                configClass,
+                resourceSharingEnabled
             );
         } catch (Exception e) {
             logger.error(e);
diff --git a/src/main/java/org/opensearch/timeseries/util/ParseUtils.java b/src/main/java/org/opensearch/timeseries/util/ParseUtils.java
@@ -503,7 +503,8 @@ public static <ConfigType extends Config, GetConfigResponseType extends ActionRe
         Client client,
         ClusterService clusterService,
         NamedXContentRegistry xContentRegistry,
-        Class<ConfigType> configTypeClass
+        Class<ConfigType> configTypeClass,
+        boolean resourceSharingEnabled
     ) {
         try {
             if (requestedUser == null || configId == null) {
@@ -520,7 +521,8 @@ public static <ConfigType extends Config, GetConfigResponseType extends ActionRe
                     clusterService,
                     xContentRegistry,
                     filterByEnabled,
-                    configTypeClass
+                    configTypeClass,
+                    resourceSharingEnabled
                 );
             }
         } catch (Exception e) {
@@ -550,7 +552,8 @@ public static <ConfigType extends Config, GetConfigResponseType extends ActionRe
         ClusterService clusterService,
         NamedXContentRegistry xContentRegistry,
         boolean filterByBackendRole,
-        Class<ConfigType> configTypeClass
+        Class<ConfigType> configTypeClass,
+        boolean resourceSharingEnabled
     ) {
         if (clusterService.state().metadata().indices().containsKey(CommonName.CONFIG_INDEX)) {
             GetRequest request = new GetRequest(CommonName.CONFIG_INDEX).id(configId);
@@ -567,7 +570,8 @@ public static <ConfigType extends Config, GetConfigResponseType extends ActionRe
                                 function,
                                 xContentRegistry,
                                 filterByBackendRole,
-                                configTypeClass
+                                configTypeClass,
+                                resourceSharingEnabled
                             ),
                             exception -> {
                                 logger.error("Failed to get config: " + configId, exception);
@@ -610,7 +614,8 @@ public static <ConfigType extends Config, GetConfigResponseType extends ActionRe
         Consumer<ConfigType> function,
         NamedXContentRegistry xContentRegistry,
         boolean filterByBackendRole,
-        Class<ConfigType> configTypeClass
+        Class<ConfigType> configTypeClass,
+        boolean resourceSharingEnabled
     ) {
         if (response.isExists()) {
             try (
@@ -619,7 +624,7 @@ public static <ConfigType extends Config, GetConfigResponseType extends ActionRe
                 ensureExpectedToken(XContentParser.Token.START_OBJECT, parser.nextToken(), parser);
                 @SuppressWarnings("unchecked")
                 ConfigType config = (ConfigType) Config.parseConfig(configTypeClass, parser);
-                if(featureFlagEnabled) {
+                if (resourceSharingEnabled) {
                     // Permission evaluation will be done at DLS level in security plugin
                     function.accept(config);
                 } else {
@@ -630,9 +635,12 @@ public static <ConfigType extends Config, GetConfigResponseType extends ActionRe
                     } else {
                         logger.debug("User: " + requestUser.getName() + " does not have permissions to access config: " + configId);
                         listener
-                                .onFailure(
-                                        new OpenSearchStatusException(CommonMessages.NO_PERMISSION_TO_ACCESS_CONFIG + configId, RestStatus.FORBIDDEN)
-                                );
+                            .onFailure(
+                                new OpenSearchStatusException(
+                                    CommonMessages.NO_PERMISSION_TO_ACCESS_CONFIG + configId,
+                                    RestStatus.FORBIDDEN
+                                )
+                            );
                     }
                 }
 
