Skip to content

Add FGAC integration tests for multi-index PPL queries#5581

Draft
finnegancarroll wants to merge 1 commit into
opensearch-project:mainfrom
finnegancarroll:analytics-engine-security-it-wildcards
Draft

Add FGAC integration tests for multi-index PPL queries#5581
finnegancarroll wants to merge 1 commit into
opensearch-project:mainfrom
finnegancarroll:analytics-engine-security-it-wildcards

Conversation

@finnegancarroll

@finnegancarroll finnegancarroll commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Description

Adds regression tests verifying that FGAC correctly evaluates permissions on all indices in comma-separated multi-source PPL queries. Previously, only the first index in the list was checked, allowing unauthorized access to subsequent indices.

Test cases

Test Scenario
testPPLMultiIndexDeniedWhenSecondIndexUnauthorized source = allowed, forbidden → must be 403
testPPLMultiIndexDeniedWithBackticksAuthorizedFirst Same with backtick-quoted indices
testPPLMultiIndexDeniedWithUnauthorizedFirst source = forbidden, allowed → 403 (control)
testPPLMultiIndexAllowedWhenAllAuthorized source = allowed1, allowed2 → succeeds

Also fixes

Plugin install order in analyticsEngineSecurityIT cluster config — composite-engine must be installed before analytics-backend-lucene (dependency).

Validation

All 4 tests pass on latest upstream main — confirms the bypass is not present on current HEAD.

Signed-off-by: Finnegan Carroll carrofin@amazon.com

@finnegancarroll finnegancarroll force-pushed the analytics-engine-security-it-wildcards branch 13 times, most recently from b6fc89f to 9de2f9d Compare June 24, 2026 23:21
@finnegancarroll
Add multi-index comma-separated source FGAC bypass tests
38a327d 
Regression tests for authorization bypass where PPL multi-index queries
(source = idx1, idx2) only evaluated permissions on the first index,
allowing unauthorized access to subsequent indices.

Tests cover:
- Authorized index first, unauthorized second (the bypass vector)
- Backtick-quoted variant of the same
- Unauthorized index first (control: should be denied)
- Both indices authorized (positive case)

Signed-off-by: Finnegan Carroll <carrofin@amazon.com>
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll finnegancarroll force-pushed the analytics-engine-security-it-wildcards branch from 9de2f9d to 38a327d Compare June 24, 2026 23:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ps48 ps48 Awaiting requested review from ps48 ps48 will be requested when the pull request is marked ready for review ps48 is a code owner
@joshuali925 joshuali925 Awaiting requested review from joshuali925 joshuali925 will be requested when the pull request is marked ready for review joshuali925 is a code owner
@dai-chen dai-chen Awaiting requested review from dai-chen dai-chen will be requested when the pull request is marked ready for review dai-chen is a code owner
@mengweieric mengweieric Awaiting requested review from mengweieric mengweieric will be requested when the pull request is marked ready for review mengweieric is a code owner
@vamsimanohar vamsimanohar Awaiting requested review from vamsimanohar vamsimanohar will be requested when the pull request is marked ready for review vamsimanohar is a code owner
@Swiddis Swiddis Awaiting requested review from Swiddis Swiddis will be requested when the pull request is marked ready for review Swiddis is a code owner
@penghuo penghuo Awaiting requested review from penghuo penghuo will be requested when the pull request is marked ready for review penghuo is a code owner
@anirudha anirudha Awaiting requested review from anirudha anirudha will be requested when the pull request is marked ready for review anirudha is a code owner
@acarbonetto acarbonetto Awaiting requested review from acarbonetto acarbonetto will be requested when the pull request is marked ready for review acarbonetto is a code owner
@ykmr1224 ykmr1224 Awaiting requested review from ykmr1224 ykmr1224 will be requested when the pull request is marked ready for review ykmr1224 is a code owner
@LantaoJin LantaoJin Awaiting requested review from LantaoJin LantaoJin will be requested when the pull request is marked ready for review LantaoJin is a code owner
@noCharger noCharger Awaiting requested review from noCharger noCharger will be requested when the pull request is marked ready for review noCharger is a code owner
@qianheng-aws qianheng-aws Awaiting requested review from qianheng-aws qianheng-aws will be requested when the pull request is marked ready for review qianheng-aws is a code owner
@yuancu yuancu Awaiting requested review from yuancu yuancu will be requested when the pull request is marked ready for review yuancu is a code owner
@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 will be requested when the pull request is marked ready for review RyanL1997 is a code owner
@ahkcs ahkcs Awaiting requested review from ahkcs ahkcs will be requested when the pull request is marked ready for review ahkcs is a code owner
@songkant-aws songkant-aws Awaiting requested review from songkant-aws songkant-aws will be requested when the pull request is marked ready for review songkant-aws is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@finnegancarroll