security-dashboards-plugin
[FEATURE] Improve Create Action Group UX to ensure valid action groups are created
The current user interface for creating action groups in the OpenSearch Security plugin allows for the combination of actions from different categories within a single group. These categories are:
- cluster_permissions
- index_permissions
- tenant_permissions
Ideally, all actions within a single action group should belong to the same category. Although it's technically possible to mix action types in a group, this practice is ineffective for role assignment purposes. Only actions belonging to the category relevant to the role's section will be acknowledged during authorization checks.
For example, consider an action group that includes both a cluster action (cluster:monitor/health) and an index action (indices:data/read/search). To utilize all permissions in this action group, it must be assigned to both the cluster_permissions and index_permissions sections of a role. If this action group is only assigned to the cluster_permissions section, then the index actions in the group will not be effective.
Here's an example of how a role is defined:
```yaml
example_role:
  reserved: true
  hidden: false
  static: true
  description: "Example role"
  cluster_permissions:
    - "<list_of_allowed_cluster_actions_or_action_groups>"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "<list_of_allowed_index_actions_or_action_groups>"
  tenant_permissions:
    - tenant_patterns:
        - "*"
      allowed_actions:
        - "kibana_all_write | kibana_all_read"
```
This structure implies that when defining roles, careful attention should be paid to the categorization of actions in action groups to ensure effective permission assignments.
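The check this issue asks the create form to make, sketched as an added example; it is not code from the issue or from the plugin. The function names and the prefix-to-category table (in particular the `kibana:` prefix for tenant actions) are assumptions of this example, and entries it cannot classify, such as wildcards or nested action group names, are reported rather than guessed.

```typescript
// Added example: names and prefix rules below are assumptions, not plugin code.
type Category = 'cluster_permissions' | 'index_permissions' | 'tenant_permissions';

// Assumed prefix-to-category mapping. The issue shows cluster:monitor/health and
// indices:data/read/search; the kibana: prefix for tenant actions is an assumption.
const PREFIXES: { prefix: string; category: Category }[] = [
  { prefix: 'cluster:', category: 'cluster_permissions' },
  { prefix: 'indices:', category: 'index_permissions' },
  { prefix: 'kibana:', category: 'tenant_permissions' },
];

function categoryOf(action: string): Category | null {
  for (const p of PREFIXES) {
    if (action.indexOf(p.prefix) === 0) return p.category;
  }
  return null; // wildcard, unknown pattern, or a nested action group name
}

interface GroupCheck {
  valid: boolean;         // true only when every entry maps to one single category
  categories: Category[]; // distinct categories found, in first-seen order
  unclassified: string[]; // entries the prefix table could not place
}

// Check a draft action group before it is saved.
function checkActionGroup(actions: string[]): GroupCheck {
  const categories: Category[] = [];
  const unclassified: string[] = [];
  actions.forEach((action) => {
    const c = categoryOf(action);
    if (c === null) unclassified.push(action);
    else if (categories.indexOf(c) === -1) categories.push(c);
  });
  const valid = categories.length === 1 && unclassified.length === 0;
  return { valid, categories, unclassified };
}

// Classified actions that have no effect when the group sits under `section` of a role.
function ineffectiveIn(section: Category, actions: string[]): string[] {
  return actions.filter((action) => {
    const c = categoryOf(action);
    return c !== null && c !== section;
  });
}

// Constructed sample: the mixed group described in the issue text.
const mixedGroup = ['cluster:monitor/health', 'indices:data/read/search'];
console.log(checkActionGroup(mixedGroup));
console.log(ineffectiveIn('cluster_permissions', mixedGroup));
```
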
[Triage] Hi @cwperks, thank you for adding this issue. This seems like a worthwhile change. We can always get specific UX/UI input but in the meantime your idea seems reasonable and like a good improvement. Let's mark this as triaged, and help wanted / good first issue. Thanks :)