security-dashboards-plugin
[FEATURE] Capability to hide `View roles and identities` for readonly role.
Is your feature request related to a problem?
For a readonly user's dashboard, the `View roles and identities` page, which shows information about the role and its mapped backend roles, should be hidden for the readonly user. This information includes all the details of the backend roles, including the IAM account number and IAM role information if it is mapped to an IAM role, or information about the external authentication system. The screenshots show this information, and it is the same whether it is IAM or any other external authentication system.
What solution would you like?
- Default to `false` by adding a capability to readonly, similar to https://github.com/opensearch-project/OpenSearch-Dashboards/blob/2.12/src/plugins/discover/server/plugin.ts#L38-L48

(or)

- Have an option for admins to disable or enable the `View roles and identities` page in the security settings.
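The following is an added, self-contained sketch of the first option; it is not code from the plugin, from OpenSearch Dashboards, or from the requester. It models the capabilities provider plus switcher pattern that OpenSearch Dashboards core uses (a provider supplies defaults, a switcher adjusts them per request) with local stand-in types instead of importing the real `core.capabilities` API. The capability name `viewRolesAndIdentities`, the `securityDashboards` namespace, the request shape, and the `READONLY_ROLES` list are all assumptions made for illustration.

```typescript
// Added illustration, not plugin code: the OSD capabilities provider/switcher
// pattern modelled with local types so it runs without OpenSearch Dashboards.

type Capabilities = Record<string, Record<string, boolean>>;

// Stand-in for the request a real switcher receives (assumed shape).
interface RequestContext {
  username: string;
  roles: string[];
}

// Stand-in for the plugin's configured readonly-mode role list (assumption).
const READONLY_ROLES: ReadonlySet<string> = new Set(['readonly_role']);

// Provider: the defaults the UI starts from. Defaulting to false means a user
// whose roles are unknown or unmatched never sees the page by accident.
function securityCapabilitiesProvider(): Capabilities {
  return {
    securityDashboards: {
      viewRolesAndIdentities: false,
    },
  };
}

// Switcher: enables the capability only for requests that carry no readonly
// role. Returns a partial patch, as an OSD capabilities switcher does.
function securityCapabilitiesSwitcher(
  request: RequestContext,
  uiCapabilities: Capabilities
): Partial<Capabilities> {
  const isReadonly = request.roles.some((role) => READONLY_ROLES.has(role));
  return {
    securityDashboards: {
      ...uiCapabilities.securityDashboards,
      viewRolesAndIdentities: !isReadonly,
    },
  };
}

// Mirrors what core does when it resolves capabilities for a request:
// take the provider defaults, then apply every switcher's patch on top.
function resolveCapabilities(request: RequestContext): Capabilities {
  const base = securityCapabilitiesProvider();
  const patch = securityCapabilitiesSwitcher(request, base);
  return { ...base, ...patch } as Capabilities;
}

// UI-side guard: render the "View roles and identities" page only when the
// resolved capability is explicitly true. Hiding the page is a UI measure
// only; the backend must still enforce who may read role mappings.
function shouldShowRolesTab(caps: Capabilities): boolean {
  return caps.securityDashboards?.viewRolesAndIdentities === true;
}

// Constructed sample requests for a quick run.
const readonlyUser: RequestContext = { username: 'viewer', roles: ['readonly_role'] };
const adminUser: RequestContext = { username: 'admin', roles: ['all_access'] };
console.log('readonly sees page:', shouldShowRolesTab(resolveCapabilities(readonlyUser)));
console.log('admin sees page:', shouldShowRolesTab(resolveCapabilities(adminUser)));
```

Two design points worth noting: the provider's default is `false`, so any gap in the switcher fails closed rather than open; and because capabilities only drive what the browser renders, the security backend's own authorization on the role and mapping APIs remains the control that actually protects the backend role details.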
[Triage] Thank you for filing this feature request. We would gladly accept a PR for this issue.
@prudhvigodithi can you provide some more details on what exactly is the nature of the sensitive information exposure? Are you only talking about anonymous user? Etc.? We need some more details to determine the impact, since users should generally be able to see their own associated roles and backend roles. Is there some workaround to the role mapping to avoid including the IAM account as part of the role?
Thanks, had an offline discussion with @derek-ho and provided additional details. Adding @yongliangus.