opensearch-project
[FEATURE] Full resource name security for OpenSearch entities: Templates, Aliases, Pipelines
Is your feature request related to a problem?
We're implementing security configurations for OpenSearch based on database as a service approach. So we allow every user to work with indexes it owns, in our cases which start from {username} prefix. For example, user1 can create/update/write/read to index user1-test, but can't to user2-test. We reached it with the role:
{
"admin_role" : {
"reserved" : false,
"hidden" : false,
"cluster_permissions" : [
"cluster_composite_ops",
"indices:data/read/scroll/clear",
"indices:admin/index_template/put",
"indices:admin/index_template/get",
"indices:admin/index_template/delete"
],
"index_permissions" : [
{
"index_patterns" : [
"${attr.internal.username}*"
],
"allowed_actions" : [
"indices:*",
]
},
{
"index_patterns" : [
"*"
],
"allowed_actions" : [
"indices:admin/resize"
]
}
],
"tenant_permissions" : [ ],
"static" : false
}
}
We previously faced an issue, that it is not possible to strict creating aliases with specific name, but it's not critical, because created alias can't linked with index of user don't have permission to.
Most important problem that we can't configure granular security for Index Templates.
We would like user to create only Template with allowed name ({username} prefix), and specify "index_pattern" only indexes, allowed by security pattern ({username} prefix). But now OpenSearch security requires to add template cluster wide permissions and there are no granularity for name pattern.
What solution would you like?
- First of all I think we need additional configurations for Roles, targeted to Templates, Aliases and Pipelines (probably I missed something else). Something like:
"index_permissions" : [
{
"index_patterns" : [
"${attr.internal.username}*"
],
"allowed_actions" : [
"indices:*",
]
}
],
"template_permissions": [
"template_patterns" : [
"${attr.internal.username}*"
],
"allowed_actions" : [
"template_all"
]
}
],
"alias_pemissions": [
"alias_patterns" : [
"${attr.internal.username}*"
],
"allowed_actions" : [
"alias_all"
]
}
]
And when user tries to access entity with some name it should be checked with granular permissions, not cluster.
- There should be validation for Index Templates for
index_patternfield to allow user to create templates only with index pattern they have an access (covered with their role).
Do you have any additional context? Created after discussion Add any other context or screenshots about the feature request here.
[Triage] Hi @mrMigles, thank you for filing this issue. Without seeing additional details in the form of either a pull request or design draft, it is not clear whether this feature is something the security plugin is able to support long term. If you would like to contribute towards either of these, that could help bring the maintainers towards a conclusion about this request.
Thank you.
Hi @scrawfor99, I created this Feature request to understand is in interesting for OpenSearch community or not and to find someone who also needs such feature. If this requirement corresponds the targets of OpenSearch security evolution I think we consider the development from our side and prepare Pull Request.
Thank you!
[Triage] @mrMigles It looks like there is some interest on this issue. If you have any high level design for this feature it would be helpful for the maintainers when reviewing this feature request.
I've got a prototype for resources permissions [1] to be used in conjunction with a new feature from OpenSearch call Views, maybe you can see how that case aligns with the scenarios you are considering.
...
resource_permissions:
- resource_type: "view"
resource_ids: ["songs", "albums"]
- resource_type: "search-template"
resource_ids: ["top-billboard-songs"]
- [1] https://github.com/peternied/OpenSearch-1/pull/139
