opensearch-project
[FEATURE] Create a formal relationship between a plugin and its associated roles and system indices
Is your feature request related to a problem?
Plugin teams make PRs to the security repo to add default roles and add system indices to the security's list that tracks system indices. Oftentimes, you can determine which plugin is associated with a role or system index by naming convention, but there is no strong link between the 2.
Plugins do have unique names that they must define in the plugin's build.gradle which can also be found in plugin-descriptor.properties file under the name key after a plugin is installed in the plugin's root directory.
By convention, plugins typically add their names to the role names to make it obvious that the role is associated with the plugin. See the security-analytics roles as examples: https://github.com/opensearch-project/security/blob/main/config/roles.yml#L363-L401
The system index list also does not contain a link between the system index and the plugin that its associated with.
What solution would you like?
Ideally, there is an established link between a plugin and its security resources (roles + system index). There is a formal link between a plugin and its system indices through the SystemIndexPlugin extension point.
If there is a formal link between a plugin and its security resources, it may be possible to add the security resources or remove them on install/uninstall to prevent having dangling references to roles which cannot provide any functionality if a plugin is removed.
What alternatives have you considered?
Keep the same practice that exists today.
Do you have any additional context?
For additional context, the security plugin tracks system indices because the security plugin gives special system index protection that does not allow any regular user to meddle with a system index.
[Triage] Thank you for filing this issue @cwperks. It would be great to establish a link between plugin and security resources for better management.