security icon indicating copy to clipboard operation
security copied to clipboard
verified publisher icon opensearch-project

[FEATURE] Create DenyList.yml

Open derek-ho opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? We currently have AllowList.yml. However this isn't generally feasible for many use cases. A more reasonable use case is when a cluster admin wants to explicitly deny permission to a certain few endpoints. We should provide a mechanism to allow for this, instead of blocking all endpoints except for a few. What solution would you like? An equivalent to AllowList.yml, but for denial. What alternatives have you considered? None Do you have any additional context? No

derek-ho avatar Oct 24 '24 19:10 derek-ho

[Triage] Thank you for filing this issue @derek-ho. Can you provide an example configuration?

Typically with security its preferred to deny all by default and explicitly allow routes then the opposite. In what situations would a denylist be preferred than an allowlist?

cwperks avatar Oct 28 '24 15:10 cwperks

@cwperks the main impetus for this issue is this thread on the slack: https://opensearch.slack.com/archives/C051Y637FKK/p1729457231761789. I think a common use case may be that a cluster admin wants to enable searching on data, but doesn't want users to perform actions like changing any cluster settings. That would be difficult today, where the only avenue is allowlisting, which means they would need to enumerate all common cluster operations instead of explicitly denying the ones they want to.

derek-ho avatar Oct 28 '24 16:10 derek-ho