Add filter for service account access to non system indices

Signed-off-by: Ryan Liang <jiallian@amazon.com>
RyanL1997 · Oct 26, 2023 · a08c251 · a08c251
1 parent 04c96d5
commit a08c251
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
@@ -43,10 +43,7 @@
 import org.opensearch.security.user.User;
 import org.opensearch.tasks.Task;
 
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
+import java.util.*;
 import java.util.stream.Collectors;
 
 /**
@@ -153,6 +150,16 @@ public PrivilegesEvaluatorResponse evaluate(
         return presponse;
     }
 
+    /**
+     * Checks if user is a service account user
+     * @param user request which contains attribute of service account
+     * @return true if a match is found, false otherwise
+     */
+    public Boolean isServiceAccount(final User user) {
+        Map<String, String> userAttributesMap = user.getCustomAttributesMap();
+        return userAttributesMap != null && "true".equals(userAttributesMap.get("attr.internal.service"));
+    }
+
     /**
      * Checks if request is for any system index
      * @param requestedResolved request which contains indices to be matched against system indices
@@ -235,6 +242,13 @@ private void evaluateSystemIndicesAccess(
         boolean containsSystemIndex = requestContainsAnySystemIndices(requestedResolved);
 
         if (isSystemIndexPermissionEnabled) {
+            if (isServiceAccount(user) && !containsSystemIndex) {
+                auditLog.logSecurityIndexAttempt(request, action, task);
+                log.info("{} not permitted for a service account {} on non system indices.", action, securityRoles);
+                presponse.allowed = false;
+                presponse.markComplete();
+                return;
+            }
             boolean containsProtectedIndex = requestContainsAnyProtectedSystemIndices(requestedResolved);
             if (containsProtectedIndex) {
                 auditLog.logSecurityIndexAttempt(request, action, task);