Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Full resource name security for OpenSearch entities: Templates, Aliases, Pipelines #3665

Open
mrMigles opened this issue Nov 7, 2023 · 4 comments
Open

[FEATURE] Full resource name security for OpenSearch entities: Templates, Aliases, Pipelines #3665

mrMigles opened this issue Nov 7, 2023 · 4 comments
Labels
enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@mrMigles
Copy link

mrMigles commented Nov 7, 2023
edited
Loading

Is your feature request related to a problem?

We're implementing security configurations for OpenSearch based on database as a service approach.
So we allow every user to work with indexes it owns, in our cases which start from {username} prefix.
For example, user1 can create/update/write/read to index user1-test, but can't to user2-test.
We reached it with the role:

{
  "admin_role" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops",
      "indices:data/read/scroll/clear",
      "indices:admin/index_template/put",
      "indices:admin/index_template/get",
      "indices:admin/index_template/delete"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "${attr.internal.username}*"
        ],
        "allowed_actions" : [
          "indices:*",
        ]
      },
      {
        "index_patterns" : [
          "*"
        ],
        "allowed_actions" : [
          "indices:admin/resize"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}

We previously faced an issue, that it is not possible to strict creating aliases with specific name, but it's not critical, because created alias can't linked with index of user don't have permission to.

Most important problem that we can't configure granular security for Index Templates.

We would like user to create only Template with allowed name ({username} prefix), and specify "index_pattern" only indexes, allowed by security pattern ({username} prefix). But now OpenSearch security requires to add template cluster wide permissions and there are no granularity for name pattern.

What solution would you like?

  1. First of all I think we need additional configurations for Roles, targeted to Templates, Aliases and Pipelines (probably I missed something else).
    Something like:
"index_permissions" : [
      {
        "index_patterns" : [
          "${attr.internal.username}*"
        ],
        "allowed_actions" : [
           "indices:*",
        ]
      }
  ],
"template_permissions": [
  "template_patterns" : [
          "${attr.internal.username}*"
        ],
        "allowed_actions" : [
          "template_all"
        ]
      }
  ],
"alias_pemissions": [
  "alias_patterns" : [
          "${attr.internal.username}*"
        ],
        "allowed_actions" : [
          "alias_all"
        ]
      }
  ]

And when user tries to access entity with some name it should be checked with granular permissions, not cluster.

  1. There should be validation for Index Templates for index_pattern field to allow user to create templates only with index pattern they have an access (covered with their role).

Do you have any additional context?
Created after discussion Add any other context or screenshots about the feature request here.
@mrMigles mrMigles added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Nov 7, 2023
@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Nov 8, 2023
@stephen-crawford
Copy link
Contributor

[Triage] Hi @mrMigles, thank you for filing this issue. Without seeing additional details in the form of either a pull request or design draft, it is not clear whether this feature is something the security plugin is able to support long term. If you would like to contribute towards either of these, that could help bring the maintainers towards a conclusion about this request.

Thank you.

@mrMigles
Copy link
Author

Hi @scrawfor99,
I created this Feature request to understand is in interesting for OpenSearch community or not and to find someone who also needs such feature. If this requirement corresponds the targets of OpenSearch security evolution I think we consider the development from our side and prepare Pull Request.

Thank you!

@cwperks
Copy link
Member

cwperks commented Dec 4, 2023

[Triage] @mrMigles It looks like there is some interest on this issue. If you have any high level design for this feature it would be helpful for the maintainers when reviewing this feature request.

@stephen-crawford stephen-crawford added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Dec 11, 2023
@peternied
Copy link
Member

I've got a prototype for resources permissions [1] to be used in conjunction with a new feature from OpenSearch call Views, maybe you can see how that case aligns with the scenarios you are considering.

  ...
  resource_permissions:
    - resource_type: "view"
      resource_ids: ["songs", "albums"]
    - resource_type: "search-template"
      resource_ids: ["top-billboard-songs"]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@peternied @mrMigles @cwperks @stephen-crawford