[Feature Request] Explicitly declare what transport actions a plugin will perform and prompt on plugin install #15958
Comments
cwperks
added
enhancement
|
In the case of the audit log index of the security plugin, the name of the audit log index could change based on cluster settings.
The settings may not be fully available at installation time. |
I believe the permissions should be declarative and non-dynamic (which programmatic implementation brings with it), |
|
@reta One of the challenges that I faced with the security plugin, for the audit log as an opensearch index use-case, is that the final index that security needs permission to is only known after the settings are read. My solution around this problem was to show the default value on the installation prompt and leave a message:
Does that sound reasonable to you? Section of the installation prompt around requesting explicit permission to perform cluster actions and index actions: |
|
Yes, that's a good idea. Maybe something like: |
Is your feature request related to a problem? Please describe
This issue is coming from a conversation from here
In some cases, plugins need to perform transport actions and have a guarantee that the operation will succeed. When the security plugin is installed, transport actions will be authorized as the authenticated user[1]. In order to perform transport actions outside of the authenticated user context, a plugin will temporarily stash the ThreadContext and perform actions like interacting with a system index. In #14630 and opensearch-project/security#4665, a general method was added for system index access where a plugin is assigned a pluginSubject that they can use to directly replace instances of
try (ThreadContext.StoredContext ctx = threadContext.stashContext()) { ... }calls withpluginSubject.runAs(() -> { ...}). The advantage of the latter is that it allows the security plugin to enforce that plugins only interact with their own system indices and not system indices registered by other plugins.In opensearch-project/opensearch-plugins#238, it was pointed out that there may be instances other than system index access, that a plugin wants to perform an operation outside of an authenticated user context. I am opening this issue to discuss how plugins can declare what these actions will be and to prompt a cluster administrator at installation time to accept that a plugin will perform the requested actions.
The 2 instances pointed out are:
internal_opensearch). In this case, security needs a guarantee that it can write to the index even though it is not a system index.Describe the solution you'd like
I would like something analogous to
plugin-security.policythat can define what transport actions a plugin will perform. Minimally, it needs to be separated into 2 sections: 1) Cluster Actions and 2) Index Actions. Index Actions will need index patterns associated with the actions.One strategy is to define the actions in code and load a plugin at installation time to get its requested permissions. A POC for this strategy was done in this PR: #15778
Another strategy could be to have a yml file on the same level as
plugin-security.policyand define the requested permissions in the yml file.Related component
Plugins
Describe alternatives you've considered
Status quo where plugins can perform any transport actions within a
try (ThreadContext.StoredContext ctx = threadContext.stashContext()) { ... }block.Additional context
[1] When handling an API Request the security plugin will authenticate the request before delegating to the original handler. When an API Request is authenticated the security plugin will hydrate the threadContext with info about the authenticated user.
The text was updated successfully, but these errors were encountered: