Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.9.0
Describe the issue:
Hello,
We’re implementing security configurations for OpenSearch based on database as a service approach.
So we allow every user to work with indexes it owns, in our cases which start from {username} prefix.
For example, user1 can create/update/write/read to index user1-test, but can’t to user2-test.
We reached it with the role:
"index_permissions" : [
{
"index_patterns" : [
"${attr.internal.username}*"
],
"allowed_actions" : [
"indices_all",
"INDICES_ALL"
]
}
We previously faced an issue, that it is not possible to strict creating aliases with specific name, but it’s not critical, because created alias can’t linked with index of user don’t have permission to.
Most important problem that we can’t configure granular security for Index Templates.
We would like user to create only Template with allowed name ({username} prefix), and specify “index_pattern” only indexes, allowed by security pattern ({username} prefix). But now OpenSearch security requires to add template cluster wide permissions and there are no granularity for name pattern.
Is there any way how to configure role in such way?
Or may be plans to support this feature in the future?
Configuration:
Full admin role:
{
"admin_role" : {
"reserved" : false,
"hidden" : false,
"cluster_permissions" : [
"cluster_composite_ops",
"CLUSTER_COMPOSITE_OPS",
"cluster:monitor/main",
"cluster:monitor/health",
"indices:data/read/scroll/clear",
"indices:admin/index_template/put",
"indices:admin/index_template/get",
"indices:admin/index_template/delete"
],
"index_permissions" : [
{
"index_patterns" : [
"${attr.internal.username}*"
],
"allowed_actions" : [
"indices_all",
"INDICES_ALL"
]
},
{
"index_patterns" : [
"*"
],
"allowed_actions" : [
"indices:admin/resize"
]
}
],
"tenant_permissions" : [ ],
"static" : false
}
}
But it has a problem with templates, now user can create template with any name and they can be applied to any index (not only which user is allowed to create).
Relevant Logs or Screenshots:
Thank you in advice!