How to make true security for Index templates

mrMigles · November 1, 2023, 11:22am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch 2.9.0

Describe the issue:

Hello,

We’re implementing security configurations for OpenSearch based on database as a service approach.
So we allow every user to work with indexes it owns, in our cases which start from {username} prefix.
For example, user1 can create/update/write/read to index user1-test, but can’t to user2-test.
We reached it with the role:

"index_permissions" : [
      {
        "index_patterns" : [
          "${attr.internal.username}*"
        ],
        "allowed_actions" : [
          "indices_all",
          "INDICES_ALL"
        ]
      }

We previously faced an issue, that it is not possible to strict creating aliases with specific name, but it’s not critical, because created alias can’t linked with index of user don’t have permission to.

Most important problem that we can’t configure granular security for Index Templates.

We would like user to create only Template with allowed name ({username} prefix), and specify “index_pattern” only indexes, allowed by security pattern ({username} prefix). But now OpenSearch security requires to add template cluster wide permissions and there are no granularity for name pattern.

Is there any way how to configure role in such way?
Or may be plans to support this feature in the future?

Configuration:
Full admin role:

{
  "admin_role" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops",
      "CLUSTER_COMPOSITE_OPS",
      "cluster:monitor/main",
      "cluster:monitor/health",
      "indices:data/read/scroll/clear",
      "indices:admin/index_template/put",
      "indices:admin/index_template/get",
      "indices:admin/index_template/delete"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "${attr.internal.username}*"
        ],
        "allowed_actions" : [
          "indices_all",
          "INDICES_ALL"
        ]
      },
      {
        "index_patterns" : [
          "*"
        ],
        "allowed_actions" : [
          "indices:admin/resize"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}

But it has a problem with templates, now user can create template with any name and they can be applied to any index (not only which user is allowed to create).

Relevant Logs or Screenshots:

Thank you in advice!

Mantas · November 3, 2023, 2:15pm

Hi mrMigles,

You are correct the index template permissions are for indexes but applies globally to the cluster.
I had a quick look at the OpenSearch GitHub and could not see any request/plans for such a feature.
You could raise a new feature request in GitHub.

Let me know if you have any following questions.

Best,
Mantas

mrMigles · November 7, 2023, 12:57pm

Thank you for answer, I’ve created FR: [FEATURE] Full resource name security for OpenSearch entities: Templates, Aliases, Pipelines · Issue #3665 · opensearch-project/security · GitHub

Topic		Replies	Views
No permissions on indices:data/read/search template when the permission is attached in the role Security	10	7396	September 19, 2023
Roles and users Security configure	2	382	April 27, 2022
Internet user, permissions, roles and role mappings Security configure	3	464	March 3, 2022
Restrict access exclusively to 1 index Security discuss , configure	4	782	September 20, 2022
Change default index pattern with role // Discover feature Security configure	8	783	February 28, 2023

How to make true security for Index templates

Related Topics