Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11 (Amazon OpenSearch Service OpenSearch_2_11_R20231113-P1)
Describe the issue:
Dears,
I configured roles restricting access to an index using the "index permission" feature, specifying an index pattern.
For instance: role "app1-reader" has read permission on indices that start with "app1-*".
I'd like to do the same with pipelines.
So, role "app1-reader" would have access restricted to only the pipelines that start with "app1-*".
It would be able to "GET _ingest/pipeline/app1-test", but not "GET _ingest/pipeline/app2-test".
How can I do this?
Configuration:
I configure my domain using the Terraform opensearch-project/opensearch provider. There it has "index_patterns" (also "tenant_patterns"), but I can't see something like "pipeline_patterns", nor in the Dashboards interface.
```hcl
resource "opensearch_role" "app1-reader" {
  role_name = "app1-reader"
  index_permissions {
    index_patterns = ["app1-*"]
    allowed_actions = [
      "read",
      "indices_monitor",
      "indices:admin/get" # action name reconstructed; the original post's text was garbled here
    ]
  }
  tenant_permissions {
    tenant_patterns = ["app1"]
    allowed_actions = [
      "kibana_all_read"
    ]
  }
}
```
Relevant Logs or Screenshots:
N/A
It seems the ingest pipeline doesn't have fine-grained access control; can you open an issue here: Issues · opensearch-project/security · GitHub?
pablo
January 19, 2024, 9:11pm
I agree with @gaobinlong. The pipeline permission is set at the cluster and admin levels (i.e. cluster:admin/ingest/pipeline/get).
At the cluster permission level, you can either allow or deny managing a feature (i.e. pipelines).
I wouldn't treat it as a bug but rather as a feature request.
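To make the cluster-level behaviour concrete, here is a small policy simulator (an added example, not code from the thread or from the OpenSearch Security plugin) that models the role from the question plus the only grant available for pipelines today, a cluster permission with no resource pattern. The action-group table is a deliberately tiny stand-in for the plugin's real groups, and the `indices:admin/get` action and `app1-documents` resource names are assumed sample values.

```python
import fnmatch

# Simplified model of how the OpenSearch Security plugin evaluates a role:
# index_permissions carry index_patterns, cluster_permissions carry no
# resource pattern at all. Only two action groups are expanded here; the
# real plugin defines many more. This is an illustration, not plugin code.
ACTION_GROUPS = {
    "read": ["indices:data/read/*"],
    "indices_monitor": ["indices:monitor/*"],
}

# Role mirroring the thread's app1-reader, plus a cluster-level grant for
# reading pipelines (the only way pipelines can be granted today).
APP1_READER = {
    "index_permissions": [
        {"index_patterns": ["app1-*"],
         "allowed_actions": ["read", "indices_monitor", "indices:admin/get"]},
    ],
    "cluster_permissions": ["cluster:admin/ingest/pipeline/get"],
}

def expand(actions):
    """Expand action-group names into concrete action patterns."""
    out = []
    for a in actions:
        out.extend(ACTION_GROUPS.get(a, [a]))
    return out

def action_matches(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def is_allowed(role, action, resource):
    """Return True if `action` on `resource` is permitted by `role`."""
    if action.startswith("indices:"):
        for perm in role.get("index_permissions", []):
            if (any(fnmatch.fnmatchcase(resource, p) for p in perm["index_patterns"])
                    and action_matches(expand(perm["allowed_actions"]), action)):
                return True
        return False
    # Cluster-level actions: only the action name is checked; the resource
    # (here the pipeline id) plays no part, so the grant is all-or-nothing.
    return action_matches(expand(role.get("cluster_permissions", [])), action)

if __name__ == "__main__":
    for action, res in [("indices:data/read/search", "app1-documents"),
                        ("indices:data/read/search", "app2-documents"),
                        ("cluster:admin/ingest/pipeline/get", "app1-test"),
                        ("cluster:admin/ingest/pipeline/get", "app2-test")]:
        print(f"{action:36} {res:15} -> {is_allowed(APP1_READER, action, res)}")
```

Running it shows index reads on app2-* denied while pipeline GET on app2-test is still allowed, which is exactly the gap the feature request is about.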
Ok, thanks anyway. I created the feature issue below.
opened 07:05PM - 24 Jan 24 UTC
**Is your feature request related to a problem?**
My OS domain is shared with many applications. Each app has an internal user that can only access indices that start with the username.
For instance, app1 has user "app1", which can only create and read indices that start with "app1-...", such as the index "app1-documents".
I do this, in Terraform language, by creating a role for each app that has this definition:
```hcl
resource "opensearch_role" "role_app1" {
  role_name = "app1"
  index_permissions {
    index_patterns = ["app1-*"]
    [...]
```
I also do the same with tenants, using "tenant_patterns" inside a "tenant_permissions" block.
My problem is that I want to do the same with ingest pipelines, but there isn't such a feature, neither in Terraform nor in the Dashboards role definition.
**What solution would you like?**
I want to, in a role definition, create a "pipeline_permission" block with "pipeline_patterns" as in the example above.
For instance:
```hcl
resource "opensearch_role" "role_app1" {
  role_name = "app1"
  index_permissions {
    index_patterns = ["app1-*"]
    [...]
  }
  pipeline_permissions {
    pipeline_patterns = ["app1-*"]
    allowed_actions = [
      "cluster:admin/ingest/pipeline/delete",
      "cluster:admin/ingest/pipeline/get",
      "cluster:admin/ingest/pipeline/put",
      "cluster:admin/ingest/pipeline/simulate",
      "cluster:admin/ingest/processor/grok/get"
    ]
  }
```
**Do you have any additional context?**
Besides allowing this on Dashboards, update the Terraform opensearch provider to also allow this configuration.