How to restrict access to a specific pipeline pattern name?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.11 (Amazon OpenSearch Service OpenSearch_2_11_R20231113-P1)

Describe the issue:


I configured roles restricting access to an index using “index permission” feature, specifing a index pattern.

For instance: role “app1-reader” has read permission on indices that starts with “app1-*”.

I’d like to do the same with pipelines.

So, role “app1-reader” would have restriction access only to pipelines that starts with “app1-*”.

It would be able to “GET _ingest/pipeline/app1-test”, but not “GET _ingest/pipeline/app2-test”.

How can I do this?


I configure my domain using Terraform opensearch-project/opensearch. There it has “index_patterns” (also “tenant_patterns”), but I can’t see something like “pipeline_patterns”, neither in Dashboards interface.

resource “opensearch_role” “app1-reader” {
role_name = “app1-reader”
index_permissions {
index_patterns = [“app1-"]
allowed_actions = [
tenant_permissions {
tenant_patterns = [“app1”]
allowed_actions = [

Relevant Logs or Screenshots:


Seems ingest pipeline doesn’t have fine grained access control, can you open an issue here: Issues · opensearch-project/security · GitHub ?

I agree with @gaobinlong. The pipeline permission is set at the cluster and admin levels (i.e. cluster:admin/ingest/pipeline/get).

At the cluster permission level, you can either allow or deny managing a feature (i.e. pipelines).

I wouldn’t treat it as a bug but rather as a feature request.

Ok, thanks anyway. I created the feature issue bellow.