[FEATURE] Add user level access control based on backend roles #668
Assignees
Labels
Comments
amitgalitz
added
enhancement
{
"password": "123alice!",
"backend_roles": [
"odfe"
],
"attributes": {}
}
{
"password": "123elk45!",
"backend_roles": [
"odfe",
"hr"
],
"attributes": {}
}
{
"password": "123bob45!",
"backend_roles": [
"opensearch"
],
"attributes": {}
}
{
"backend_roles": [],
"hosts": [],
"users": [
"alice",
"elk",
"bob"
]
}
|
5 tasks
Merged
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem?
What we have now:
If users want to send requests to the Flow-Framework plugin to create/get workflows, they should have appropriate permissions to perform the actions. The security plugin has two built-in roles to cover flow-framework use cases: flow_framework_read_access, and flow_framework_full_access.
What solution would you like?
Add security-based access control so that only authorized users have access to workflows created/owned by other users. This feature is similar to AD/Alerting plugin resource control where a user can only access the detectors/monitors when at least one of the back-end roles of the user matches with that of the detectors/monitors.
Users are mapped to back-end roles based on which we filter the workflows/templates that can be accessed by them. Whenever a user sends an flow-framework API request, along with verifying if they have appropriate permissions, we also check them against authorized back-end roles. Each user can have more than one back-end role.
Back-end role-based access control enable an additional layer of security where a user can access only those workflows that are owned by same back-end role users.
We should have a setting to enabled filtering by backend role like other plugins have.
We should follow exact same interface as AD has here : https://opensearch.org/docs/latest/observing-your-data/ad/security/#advanced-limit-access-by-backend-role
Task Breakdown
In order to enable access control based on backend role filtering we will need to make modification in all APIs
In summary we want to be checking the backend role of the user making the request and comparing it to the backend role of the user that created the template.
This feature will be enabled/disabled by a new setting:
filter_by_backend_rolesTasks
Tasks 1,2,3 can be done at the same time as task 4 and 5. (4, 5 don't depend on prior tasks)
Additional Consideration:
An additional request that customers have asked for in the past include the ability to change the backend role configured with a particular resource after creation. This is something that hasn’t been implemented in AD but has been implemented in Alerting and ML-Commons through model groups.
Alerting had a solution for this by adding a new field specifying the backend roles and adding logic for admins and other users to either set these fields or update them: opensearch-project/alerting#635 I estimate this will take around 2 weeks to add if we go for the same complexity
ML-Commons has a slightly different solution because they have different concepts of access through the model access groups, where they already had a different field for backendroles.
However if we see ourselves adding the ability to assign backend roles in the near future we might want to add a new backend role field already in our initial implementation.
The text was updated successfully, but these errors were encountered: