[FEATURE] Add fine grained access control to ingest pipeline #3983

Closed
joaoolavobv opened this issue Jan 24, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@joaoolavobv

Is your feature request related to a problem?
My OS domain is shared with many applications. Each app has an internal user that can only access indices that start with the username.

For instance, app1 has the user "app1", which can only create and read indices that start with "app1-...", such as the index "app1-documents".

I do this in Terraform by creating a role for each app with this definition:

resource "opensearch_role" "role_app1" {
  role_name = "app1"
  index_permissions {
    index_patterns = ["app1-*"]
    [...]

I also do the same with tenants, using "tenant_patterns" inside a "tenant_permissions" block.

My problem is that I want to do the same with ingest pipelines, but there isn't such a feature, neither in Terraform nor in the Dashboards role definition.

What solution would you like?
I want to, in a role definition, create a "pipeline_permission" block with "pipeline_patterns" as in the example above.

For instance:

resource "opensearch_role" "role_app1" {
  role_name = "app1"
  index_permissions {
    index_patterns = ["app1-*"]
    [...]
  }
  pipeline_permissions {
    pipeline_patterns = ["app1-*"]
    allowed_actions = [
      "cluster:admin/ingest/pipeline/delete",
      "cluster:admin/ingest/pipeline/get",
      "cluster:admin/ingest/pipeline/put",
      "cluster:admin/ingest/pipeline/simulate",
      "cluster:admin/ingest/processor/grok/get"
    ]
  }
}

Do you have any additional context?
Besides allowing this in Dashboards, update the Terraform opensearch provider to also allow this configuration.

joaoolavobv added the enhancement and untriaged labels Jan 24, 2024
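
A Python model of the check requested in the issue above, added here as an illustration and not code from OpenSearch or the Terraform provider: it compares an action-only decision with one that also matches the pipeline id against the role's "pipeline_patterns". The role schema, the function names, the sample requests and the fail-closed handling of missing, wildcard or comma-separated pipeline ids are assumptions.

```python
from fnmatch import fnmatchcase

PIPELINE_PREFIX = "cluster:admin/ingest/pipeline/"
ACTIONS = [
    PIPELINE_PREFIX + "delete",
    PIPELINE_PREFIX + "get",
    PIPELINE_PREFIX + "put",
    PIPELINE_PREFIX + "simulate",
    "cluster:admin/ingest/processor/grok/get",
]
# Constructed roles in the shape the issue proposes (hypothetical schema).
ROLES = {
    "app1": {"pipeline_patterns": ["app1-*"], "allowed_actions": ACTIONS},
    "app2": {"pipeline_patterns": ["app2-*"], "allowed_actions": ACTIONS},
}

def action_only_allows(role, action):
    """Unscoped model: the action name alone decides, whatever pipeline is named."""
    return action in ROLES[role]["allowed_actions"]

def scoped_allows(role, action, pipeline_id=None):
    """Proposed model: action granted AND the pipeline id matches a role pattern."""
    if not action_only_allows(role, action):
        return False
    if not action.startswith(PIPELINE_PREFIX):
        return True  # e.g. the grok pattern listing targets no stored pipeline
    # Assumption: fail closed when no single concrete pipeline is named
    # (missing id, wildcard, or comma-separated list).
    if not pipeline_id or "*" in pipeline_id or "," in pipeline_id:
        return False
    return any(fnmatchcase(pipeline_id, p) for p in ROLES[role]["pipeline_patterns"])

def cross_app_gap(role, requests):
    """Requests the unscoped model admits but the scoped model rejects."""
    return [(a, pid) for a, pid in requests
            if action_only_allows(role, a) and not scoped_allows(role, a, pid)]

# Constructed requests issued under role app1.
SAMPLE = [
    (PIPELINE_PREFIX + "put", "app1-enrich"),
    (PIPELINE_PREFIX + "delete", "app2-enrich"),
    (PIPELINE_PREFIX + "get", "app1-*,app2-enrich"),
    (PIPELINE_PREFIX + "get", None),
    ("cluster:admin/ingest/processor/grok/get", None),
]

if __name__ == "__main__":
    for action, pid in cross_app_gap("app1", SAMPLE):
        print("only blocked by scoping:", action, pid)
```
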
@stephen-crawford
Contributor

stephen-crawford commented Jan 29, 2024

[Triage] Hi @joaoolavobv, thanks for filing this issue. Based on this description, it sounds like you are looking for a form of resource-based permissions. At the moment, we are currently working on adding support for resource-based permissions but do not offer that feature: #3890. If you are interested more specifically in the permissioning of ingest pipelines, you can find some more info here: https://opensearch.org/docs/latest/ingest-pipelines/

Going to leave this untriaged in case you want to follow up, but I will close this in a week if we don't hear back. Thanks!

stephen-crawford removed the untriaged label Jan 29, 2024
@stephen-crawford
Contributor

Closing it per above.
