-
Notifications
You must be signed in to change notification settings - Fork 473
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DOC] Add doc for Authorization in REST Layer #4381
Labels
3 - Done
Issue is done/complete
release-notes
PR: Include this PR in the automated release notes
security
v2.11.0
Milestone
Comments
15 tasks
cwillum
added
1 - Backlog
Issue: The issue is unassigned or assigned but not started
security
v2.9.0
labels
Jun 28, 2023
hdhalter
removed
1 - Backlog
Issue: The issue is unassigned or assigned but not started
security
labels
Jun 28, 2023
cwillum
added
1 - Backlog
Issue: The issue is unassigned or assigned but not started
security
and removed
untriaged
labels
Jun 28, 2023
Getting this started now. |
cwillum
added
2 - In progress
Issue/PR: The issue or PR is in progress.
and removed
1 - Backlog
Issue: The issue is unassigned or assigned but not started
labels
Jul 3, 2023
1 task
4 tasks
As per Dave, this has been moved to 2.10. |
@cwillum This is not going to make it for 2.10, moving to 2.11 - sorry for the shuffle. CC: @davidlago @hdhalter |
31 tasks
hdhalter
added
6 - Done but waiting to merge
PR: The work is done and ready to merge
release-notes
PR: Include this PR in the automated release notes
3 - Done
Issue is done/complete
and removed
2 - In progress
Issue/PR: The issue or PR is in progress.
6 - Done but waiting to merge
PR: The work is done and ready to merge
labels
Oct 2, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 - Done
Issue is done/complete
release-notes
PR: Include this PR in the automated release notes
security
v2.11.0
What do you want to do?
Tell us about your request. Provide a summary of the request and all versions that are affected.
Description of the Feature
The Security plugin has recently introduced a new feature. This addition enhances the plugin's capabilities by enabling user authorization for requested REST routes. Let's delve into the details of how this feature functions.
NOTE: This feature sits on top of existing authorization check at Transport Layer. No changes were made at Transport Layer.
During the registration of a new route, the plugin requires a unique name to be assigned to each route. This ensures that no duplicate names are used during the registration process. Additionally, the plugin provides the option to register a set of "legacy" cluster permissions for each route. These permissions, such as
cluster:admin/transport/
, serve as the criteria against which the route is evaluated when a user attempts to access it.Functionality of the Feature
The authorization process for this feature operates as follows: when a user initiates a REST request, their roles are examined, and each permission associated with the user is evaluated. The evaluation is conducted to determine if either of the following conditions is met: a match with the unique name assigned to the route or a match with any of the legacy actions defined during the route's registration.
For instance, let's consider a scenario where a user is assigned to role A. Here is an example configuration in YAML format:
Suppose the plugin has two registered routes under the
abcplugin
namespace as instance of NamedRoute:/_plugins/_abcplugin/route/get
registered with the unique namerouteGet
and associated with the legacy transport actioncluster:admin/opensearch/abcplugin/route/get
./_plugins/_abcplugin/route/delete
registered with the unique namerouteDelete
and associated with the legacy transport actioncluster:admin/opensearch/abcplugin/route/delete
.In this scenario, when the user makes a REST API call to
/_plugins/_abcplugin/route/get
, they will be granted authorization. The request flow will proceed as normal.However, if the same user attempts a REST call to
/_plugins/_abcplugin/route/delete
, they will be denied authorization and receive an error message.Goal of the documentation
Related issue: opensearch-project/security#2590
The text was updated successfully, but these errors were encountered: