Create a permissions check API for extensions to us with custom resources

[peternied]

OpenSearch should be responsible for inspecting the user, roles, resources to ensure standard practices are used. A permissions check API should be designed and implemented to offload this work from extensions creators.

• Design an API for extensions to use to check users permissions on a resource
  • First examine and consider the model used by Anomaly Detection plugin
  • Examine other plugins for permissions additional model that might need to be supported.
  • Consider any other permissions implementations that should be covered.
• Implement in OpenSearch
• Implement in the SDK, allowing for drop in replacement of anomaly detection.

[peternied]

For additional context checkout some anti-patterns, a pluginside permission check in AD, link. Read up more at for how detectors are configured and expressed as user stories https://opensearch.org/docs/latest/monitoring-plugins/ad/index/

[peternied]

Off the top of my head, it could look like this:

GET /security/checkResourcePermission
{
   // User is embedden in the requset
   "permissions": "NAME OF THE PERMISSION FOR THE RESOURCE",
   "resourceId": "The identifier of the resource",
   "additionalData": { "other information that can be used to process the request for allowing/disallowing"}
}