-
Notifications
You must be signed in to change notification settings - Fork 163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
configure new ML plugin actions #1182
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1182 +/- ##
=======================================
Coverage 71.78% 71.78%
=======================================
Files 88 88
Lines 2027 2027
Branches 269 269
=======================================
Hits 1455 1455
Misses 509 509
Partials 63 63
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there documentation around the new features that are being permissioned that would be helpful to read up on? From the new names structure is hard for me to understand the relationship between the permissions and their granularity.
e.g.
Added a new model metadata, automatically created on new models, can be manually created via an API call to create_model_meta. If the user has access to the model they can read the metadata. Only users with permissions can call the API to manually create the metadata.
From Fake Feature Documentation
'cluster:admin/opensearch/ml/execute', | ||
'cluster:admin/opensearch/ml/forward', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both forward/syncup seem like they apply to something rather than a top level permission, is this expected?
[Offline Recap] FYI @ylwu-amzn More changes might be needed to the backendThis change does not change any default permissions settings or register new permissions associated with roles or action groups. It only modifies the permissions that are displayed in the UI for the security plugin for admins to add/remove permissions in a couple of flows. If default permissions, roles, action groups, need to be changed those need to happen in the security backend's config files [1]. Permissions should only be created that impact users experienceThere is a permission in the current pull request Testing should be done with the security pluginThere are a couple of comments where there is a question of functionality - I am at a disadvantage answer these questions as the security plugin has not changed its model, but it sounds like considerable work has been done inside ML for its new features. In order to know if those features will work correctly or you'll need to see how you've changed the contract of the systems. [1] https://github.com/opensearch-project/security/tree/main/config |
To get more background on setting up for using with Security plugin, see this https://github.com/opensearch-project/security#onboarding-new-apis |
Signed-off-by: Yaliang Wu <[email protected]>
6de7930
No need, we have configured reserved roles before opensearch-project/security#1654
Agree, these internal actions were removed.
Yes , we have done test with security backend plugin (I guess @peternied knows better than me, security dashboard plugin is not necessary when do pen test as security plugin provides APIs ). This PR is just add new actions to security dashboard plugin, so user can configure action easily on UI. |
@ylwu-amzn Thanks for the confirmation, you are good to merge. Please create an issue to document these permissions - I couldn't find any references to those names within the OpenSearch project. |
Signed-off-by: Yaliang Wu <[email protected]> Co-authored-by: Chang Liu <[email protected]> (cherry picked from commit 1ae8e24)
Signed-off-by: Yaliang Wu <[email protected]> Co-authored-by: Chang Liu <[email protected]> (cherry picked from commit 1ae8e24)
Signed-off-by: Yaliang Wu <[email protected]> Co-authored-by: Chang Liu <[email protected]> (cherry picked from commit 1ae8e24)
Signed-off-by: Yaliang Wu <[email protected]> Co-authored-by: Chang Liu <[email protected]> (cherry picked from commit 1ae8e24)
Yes, tech writer is working on these documentation. |
Signed-off-by: Yaliang Wu [email protected]
Description
Configure new plugin actions for 2.4 release.
Category
Maintenance
Why these changes are required?
We need these actions for 2.4 release.
What is the old behavior before changes and new behavior after changes?
Old: no these actions
New: add these actions, so user can configure custom permission role
Issues Resolved
Resolve #1181
Testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.