
Authorization check for extension REST Request #2527

Closed
cwperks opened this issue Mar 8, 2023 · 1 comment
cwperks commented Mar 8, 2023

Plugins currently permit users to perform actions registered by the plugin via roles. Below is an example of roles added for Anomaly Detection:

```yaml
# Allow users to read Anomaly Detection detectors and results
anomaly_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/ad/detector/info'
    - 'cluster:admin/opendistro/ad/detector/search'
    - 'cluster:admin/opendistro/ad/detectors/get'
    - 'cluster:admin/opendistro/ad/result/search'
    - 'cluster:admin/opendistro/ad/tasks/search'
    - 'cluster:admin/opendistro/ad/detector/validate'
    - 'cluster:admin/opendistro/ad/result/topAnomalies'

# Allows users to use all Anomaly Detection functionality
anomaly_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
    - 'cluster:admin/opendistro/ad/*'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'
        - 'indices:admin/aliases/get'
        - 'indices:admin/mappings/get'
```

For extensions, the actions also need to be permitted but the authorization cannot be performed on the Transport layer because the REST request is forwarded to the extension without ever hitting the transport layer.

Authorization needs to be built into the REST layer for requests destined for extensions (or other requests too?) to block the request before it is forwarded.

Extension REST handlers need a mapping to a string that identifies the action that can be permitted.
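The following is an added model of the REST-layer check the issue asks for; it is not code from the OpenSearch security plugin or from any extension. The two roles are the ones quoted above. Everything else is an assumption for the example: the route table that pairs each extension REST route (method plus path template with `{id}` segments) with its action string, the `cluster:admin/opendistro/ad/detector/write` action, the `/_extensions/example-ext/...` paths, and the one-entry expansion of the `cluster_monitor` action group. The point it makes is the one the issue implies: the decision happens before the request is forwarded, and a route with no registered action string is rejected rather than passed through.

```python
"""Model of a REST-layer authorization check for extension requests.

Added illustration, not code from the OpenSearch security plugin. The route
table, the action-group expansion and the {id} path-template syntax are
assumed; only the two anomaly-detection roles come from the issue text.
"""
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional

# Cluster permissions of the roles quoted in the issue (index_permissions are
# omitted because extension routes here map to cluster-level actions).
ROLES = {
    "anomaly_read_access": [
        "cluster:admin/opendistro/ad/detector/info",
        "cluster:admin/opendistro/ad/detector/search",
        "cluster:admin/opendistro/ad/detectors/get",
        "cluster:admin/opendistro/ad/result/search",
        "cluster:admin/opendistro/ad/tasks/search",
        "cluster:admin/opendistro/ad/detector/validate",
        "cluster:admin/opendistro/ad/result/topAnomalies",
    ],
    "anomaly_full_access": [
        "cluster_monitor",
        "cluster:admin/opendistro/ad/*",
    ],
}

# Constructed, simplified action-group expansion (the real plugin resolves
# action groups from its own configuration).
ACTION_GROUPS = {
    "cluster_monitor": ["cluster:monitor/*"],
}

# Hypothetical registration table: each extension REST route carries the
# action string it is authorized against. Paths and the write action are
# constructed for the example.
EXTENSION_ROUTES = {
    ("GET", "/_extensions/example-ext/detectors/{id}"): "cluster:admin/opendistro/ad/detectors/get",
    ("POST", "/_extensions/example-ext/detectors/_search"): "cluster:admin/opendistro/ad/detector/search",
    ("PUT", "/_extensions/example-ext/detectors/{id}"): "cluster:admin/opendistro/ad/detector/write",
}


class Decision(NamedTuple):
    allowed: bool
    action: Optional[str]
    reason: str


def _path_matches(template: str, path: str) -> bool:
    """Match a concrete path against a template whose {name} segments accept any value."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    for t, p in zip(t_parts, p_parts):
        if t.startswith("{") and t.endswith("}"):
            if not p:
                return False
        elif t != p:
            return False
    return True


def resolve_action(method: str, path: str) -> Optional[str]:
    """Return the action string registered for a REST route, or None if none is registered."""
    path = path.split("?", 1)[0]  # the query string never takes part in routing
    for (m, template), action in EXTENSION_ROUTES.items():
        if m == method.upper() and _path_matches(template, path):
            return action
    return None


def expand_permissions(role_names):
    """Flatten the user's roles into permission patterns, expanding action groups."""
    patterns = []
    for role in role_names:
        for perm in ROLES.get(role, []):
            patterns.extend(ACTION_GROUPS.get(perm, [perm]))
    return patterns


def is_permitted(action: str, role_names) -> bool:
    """True if any permission pattern (exact string or '*' wildcard) covers the action."""
    return any(fnmatchcase(action, pat) for pat in expand_permissions(role_names))


def authorize_rest(method: str, path: str, role_names) -> Decision:
    """Decide before forwarding: an unmapped route and an unmatched action both fail closed."""
    action = resolve_action(method, path)
    if action is None:
        return Decision(False, None, "route has no registered action; request not forwarded")
    if is_permitted(action, role_names):
        return Decision(True, action, "permitted by role")
    return Decision(False, action, "no role permission matches action")


if __name__ == "__main__":
    for method, path, roles in [
        ("GET", "/_extensions/example-ext/detectors/det-1", ["anomaly_read_access"]),
        ("PUT", "/_extensions/example-ext/detectors/det-1", ["anomaly_read_access"]),
        ("PUT", "/_extensions/example-ext/detectors/det-1", ["anomaly_full_access"]),
        ("DELETE", "/_extensions/example-ext/detectors/det-1", ["anomaly_full_access"]),
    ]:
        print(method, path, roles, "->", authorize_rest(method, path, roles))
```

The wildcard matching deliberately lets `*` span `/`, so `cluster:admin/opendistro/ad/*` grants every action under that prefix exactly as the full-access role intends; the read-only role, which lists exact strings, cannot reach the write action. The `DELETE` case shows the fail-closed path: nothing is forwarded to the extension until a handler has registered an action string for that route.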

@cwperks cwperks self-assigned this Mar 8, 2023
@cwperks cwperks converted this from a draft issue Mar 8, 2023
@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Mar 8, 2023
@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Mar 13, 2023
@stephen-crawford stephen-crawford added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Mar 20, 2023
@davidlago davidlago moved this to In Progress in Security for Extensions May 10, 2023
@davidlago davidlago moved this from In Progress to Awaiting Review in Security for Extensions May 11, 2023
@davidlago

#2590 supersedes this effort.

@github-project-automation github-project-automation bot moved this from Awaiting Review to Done in Security for Extensions Aug 21, 2023