-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit Service Account permissions #3201
Comments
Looks good to me! |
[Triage] Thank you for filing this issue @peternied. This issue has clear expectations for action items (completing the check list) so going to mark as triaged. |
@peternied What if this did not rely on a role at all and instead extension initialization included a With this setting, the ExtensionsManager will have a mapping from Can the service account not be mapped to any roles at all and only carry the identity of the extension? Within the SystemIndexAccessEvaluator it can lookup if a request is coming from an extension's service account and determine if the extension is making the request on only its set of reserved indices and no other indices or else fail the request. The implementation of service account tokens I did in opensearch-project/opensearch-sdk-java#892 to show the SDK integrated with security for extensions does this if you'd like to see an example. |
This task has already been triaged, pointed, and scheduled in the current sprint, I'm not sure what you are asking? |
@peternied I'm concerned that it could be confusing to have a role like
but effectively we introduce logic to "whittle it down" to
behind the scenes. (At least that's what I'm understanding this issue to be from the description). Is my understanding incorrect? If we can modify the SystemIndexAccessEvaluator to lookup the extension's settings based on its principal then we can determine if that principal is associated with the system indices being acted upon. I think its simpler and logic does not need to be introduced to "whittle down" a role. |
@cwperks that is the correct observation. It is intentional to be strange, because its easy to implement and easy to revert without breaking deployed services accounts if/when we invest more into this space. Since extensions are not in active development, features such as service accounts are minimally built up to support these scenarios and we can improve on them as provides value. Since this is already costed and included in the sprint change this design is a signal to remove it from the sprint. Lets move the meta discussion to an internal channel were we figure out how to handle this item. |
For the initial release permissions for service accounts are going to be locked down so they only can be used with explicitly granted system indexes
Exit Criteria
The text was updated successfully, but these errors were encountered: