-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC] Retire support for config option config.dynamic.multi_rolespan_enabled
in config.yml
#4495
Comments
@scrawfor99 @cwperks @peternied @DarshitChanpura Another proposal for a simplification :) Would be curious on your opinion on this as well. |
Hi @nibix, I agree. Let's drop the false option. It serves no real value. |
[Triage] Hi @nibix, thanks for filing this issue. Going to mark as triaged. |
Breaking changes like removing config options are generally done on major releases. I'd be in favor of deprecating in 2.x and dropping it in 3.0.0, but I don't think it should be dropped in 2.x or else it could break some clusters. Edit: On further review, this feature is undocumented and does not provide clear benefit. I think the benefits from Optimized Privilege Evaluation outweigh support of this undocumented setting. |
Taking a fresh look at this RFC. This configuration option doesn't make any sense to me because there is a clear workaround where a cluster admin could always create a role that has all necessary permissions which would render When thinking about tradeoffs, I think the performance improvements from Optimized Privilege Evaluation outweigh the support for |
Background
I am asking for opinions and comments on the following topic because it influences the work on #3870.
Current situation
The OpenSearch security config file
config.yml
supports an option calledconfig.dynamic.multi_rolespan_enabled
.This config option is undocumented. Doing a search for it only returns hits which includes dumps of
config.yml
where the option with default value is just coincidentally contained in the config file:The only very brief mention of this option can be found in the docs of a related project:
Functionality
If this option is set to
true
(which is the default if aconfig.yml
file in version 2/7 is in use), privileges for a single OpenSearch operation can be collected from several roles. If this option is set tofalse
, privileges for a single operation must be located in exactly one role.This can pertain to actions or indices.
Several indices
If I issue a search request on indices
a
andb
, I need the privilegeindices:data/read/search
for both indices.With
multi_rolespan_enabled = true
, it is possible that the user has two different roles which provide the different privileges:With
multi_rolespan_enabled = false
, however, these roles would be not sufficient for a single search operation on both indices. Instead, a user would need to have a single role with both privileges:Several actions
For example, in order to issue a bulk index insert request, I need two privileges:
indices:data/write/bulk
indices:data/write/index
With
multi_rolespan_enabled = true
, it is possible that the user has two different roles which provide the different privileges:With
multi_rolespan_enabled = false
, however, these roles would be not sufficient for a bulk index operation. Instead, a user would need to have a single role with both privileges:The set of operations which require two privileges at once is very limited, all can be quickly found by checking the code at:
security/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
Line 601 in 6dedfb4
This shows that the following operations need two privileges:
_bulk
,indices:data/write/bulk
: requiresindices:data/write/bulk
and depending on the bulk item typeindices:data/write/index
,indices:data/write/delete
orindices:data/write/update
indices:admin/shards/search_shards
requires additionallyindices:data/read/search
_aliases
,indices:admin/aliases
with an item typeremove
needs additionallyindices:admin/delete
indices:admin/create
with a specified alias needs additionallyindices:admin/aliases
cluster:admin/snapshot/restore
needs additionallyindices:admin/create
,indices:data/write/index
-- but only if the config optionplugins.security.check_snapshot_restore_write_privileges
is set to trueDefault value
On OpenSearch clusters where the
config.yml
configuration with_meta.config_version=2
is in use, this defaults totrue
.On OpenSearch clusters where a
config.yml
configuration from ODFE 0.x in version 1 is in use, this defaults tofalse
.Reasons for using the non-default value
multi_rolespan_enabled = false
Seriously, I do not know any reasons for using the non-default value
multi_rolespan_enabled = false
.Having the option set to
false
allows a more granular control over privileges.However, I would argue that this added granularity does not have any value:
a
in one request and additionally in indexb
in another request, but denying my to searcha
andb
at the same time.POST _aliases
API while allowing it me using the normalDELETE index
API.Current work
In the context of #3870, we need to re-write significant parts of the privilege evaluation code. Supporting
multi_rolespan_enabled
would significantly increase the complexity of the code - and thus also increase the necessary work and later maintenance effort.Proposal: Just drop it
In my opinion, it would be not economical to put any effort into an option that offers hardly any value.
Thus, I am proposing to drop support for that option. We should always behave like its value would be
true
-- the default value.As it is an undocumented option, I would argue that such a breaking change would be even possible in a minor version upgrade.
The text was updated successfully, but these errors were encountered: