-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] Resource Permissions and Sharing #4500
Comments
Thanks for the proposal @DarshitChanpura ! This looks interesting! High-level comments- From what I understand, this proposal is targeting current roles and adding new This proposal talks in depth about plugins, can you add an example if such a resource is added by core. This could also pave the way for treating indices as resources and tying down an ACL with them. As this is introducing a new field/permission model, should this be a new |
Adding few more comments on each design question-
For backwards compatibility, I think this should be introduced with default behavior of treating For example, an existing role without resource permissions specified would be treated as equal to the following-
This would allow users upgrading to newer versions of OpenSearch where these permissions are introduced while letting users/admins define more granular access control methods. |
For the reasons mentioned in previous comment, I think |
I agree with the requirement, however, this could also break existing customers. If we can cover migrations/upgrades with enough tests, it should be okay to use a feature flag to enable it. However, I would prefer a flag to turn this functionality on/off smoothly for initial release as this could be a breaking change. |
For file change, kindly consider the changes being brought in by #3870 and ensure changes are compatible with the RFC. Since this introduces a new class in existing model, do you know if contents of this class are sent over transport channel with requests? If so, this could cause issues during ugprades in a mixed-version cluster. |
[Triage] Hi @DarshitChanpura, thanks for filing this issue. This proposal/rfc is for the resource permissions you are working on. I will go ahead and mark it as triaged. |
@shikharj05 Thank you for your comments.
Not sure if i completely understand what an ACL is. However, this proposal introduces 1 more layer which is closer to the resource being evaluated.
Index permissions should cover this correct? Or are you talking about merging resource permissions and index permissions? I'm not aware of any "resource" introduced by core.
We can consider this as a new config version, however the scope of #4493 might not overlap with this as that RFC discusses retiring v6 and this RFC talks about introducing a new property to a role. Having said that this should be be tested in mixed cluster scenario.
Proposed path for roles with no resource_permissions is to skip Resource Permissions evaluation entirely which essentially mimics
Agreed.
Since that is still in draft state I have not considered those changes here.
Agreed. This will have to be tested. Can you elaborate on what contents will be sent over transport channel? |
@nibix would love your inputs on this. |
@DarshitChanpura I think a good aim for action naming is to make them as succinct as possible to help cluster admins understand what they do based off of this short name. We could have the prefix of the action name be the resource type and allow plugins to specify what the type of resource is. i.e. In Anomaly-Detection the resource type could be
|
I agree with succinct naming, however the prefixes for transport actions are statically defined here. If we were to define plugin names as prefixes instead of |
Interesting proposal! That moves OpenSearch quite a bit into the direction of a whole application platform. My comments (completely IMHO) below: Configuration structure
I can understand the motivation for both. Both have pros and cons. The pro about However, I would like to take one step back first. Do I see it correctly that we have these dimensions?
While I am pretty sure that these dimensions can be modeled with the proposed Generally, to verify the real-world suitability of a new config format, I like to recommend to actually create some complete real-world examples, which incorporate several features for several different cases. Backwards compatibility considerations I have read the discussions about backwards compat. Just some random thoughts about this:
Code infrastructure: Extending I can think about two different way of extending Approach a): Add an empty method that can be overridden:
Approach b): Include the actual resource information here.
Code infrastructure: Privilege meta data I am deviating from the proposal a bit to make a related observation: In core OpenSearch, there is also no standardized interface to deduce required privileges from action requests. Instead, the security plugin has a quite involved logic to deduce required privileges from requests. See for example: security/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java Lines 601 to 631 in 2b5a811
security/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java Lines 623 to 808 in 2b5a811
Could it make sense to extend the proposal to enhance New config version So far the proposal for the new configuration is a pure super-set of the previous configuration. Thus, the new properties can be considered as a "progressive enhancement", which does not make a new config version necessary. I guess that introducing new config versions introduces significant pains (migration processes, tools, etc), which should be avoided if possible. |
This would be ideal. I also don't believe a new config version is necessary.
That data structure can be treated as a registry and an extension point could be introduced for plugins to register resource types. I see "views" is in that list and that could be considered a resource type. Since the new section of the role would be called |
+1, while this offers easier migration path, however this will make authorization decisions complicated with custom authZ. @DarshitChanpura - can you help list plugins performing custom authZ within the opensearch-project? I think this proposal can cover migrating these plugins away from custom authZ.
I think it should be okay to introduce this feature with a flag. i.e. fail-open with |
For example, consider Linux OS. Permissions on a file can be defined for file owner, group owner & others. i.e. resource permissions are dictated by ACL defined on the file. As an example, for OpenSearch, this could possibly translate to a Super Admin user being able to create a detector in AD plugin and adding an ACL to it that looks like - CRUD for super admin users & RU for users with anomaly_full_access role and R for others. For an incoming request, security plugin would first evaluate permissions based on the identity (caller of the request); next, request would be evaluated against resource(in this case a |
These are great thoughts/suggestions. This feature would require end to end testing to understand the migration path for plugins with custom authz schemes. However, the idea is to enforce those plugins to use security plugin as the standard for any authorization which would be considered breaking change for plugins but the end user experience remains the same (except now they have to have resource permissions, of course).
I'm leaning towards
My understanding is that resource names would be extracted from the API request as is before forwarding those to transport action calls. I'm not entirely sure if we need to expand and resolve resource names similar to index-pattern. If we do then, we will have to develop an API to fetch all resources and resolve them based on the pattern supplied, similar to IndexResolverReplacer. This might need a deeper look.
This sounds like a good approach. However it also relies to plugins registering the resource types. If we are to move with this path then we would have to highlight that all plugins that will be utilizing this new authz scheme should register the resource types. AFAIK, keeping a consistent prefix avoids a lot of problems around validation and we already have redundancy in cluster_permissions and index_permissions.
From my knowledge and talking with @cwperks, these plugins currently perform custom authZ: alerting, anomaly-detection, ml-commons and flow-framework.
I'm not sure if we have a concept of ACL today, but wouldn't it be similar to creating roles like |
@DarshitChanpura I had some more recent thoughts on Resource Permissions and wanted to run them by you. I think Resource Permissions are fundamentally about sharing a resource created by some user. I was thinking about what it would take to create a Searchable Photo Album plugin (Hackathon idea) where users of the plugin can share their photo albums with others to add photos, add captions, etc. Each resource should have a resource user, the user that creates the resource. The resource user, should have the ability to allow others to interact with their resources (either explicitly adding someone by username or perhaps someone that shares a role/backend role) I'm starting to think about the Job-Scheduler SPI model where the security plugin can listen to index operation on resource indexes and then store the resource user centrally along with the docId of the resource, the resource index, the resource user and what level of access ( Also I'm now thinking that resources should not have unique names. i.e. You and I can both have photo albums called Let's say user1 is trying to upload a photo to user2's photo album, how would the authz work?
For a user's own resource, they can continue to be authorized using the I'm still thinking through this idea some and I will reply back with another comment once its more complete. |
@cwperks I think your idea also aligns with Resource ACLs. ACLs would allow a user to create a resource and define an ACL on it. i.e. permissions will be defined on the resource and not defined on user requesting access. |
+1 to @shikharj05's comment. I like this idea @cwperks, however we are moving towards a more ACL approach where the resource "owner/creator" has the right to define ACL's to the resource. At present, the "owner" of these resources is admin or someone who has access to manage roles, and these admins can then define access levels to individual resources or resource patterns. Allowing the ability to share resources is an administerial task. For what you are suggesting, the idea of a cluster admin might change to allow a regular user more control over their own resources. I personally am in favor of adding such a feature however this might be a v2 of this or a separate feature overall. |
Outstanding Questions:
Please let me know your thoughts and any questions. |
@shikharj05 @nibix @cwperks I have updated the design to follow a new approach that is more scalable. Please review it and add comments. If you would prefer to review via google doc, lmk. |
This feature will be released under |
Nice job @DarshitChanpura specifically taking all the feedback in stride and reworking the design to fit the comments and concerns :) |
@shikharj05 @nibix @willyborankin @cwperks @derek-ho I have update the design slightly to include scopes for individual or group access to a resource. Please review whenever you get a chance and let me know if there are any comments/concerns. |
@DarshitChanpura From an implementation perspective how will security differentiate between read operation and write operation? Would it be done in the |
hasPermission will be tweaked to hasPermission(resource, scope) where scope will default to read_only. Plugin owners are responsible for calling with correct scope. Let me know if you have a different approach in mind |
Great work on the design updates! Some comments-
What are your thoughts about adding a more generic AuthZ plugin interface in core OpenSearch? ResourcePlugin can be an implementation in SecurityPlugin with other existing methods. This would align with vision proposed in opensearch-project/OpenSearch#5834 and pave the way to make AuthZ more extensible as proposed in #4702
Can we layout what it would look like to add support for patterns? |
ResourcePlugin should be defined in core as it defines a new type of plugin that declares resources that are shareable. I can add another scaffolding for declaring AuthZ contracts, which ResourcePlugin can then extend. However, ResourcePlugin should not be moved to security.
This would require reading all users, roles and backend_roles from configuration (or config cache) then resolving them to concrete entity names. And this would need to happen every-time access is checked for the resource which might become memory intensive. Hence, it is not included by design. |
In cwperks#26, I explored making the security plugin an ExtensiblePlugin and spiked on creating a SPI approach for this RFC. In general I think its a good approach to the problem in this RFC or for making authz pluggable. If used for this RFC, there would need to be a change in core to relax the rule on extended plugins to make them optional instead of required. Example PR: cwperks/OpenSearch#209 ^ One advantage of the SPI approach (at least in the context of this RFC) is testability. It would allow us to maximize changes in the Security plugin (minimize core changes) and provides good testability where it doesn't rely on changes merged into core for testing. |
SPI approach is good, however it creates a dependency on Security Plugin to be declared for plugins like AD to utilize the APIs similar . With this approach there is a clear definition of different types of plugins and doesn't declare any requirements on Security Plugin. |
With a small change in core like cwperks/OpenSearch#209, it removes the requirement. Not sure if there is appetite for a change like that, but it would remove the restriction that extended plugins are required. i.e. if changed, then AD can be installed even if JS is not installed in the cluster. Currently it makes sense because any instance of extendedPlugin is required, but I think there's a case to be made for this use-case from security. i.e. If you have a plugin that implements the SPI and security is installed on the cluster then you get the resource sharing feature. If security is not installed on the cluster, you can still install the dependent plugin but rely on noop implementation where there is no resource authorization. In noop, all users have full access created to resources created by any user. |
In the current design drafted here (opensearch-project/OpenSearch#16030), I've introduced ResourceAccessControl Plugin type which, for now, can either be No-op or Sec plugin. The implementing plugins are not aware of the underlying implementation and do not need to declare dependency on Security. Instead they simply use the APIs provided by ResourceAccessControlPlugin.java class and get a response back. |
With the latest discussion on opensearch-project/OpenSearch#16030, the focus has now shifted to an SPI model. In addition, the share/revoke model will be now exposed as a REST api and a DLS check will be implemented to auto filter results for resource-indices. PRs soon to follow. |
Resource Sharing
Status Quo
Currently, there is no mechanism provided by the security plugin for plugins to utilize to provide fine-grained access control to own resources created by each plugin. Some plugins have addressed this by implementing their own custom authorization mechanism, however it is not sustainable for each plugin to handle resource-level FGAC using their own custom implementation. For example, in anomaly detection, granting permissions to delete detectors requires the user to be granted cluster:admin/opendistro/ad/detector/delete, which allows the user to delete all detectors in the cluster. Anomaly Detection has implemented their own authz mechanism.To address this, we are introducing a new concept of Resource Sharing. This feature introduces a new way of authorization in addition to existing RBAC authorization model.
Abstract:
With Resource Sharing, the high-level idea is that a resource owner determines how a resource can be shared with others. A user should be able to control access to the resources created by them. A cluster admin will not be able to control access unless they are defined as REST or TLS admins.
This will enable a collaborative usage of OpenSearch like never before. Quip is one of the well known tools around for document sharing and collaboration. With quip you can define documents private to you, or you can grant access to a group of people, or you can mark the document as public. Resource Sharing is following a similar approach where different access control scopes and levels can be defined to permission resources.
Motivation:
Due to the absence of any mechanism for resource access control, many plugins have resorted to implement custom authorization schemes to curb access to resources defined by such plugins. Here is one such example of a known public documentation for ML-Commons plugin (link) to control access to model groups.
ML Commons implements a robust authorization model that categorizes access to model groups into three distinct modes: public, private, and restricted. These modes provide flexible control over who can view and interact with model groups:
This approach is inspired by the ML Commons architecture and aims to provide a reusable mechanism for any plugin to leverage the Security plugin for resource sharing. By centralizing authorization within the Security plugin, plugin development is simplified, while ensuring that access control remains robust and scalable. This model also provides a clear pathway for migrating existing access control mechanisms from plugins to the Security framework.
Feature Implementation:
Components:
There are 3 major components to this design:
resource_sharing
index: This index will be stored centrally and will contain information about how a particular resource is shared.Assumptions:
A Resource is a document stored within a plugin’s system index, containing metadata about that resource. Examples of resources include Model Groups in ML Commons, Anomaly Detectors in anomaly-detection, and Detectors in alerting plugins.
The
.resource-sharing
index will always maintain a compound key that references the location of the original resource. This compound key consists of two components:This structure ensures a clear and direct link between the shared resource and its original location.
Index design:
The
resource_sharing
index document has following entries:source_idx
: The system index which resource metadata. This is usually the plugin’s system index.resource_id
: The id of the resource document defined in thesource_idx
.created_by
: Defined the user or a backend_role that created this resource.shared_with
: Defines access scope for this resource. It contains users, roles and backend_roles this resource is shared with. Access scope is defined in 3 ways:shared_with
entry exists, and containsusers
entry mapped to*
.shared_with
entry exists, and containsusers
entry not mapped to*
.shared_with
entry is empty or doesn’t exist.shared_with
will also contain the level of access that each user, role or backend_role may have. These are two scopes at presentread_only
andread_write
.Note: The relationship between entries in this index and the resource metadata stored in plugin’s index is many-to-one.
Here are 3 examples of entries in resource_sharing index, one for each scope.
NOTE: Each user, role and backend_role must be individually added as there is no pattern matching at present by design.
Code Implementation:
A new plugin type
ResourcePlugin
will be defined in OpenSearch. This is an extensible contract and will define core Java APIs to be used by plugins to check access:.resource-sharing
to define how a resource is shared.Security will add a concrete implementation to these APIs to determine access to a particular resource, and plugins will call these APIs to verify a user’s access to requested resource.
Flow Diagram:
Pros & Cons:
Test Plan
Will the feature require a security review?
This feature will require a security review to confirm that it correctly evaluates the scope of the requested resource.
Documentation
The documentation should be added for this feature detailing how users can utilize this feature.
--
Next Steps
Expand to see old design:
Allows users to use all Anomaly Detection functionality on selected resources, i.e., detectors
anomaly_full_access:
reserved: true
cluster_permissions:
- 'cluster_monitor'
- 'cluster:admin/opendistro/ad/'
index_permissions:
- index_patterns:
- ''
allowed_actions:
- 'indices_monitor'
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
resource_permissions:
- identifier_pattern:
- 'detector1'
- 'detector2'
allowed_actions:
- 'resource:ad/detectors/read'
Low-Level Design
Design Questions
*
(match_all) patterns for accessing resources? OR should they be individually listed under the role?detector_c*
can still be allowed but the question here is, should*
be prohibited as a resource_name pattern.ressource_permissions
be hidden behind feature flag?File Changes
List<String> resources
. This should then be implemented by plugins to populate this property when handling an actionRequest after which SecurityFilter.java will intercept this call to perform privilege evaluation. (It is important to note this change when creating a documentation to onboard plugin developers to this change)resource:
as a valid transport action prefix here.Resource
(Use the class Index as reference)The text was updated successfully, but these errors were encountered: