[DOC] Add documentation for permission-able system indices

[DarshitChanpura]

What do you want to do?

• Request a change to existing documentation
• Add new documentation
• Report a technical problem with the documentation
• Other

Tell us about your request. Provide a summary of the request and all versions that are affected.

There is a new feature in flight, which allows system indices to now be accessible similar to a regular index, to offload some super-admin work to a regular user. The idea behind this to mitigate escalation of privileges required to access a system index. Plugins currently assume the role of super-admin when accessing their system index, and are inherently trusted. This new feature sets up the base of service-accounts which once implemented can be associated with plugins and can then be granted access to their own system index.

Docs needed:

• Document that this new feature is toggle-able by super-admin
• Once enabled, super-admin along-with anyone that has the permission restapi:admin/roles to modify a role can now grant system-index permission to self/other users.
• Security index is an exception to this and a permission to it cannot be granted.
• Super-admin accepts the risk that once enabled this feature opens access to system indices, which may contain sensitive information, by a regular user.

What other resources are available? Provide links to related issues, POCs, steps for testing, etc.

• PR: System index permissions security#2887
• Feature Request: [Feature] Update SecurityIndexAccessEvaluator to support new index permission security#2553
• META issue: [META] System Indices access for Extensions security#2529

Note: We are targeting 2.10 for feature release.

[cwillum]

@DarshitChanpura Thanks again for generating this doc issue. I've been reviewing related security issues and PRs to get better context of this change and how this new permission is used. I still can't tell if it was decided to create a new flag that enables this permission and a second to list an array of system indexes that can be accessed by someone with this permission. Is that still part of the plan here? If yes, has that been decided yet, the name of the new flags (settings)?

[DarshitChanpura]

Yes, a feature control flag has been added via opensearch-project/security#2887.

The setting key is labelled as : plugins.security.system_indices.additional_control.enabled and will be enabled by default for new clusters.

[cwillum]

@DarshitChanpura Thanks for the answer. So this is the only new setting? There is NOT a second that allows you to specify individual system indexes that are turned on when enabled? I'm guessing not. But I want to confirm (for example, the suggestion made by cwperks in this comment: opensearch-project/security#2553 (comment). This idea is no longer in play, right?).
Last, is this setting made in config.yml or opensearch.yml?

[DarshitChanpura]

So this is the only new setting? There is NOT a second that allows you to specify individual system indexes that are turned on when enabled? I'm guessing not. But I want to confirm (for example, the suggestion made by cwperks in this comment: opensearch-project/security#2553 (comment). This idea is no longer in play, right?).

Correct, there is only one setting and that is to toggle the feature.

Last, is this setting made in config.yml or opensearch.yml?

This setting will be in opensearch.yml