
[BUG] Several actions cannot be delegated to users and must be run as an admin user #1878

Closed
peternied opened this issue Jun 7, 2022 · 4 comments
Labels
bug Something isn't working triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@peternied
Member

peternied commented Jun 7, 2022

What is the bug?
There are APIs, such as reloadcerts, which are only authorized for full admin users.

What is the expected behavior?
There should be granular permissions so that all actions in OpenSearch can be individually assigned. The large blast radius in production clusters when performing operational tasks goes against common security practices like least privilege.

Do you have any additional context?

Also, just noticed this, which gets in the way of me having an internal user run the refresh command. This could be its own permissions group, potentially.

Originally reported by @patcable in #1877

Other APIs that are admin-only:

  • nodesdn
  • allowlist
  • actiongroup
  • user / internalusers
  • roles
  • rolesmapping
  • tenants
@peternied peternied added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jun 7, 2022
@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Jun 7, 2022
@davidlago davidlago added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Oct 10, 2022
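What the delegation requested in this issue looks like in the security plugin's configuration, as an added example that is not part of the issue thread or of the linked PR: a dedicated role that may only inspect and reload TLS certificates, mapped to one internal user, next to the coarse pre-2.8 alternative of listing a broad role in `plugins.security.restapi.roles_enabled`. The setting name `plugins.security.restapi.admin.enabled` and the `restapi:admin/...` permission strings are taken from the OpenSearch security documentation as I understand it for 2.8 and later and should be checked against the release actually deployed; the role name `cert_ops`, the user `cert-rotator` and the settings file layout are placeholders chosen for the example.

```yaml
# opensearch.yml (every node; these settings need a node restart)
#
# Coarse model: any role named here may call the security REST API, but the
# endpoints this issue lists (reloadcerts, nodesdn, allowlist, actiongroups,
# internalusers, roles, rolesmapping, tenants) still demand an admin
# certificate regardless of the role. Listing all_access here is the
# "large blast radius" the issue describes.
plugins.security.restapi.roles_enabled: ["cert_ops"]   # not all_access

# Granular model (assumed from the OpenSearch docs for 2.8+, verify for your
# version): opt-in switch that lets restapi:admin/* cluster permissions
# replace the admin-certificate requirement for individual endpoints.
plugins.security.restapi.admin.enabled: true

# reloadcerts additionally requires hot reload to be switched on.
plugins.security.ssl_cert_reload_enabled: true
---
# roles.yml
#
# Least-privilege role: it can read certificate details and trigger a reload,
# and nothing else. It deliberately does not carry restapi:admin/internalusers
# or restapi:admin/rolesmapping, so a compromised cert-rotation job cannot
# escalate by editing users or mappings.
cert_ops:
  reserved: false
  description: "Inspect and hot-reload HTTP/transport certificates only"
  cluster_permissions:
    - "restapi:admin/ssl/certs/info"
    - "restapi:admin/ssl/certs/reload"
  index_permissions: []
  tenant_permissions: []
---
# roles_mapping.yml
#
# Map the role to a single internal user used by the rotation pipeline; do not
# map it to a backend role shared with humans.
cert_ops:
  reserved: false
  users:
    - "cert-rotator"   # placeholder internal user for the example
```

After applying the files (for example with `securityadmin.sh`), the check a practitioner wants is a negative one as much as a positive one: authenticating as `cert-rotator` should succeed against the certificate endpoints and be refused for `_plugins/_security/api/internalusers`, confirming that the delegated user cannot reach the user-management surface the issue lists as admin-only. If the cluster is older than 2.8, the `restapi:admin/*` permissions are not recognised and the admin-certificate requirement still applies to every endpoint in the list.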
@willyborankin
Collaborator

willyborankin commented Jan 3, 2023

Hi @davidlago and @peternied, our company is interested in fixing this problem, so I can prepare a PR for it. Wdyt?
Besides that, some endpoints do not work with the default security_rest_api_access, e.g. it is impossible to get NodesDn, but it is possible to change the plugin configuration, which is confusing.

@peternied
Member Author

@willyborankin That would be awesome, I'd love to see a PR!

@willyborankin
Collaborator

@peternied ok, will try to do it asap

@davidlago

Closing as #2411 was merged and released in 2.8
