-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Enhancement] Use System index registry from the core to determine if a request matches system indices #4535
Comments
A couple of questions to look into further:
|
Is there an efficient way to form a "union" set of plugin's system indices across all nodes? |
I don't think this is a requirement today.
If a plugin registering a system index is not present on one of the nodes, the index won't be treated as system index on that node and hence this could lead to bad/unexpected behavior. For now, it might be okay to document this behavior and such plugins would still need to leverage |
That's what I was thinking as well. I will update our developer documentation and corresponding pages on the documentation website to accurately reflect what this setting does to provide protection to system indices for plugins in the cluster. |
We could potentially use the cluster state to keep track of the primary list |
This could potentially explode the cluster state by a lot. For e.g. consider a 100/500 node cluster with 30 plugins running. |
All PRs associated with this issue have now been merged. Closing the issue. |
Removing 2.16 label and adding 2.17. |
Currently, the security plugin uses an opensearch setting to track the list of system index patterns in the cluster. To enable system index protection requires a cluster admin to configure the following settings:
For concrete indices matching these patterns, the security plugin gives special protections that forbid regular users (including admin) from performing operations on these indices like writing to the index or deleting the index. The integrity of system indices is important for cluster operations and these indices are not meant to be meddled with by regular users.
OpenSearch core provides an extension point called SystemIndexPlugin that is intended for plugins that define system index patterns. In effect, this extension point creates a registry of system indices that is known to the core. Only a subset of default plugins that create system indices currently use the extension point.
Currently, the security plugin does not utilize this registry to determine if an incoming request contains indices that match system indices and instead relies on the configured setting.
The security plugin should take advantage of the system index registry in core to determine if a request matches system indices. This will have an advantage of plugin teams not needing to create an additional PR to the security plugin, but will also have a formal mapping from <plugin> -> Set<String> systemIndexPatterns which will help towards #4439 which is seeking to provide better system index protection in the plugin ecosystem.
The text was updated successfully, but these errors were encountered: