Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resource type and identifiers in OpenSearch #3889

Open
3 tasks
Tracked by #3873
peternied opened this issue Dec 22, 2023 · 1 comment
Open
3 tasks
Tracked by #3873

Resource type and identifiers in OpenSearch #3889

peternied opened this issue Dec 22, 2023 · 1 comment
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@peternied
Copy link
Member

peternied commented Dec 22, 2023
edited
Loading

Description

When views are accessed data shall be provided to downstream systems to reason if a request is authorized or not. While identity work has started in OpenSearch plugins such as the Security plugin are the current standard for access control - modification to the existing identity interfaces is out of scope for this effort.

Create a mechanism to allow for requests to convey the resource that is being accessed and the identifier of this resource, in this case a view and the view_id, but this could be a machine learning model and its id or a credential and its identifier. This issue contains an initial proposal built in a proof of concept, but is not hard requirements for the feature.

[Proposal 1] Resource Request

In order to permissions views OpenSearch needs a way to consistently refer to them, this is a generic problem and views will be a first use case. Resource requests require a map of types to identifiers for the request, multiple resources could be part of a single request, but only one of each type.

Considering the request to search a view, POST /view/{view_id}/_search, the path parameter 'view_id' is the type and the value from the request would be the identifier.

public interface ResourceRequest {
   /** Returns the resource types and ids associated with this request */
    Map<String, String> getResourceTypeAndIds();

    /** Validates the resource type and id pairs are in an allowed format */
    public static ActionRequestValidationException validResourceIds(
        final ResourceRequest resourceRequest,
        final ActionRequestValidationException validationException
    ) {;}
}

It would be ideal if this information could be accessed at the RestLayer - less resources spent on rejected requests - but at the TransportLayer will also be needed.

Exit Criteria

  • Resource interfaces
  • Resource validation patterns
  • Expose resource type & id mappings to downstream system
@peternied peternied mentioned this issue Dec 22, 2023
Open
13 tasks
@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Dec 22, 2023
@stephen-crawford
Copy link
Contributor

[Triage] This is related to the same linked RFC and prototype for resource based permissions. We can mark this as triaged.

@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 8, 2024
@peternied peternied mentioned this issue Feb 7, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@peternied @stephen-crawford