Prevent regressions in Dashboard's dev tools permissions

cloud-gov / opensearch-dashboards-cf-auth-proxy

authentication proxy for use with Opensearch Dashboards

Other

0 stars 0 forks source link

Open bengerman13 opened 3 years ago

bengerman13 commented 3 years ago

In order to prevent regressions in intended permissions, the Dashboard dev tools app should have e2e tests for auth.

GIVEN I am not a platform-ops member
- [ ] WHEN I view the Opensearch Dashboard \ THEN I don't see links to "Dev Tools"
- [ ] WHEN I poke a Dev Tools URL \ THEN I have no ability to make changes

This change ensures we're not leaking information between users or letting users modify information as we make other changes in the proxy.

[ ] validate a match_all query doesn't return any results a user shouldn't see
[ ] validate queries in dev tools do not allow users to modify, create, or delete documents
We can use the Security API to write tests

rcgottlieb commented 2 years ago

Closed this when meaning to close the window but not the story. Reopened it so it is back in it's prior state.

markdboyd commented 1 year ago

However, we want admins to have access the dev tools console which can be helpful for debugging.

Unfortunately, there is no granular system for showing menu links based on user permissions: https://github.com/opensearch-project/security-dashboards-plugin/issues/857.

So this issue is blocked until Opensearch implements some sort of granular permissions system for menu links.

divanshurox commented 1 year ago

Hi, I had a similar use case where I just want the platform-admins to have access to the Dev Tools. Are you guys working on this?

markdboyd commented 1 year ago

@divanshurox This feature can't be implemented without upstream changes to the Opensearch security-dashboards-plugin: