opensearch-project / alerting

📟 Get notified when your data meets certain conditions by setting up monitors, alerts, and notifications
https://opensearch.org/docs/latest/monitoring-plugins/alerting/index/
Apache License 2.0

[Feature Request] Alerting permissions separation #1451

Open rlevytskyi opened 7 months ago

rlevytskyi commented 7 months ago

Is your feature request related to a problem? Please describe

We have several teams at our organization with access to OpenSearch. We use Alerting a lot to make people aware of some events. Typically alerts are managed by the SA team, which has access to Alerting. We want to allow some Devs to create/edit their own alerts but don't want them to be able to change our alerts. I've carefully read the "Alerting Security" manual at https://opensearch.org/docs/latest/observing-your-data/alerting/security/ and found no way to accomplish the task. I.e. either we give the Devs team (teams) access to Alerting and they will be able to edit our alerts, or we have to create alerts for them.

Describe the solution you'd like

Probably some owner/editor/viewer set of attributes for every individual alert would make it possible to manage user's own or permitted alerts only.

Related component

Other

Describe alternatives you've considered

We have a test/staging installation where Devs can create and test the alerts; however, it's not possible to have Prod data there.

Additional context

No response

peternied commented 7 months ago

@opensearch-project/admin Could you please transfer this issue to the alerting repo?

scubbx commented 1 month ago

As described at https://opensearch.org/docs/latest/observing-your-data/alerting/security/#create-a-monitor-with-an-rbac-role, with the OpenSearch API it is possible to explicitly specify the backend roles that will be able to see and edit a specific monitor. Wouldn't it be possible to make this property available from within OpenSearch-Dashboards?

When creating or editing any monitor, a property containing backend-roles with access-permissions can be set via a multi-selection option. The options that can be selected are a list of all backend-roles the current user is mapped to.

By this, a single user can further restrict access to monitors for certain users without losing access themselves.
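The role-scoped monitor creation discussed in the comment above, as an added example that is not part of the thread or the project's code. The `rbac_roles` field and the `_plugins/_alerting/monitors` endpoint come from the linked documentation section; the function names, the role names, the monitor body values and the "share at least one backend role" access model (backend-role filtering enabled) are assumptions made for illustration.

```python
# Added illustration: build a create-monitor request whose rbac_roles are
# limited to backend roles the requesting user already holds, then model who
# can see/edit the result. Helper names and sample roles are hypothetical.

MONITORS_ENDPOINT = "/_plugins/_alerting/monitors"


def build_monitor_request(name, user_backend_roles, selected_roles):
    """Return (path, body) for a monitor restricted to selected_roles."""
    held = set(user_backend_roles)
    selected = list(dict.fromkeys(selected_roles))  # de-duplicate, keep order
    if not selected:
        # Assumption of this sketch: require an explicit choice.
        raise ValueError("select at least one backend role")
    not_held = [r for r in selected if r not in held]
    if not_held:
        # Mirrors the proposed UI rule: only the user's own roles are offered.
        raise ValueError("user is not mapped to: " + ", ".join(not_held))
    body = {
        "type": "monitor",
        "name": name,
        "monitor_type": "query_level_monitor",
        "enabled": True,
        "schedule": {"period": {"interval": 5, "unit": "MINUTES"}},
        # Constructed sample input; index pattern is a placeholder.
        "inputs": [{"search": {"indices": ["app-logs-*"],
                               "query": {"query": {"match_all": {}}}}}],
        "triggers": [],
        "rbac_roles": selected,
    }
    return MONITORS_ENDPOINT, body


def can_access(monitor_body, user_backend_roles):
    """Assumed access model: user shares at least one role with the monitor."""
    return bool(set(monitor_body["rbac_roles"]) & set(user_backend_roles))


# Constructed users for the SA/Dev split described in the issue.
SA_USER = ["sa_team", "ops"]
DEV_USER = ["dev_team"]

_, sa_monitor = build_monitor_request("disk-usage", SA_USER, ["sa_team"])
_, dev_monitor = build_monitor_request("app-errors", DEV_USER, ["dev_team"])
```

Because every selected role is one the creator holds, the creator always passes `can_access` on their own monitor, which is the "without losing access themselves" property from the comment.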

scubbx commented 1 month ago

Just found out, my comment is better located at the OpenSearch-Dashboards-Alerting-Plugin repo. There is already an issue concerning my suggestion: https://github.com/opensearch-project/alerting-dashboards-plugin/issues/860