opensearch-project / alerting

📟 Get notified when your data meets certain conditions by setting up monitors, alerts, and notifications
https://opensearch.org/docs/latest/monitoring-plugins/alerting/index/
Apache License 2.0
61 stars 102 forks

Alerts needs stricter ownership #82

Open adityaj1107 opened 3 years ago

adityaj1107 commented 3 years ago

Issue by oscarkraemer, Thursday Nov 19, 2020 at 10:21 GMT. Originally opened as https://github.com/opendistro-for-elasticsearch/alerting/issues/302


Is your feature request related to a problem? Please describe.

Alerts are hard to manage since the ownership seems to be based on all the roles a user belongs to. If a user belongs to many roles then a lot of users will see the alerts that the user creates.

Describe the solution you'd like

Alerts should be owned by tenants and/or alerts should be tightly coupled with a specific role.

Describe alternatives you've considered

Additional context

Assumes that this is configured: "opendistro.alerting.filter_by_backend_roles": "true"

Our example organisation:

network-admins belongs to network-role
database-admins belongs to database-role
senior-admins belongs to network-role and database-role

In this kind of setup senior-admins can't create an alert that only network-admins have access to, since both network-admins and database-admins will have access to all alerts a senior-admin creates.

adityaj1107 commented 3 years ago

Comment by skkosuri-amzn Saturday Nov 28, 2020 at 23:12 GMT


@oscarkraemer Thanks for creating this enhancement. One way to achieve this would be to select the roles to be associated with the monitor during create or update. Added this to the backlog.

adityaj1107 commented 3 years ago

Comment by ryn9 Friday Feb 05, 2021 at 05:48 GMT


@skkosuri-amzn

Selecting the backend to be associated with the monitor during creation and updates would be very welcome for alerting and anomaly detection, which has a similar mechanism.

Additionally, a permission that could bypass the filter for admin and management purposes is needed. Currently we cannot admin/manage alerting and anomaly detection from our admin accounts, nor api calls, due to requiring the caller to be in the needed backend groups, but not additional unwanted groups. Very frustrating!

ryn9 commented 3 years ago

@aditjind @skkosuri-amzn is there any way, in the interim, to update the roles and backend_roles for a monitor via the API?

skkosuri-amzn commented 3 years ago

@aditjind editing roles via API will create a security hole.

ryn9 commented 3 years ago

@aditjind @skkosuri-amzn so the only current workaround would be to do something like mentioned here? https://github.com/opensearch-project/anomaly-detection/issues/112#issuecomment-875154315 "So one workaround is let someone who has only 1 backend role to update the detector if you need to strictly limit only this backend role can access the detector."

brijos commented 1 year ago

The following PR will allow alert administrators to explicitly set monitor roles via the API.

https://github.com/opensearch-project/alerting/pull/635

It would be great to hear from the community additional use cases around stricter ownership.
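
A simplified model of the visibility rule described in this issue and of the role selection proposed in the comments, added here as an illustration; it is not the alerting plugin's code. The names `User`, `Monitor`, `create_monitor` and `can_see`, the `is_admin` bypass, the `ops-admin` account and the subset check on requested roles are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    backend_roles: frozenset
    is_admin: bool = False  # hypothetical bypass, as requested in the thread


@dataclass(frozen=True)
class Monitor:
    name: str
    owner_roles: frozenset


def create_monitor(user, name, roles=None):
    """roles=None copies every backend role of the creator (the reported behaviour);
    passing roles models the explicit selection proposed in the comments."""
    if roles is None:
        return Monitor(name, user.backend_roles)
    roles = frozenset(roles)
    if not roles:
        raise ValueError("a monitor needs at least one role")
    # Assumption of this model: non-admins may only narrow to roles they hold,
    # so setting roles cannot hand a monitor to a team the caller is not in.
    if not user.is_admin and not roles <= user.backend_roles:
        missing = sorted(roles - user.backend_roles)
        raise PermissionError(f"{user.name} does not hold {missing}")
    return Monitor(name, roles)


def can_see(user, monitor):
    """Backend-role filter: visible when at least one backend role is shared."""
    return user.is_admin or bool(user.backend_roles & monitor.owner_roles)


# Constructed sample data: the example organisation from the issue.
NETWORK = User("network-admin", frozenset({"network-role"}))
DATABASE = User("database-admin", frozenset({"database-role"}))
SENIOR = User("senior-admin", frozenset({"network-role", "database-role"}))
OPS = User("ops-admin", frozenset(), is_admin=True)  # hypothetical admin account


def viewers(monitor):
    return sorted(u.name for u in (NETWORK, DATABASE, SENIOR, OPS) if can_see(u, monitor))


if __name__ == "__main__":
    print(viewers(create_monitor(SENIOR, "link-down")))
    print(viewers(create_monitor(SENIOR, "link-down", roles={"network-role"})))
```
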