Open sebastienbonami opened 1 month ago
[Triage] Hi @sebastienbonami, thank you for filing this issue. Looks like there is some missing documentation for this feature. @cwperks could you please move this issue over to the documentation repository to be addressed? Thank you.
Transferring this issue to the documentation website to track adding documentation about this setting in a roles mapping.
Host mapping is used to map requests from certain IP addresses or hostnames to roles within OpenSearch. To map hostnames to roles you must configure the `hostResolverMode` to enable domain name lookup.
Thanks for the follow-up.
So it's true that there's missing documentation for this, but according to what you're saying @cwperks it means that there's certainly a bug that needs to be addressed. It's not intended that setting the `hosts` parameter to `[ "*" ]` would result in all created users being mapped to the role concerned in the role mapping.
@sebastienbonami Using `hosts: ['*']` means that requests from any IP address are mapped to the role.
If you specify hostnames in the mapping like `hosts: ['opensearch.org']`, then only requests from `opensearch.org` would be mapped to the role, but you would need to set `hostResolverMode` to `ip-lookup` to enable name lookup.
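To make the semantics in the previous comment concrete, here is an added example (not the security plugin's own code) that models how a `hosts` entry in a role mapping decides whether a request picks up the role, and audits a set of mappings for the wildcard entry. The mapping dicts are constructed in the shape of `roles_mapping.yml` entries, and the function names (`host_entry_matches`, `effective_roles`, `wildcard_host_mappings`) and the `hostname_lookup` flag are hypothetical; the flag stands in for whatever name-lookup mode is configured on the cluster.

```python
import fnmatch

# Constructed sample mappings in the shape of roles_mapping.yml entries
# (not taken from any real deployment).
ROLE_MAPPINGS = {
    "all_access": {"users": ["admin"], "hosts": ["*"]},
    "readall": {"users": ["dev"], "hosts": []},
    "ops_role": {"users": [], "hosts": ["opensearch.org", "10.0.0.*"]},
}


def host_entry_matches(entry, remote_ip, remote_hostname, hostname_lookup):
    """Does one `hosts` entry match the request's origin?

    Hypothetical matcher following the semantics described in the thread:
    "*" matches every origin, IP patterns match the client IP, and hostname
    patterns only match when name lookup is enabled on the cluster.
    """
    if entry == "*":
        return True
    if fnmatch.fnmatchcase(remote_ip, entry):
        return True
    if hostname_lookup and remote_hostname:
        return fnmatch.fnmatchcase(remote_hostname, entry)
    return False


def mapping_applies(mapping, user, remote_ip, remote_hostname=None, hostname_lookup=False):
    """True if this mapping grants its role to the request, by user or by host."""
    if user in mapping.get("users", []):
        return True
    return any(
        host_entry_matches(h, remote_ip, remote_hostname, hostname_lookup)
        for h in mapping.get("hosts", [])
    )


def effective_roles(mappings, user, remote_ip, remote_hostname=None, hostname_lookup=False):
    """Sorted list of roles the request ends up with."""
    return sorted(
        role
        for role, m in mappings.items()
        if mapping_applies(m, user, remote_ip, remote_hostname, hostname_lookup)
    )


def wildcard_host_mappings(mappings):
    """Audit helper: roles whose `hosts` contains "*", i.e. granted to every request."""
    return sorted(role for role, m in mappings.items() if "*" in m.get("hosts", []))


if __name__ == "__main__":
    # A request by user "dev" from an unrelated address still picks up
    # all_access, because the wildcard host entry matches any origin.
    print(effective_roles(ROLE_MAPPINGS, "dev", "192.0.2.10"))
    print(wildcard_host_mappings(ROLE_MAPPINGS))
```

Run it and `dev` comes back with both `all_access` and `readall`: the `users` list on `all_access` never needed to match because the `hosts: ["*"]` entry already did. Dropping the `hosts` key from each mapping (as later in this thread) leaves `dev` with only `readall`, and `wildcard_host_mappings` is the check worth running over a real `roles_mapping.yml` before assuming a role is user-scoped.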
> Using `hosts: ['*']` means that requests from any IP address are mapped to the role.
@cwperks Thanks for the precision, but on my side it's also mapping all created users to all roles, which gives unexpected permissions to users. I just want to make sure that not only the documentation is updated, but that the bug I'm encountering is considered.
To avoid the bug, I removed specifying `hosts` on all my role mappings as I'm guessing this results in any hostnames/IPs being accepted, which is what I want.
**What is the bug?**
I'm looking for an explanation of what the `hosts` parameter means in role mappings. I was guessing that it's to specify hostnames/IPs to restrict where requests can come from. So I've been setting the `hosts` parameter to `[ "*" ]` when creating role mappings and I realised that all users I created are mapped to all roles I created.

**How can one reproduce the bug?**
Steps to reproduce the behaviour:
- `admin` + `dev`
- `all_access` to user `admin`, based on the documentation here: https://opensearch.org/docs/latest/security/access-control/api/#create-role-mapping

**What is the expected behavior?**
Role `all_access` should be mapped to user `admin` only, not to `dev` as well. User `dev` should have no role mapped.

**What is your host/environment?**

**Do you have any screenshots?**
When connected with user `dev` in OpenSearch Dashboards, going to section "View roles and identities" I can see this: