opensearch-project / documentation-website

The documentation for OpenSearch, OpenSearch Dashboards, and their associated plugins.
https://opensearch.org/docs
Apache License 2.0

[Documentation] Parameter "hosts" in role mapping gives unexpected results #7969

Open sebastienbonami opened 1 month ago

sebastienbonami commented 1 month ago

What is the bug? I'm looking for an explanation of what the hosts parameter means in role mappings. I was guessing that it's to specify hostnames/ips to restrict where requests can come from. So I've been setting the hosts parameter to [ "*" ] when creating role mappings and I realised that all users I created are mapped to all roles I created.

How can one reproduce the bug? Steps to reproduce the behaviour:

  1. Create 2 users: admin + dev
  2. Create this role mapping for role all_access to user admin:
    curl -X PUT "http://localhost:9200/_plugins/_security/api/rolesmapping/all_access" -H 'Content-Type: application/json' -d'
    {
      "hosts" : [ "*" ],
      "users" : [ "admin" ]
    }
    '

    Based on the documentation here: https://opensearch.org/docs/latest/security/access-control/api/#create-role-mapping

What is the expected behavior? Role all_access should be mapped to user admin only, not to dev as well. User dev should have no role mapped.

What is your host/environment?

Do you have any screenshots? When connected with user dev in OpenSearch Dashboards, going to section View roles and identities I can see this: (screenshot attached)

stephen-crawford commented 1 month ago

[Triage] Hi @sebastienbonami, thank you for filing this issue. Looks like there is some missing documentation for this feature. @cwperks could you please move this issue over to the documentation repository to be addressed? Thank you.

cwperks commented 1 month ago

Transferring this issue to the documentation website to track adding documentation about this setting in a roles mapping.

Host mapping is used to map requests from certain IP Addresses or Hostnames to roles within OpenSearch. To map hostnames to roles you must configure the hostResolverMode to enable domain name lookup.

sebastienbonami commented 1 month ago

Thanks for the follow-up.

So it's true that there's missing documentation for this, but according to what you're saying @cwperks it means that there's certainly a bug that needs to be addressed. It's not intended that setting the hosts parameter to [ "*" ] would result in all created users being mapped to the role concerned in the role mapping.

cwperks commented 1 month ago

@sebastienbonami Using hosts: ['*'] means that requests from any IP Address are mapped to the role.

If you specify hostnames in the mapping like hosts: ['opensearch.org'], then only requests from opensearch.org would be mapped to the role, but you would need to set hostResolverMode to ip-lookup to enable name lookup.

sebastienbonami commented 1 month ago

Using hosts: ['*'] means that requests from any IP Address are mapped to the role.

@cwperks Thanks for the precision, but on my side it's also mapping all created users to all roles, which gives unexpected permissions to users. I just want to make sure that not only the documentation is updated, but that the bug I'm encountering is considered.

To avoid the bug, I removed specifying hosts on all my role mappings as I'm guessing this results in any hostnames/ips being accepted, which is what I want.
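A small model of the behaviour discussed in this thread, added here as an illustration and not the security plugin's own code. It assumes that the users, backend_roles and hosts lists of a mapping are combined with OR (each list is an independent way to obtain the role), which is the reading under which hosts ["*"] grants the role to every user; the mappings and request data are constructed, and the audit helper flags mappings whose hosts list is a bare wildcard.

```python
import fnmatch

# Constructed mappings in the shape the issue uses (not a real config).
ROLE_MAPPINGS = {
    "all_access": {"hosts": ["*"], "users": ["admin"]},   # the mapping from the report
    "readall": {"users": ["dev"]},
    "office_only": {"hosts": ["10.0.0.*"]},               # host-only mapping, wildcard subnet
}

# Same mappings after the workaround from the thread: no hosts on all_access.
FIXED_MAPPINGS = {
    "all_access": {"users": ["admin"]},
    "readall": {"users": ["dev"]},
    "office_only": {"hosts": ["10.0.0.*"]},
}


def host_matches(patterns, remote_host):
    """Shell-style wildcard match of the request's source host/IP against a list."""
    return any(fnmatch.fnmatchcase(remote_host, p) for p in patterns)


def resolve_roles(mappings, user, backend_roles, remote_host):
    """Return the roles a request is mapped to.

    ASSUMPTION: users, backend_roles and hosts are alternative conditions
    (OR), so a request satisfying any one of them receives the role.
    """
    granted = set()
    for role, m in mappings.items():
        by_user = user in m.get("users", [])
        by_backend = any(b in m.get("backend_roles", []) for b in backend_roles)
        by_host = host_matches(m.get("hosts", []), remote_host)
        if by_user or by_backend or by_host:
            granted.add(role)
    return granted


def wildcard_host_mappings(mappings):
    """Audit helper: roles that any client can obtain purely by source host ('*')."""
    return sorted(role for role, m in mappings.items() if "*" in m.get("hosts", []))


if __name__ == "__main__":
    # dev from an arbitrary address still receives all_access under the reported mapping
    print(resolve_roles(ROLE_MAPPINGS, "dev", [], "203.0.113.5"))
    print(resolve_roles(FIXED_MAPPINGS, "dev", [], "203.0.113.5"))
    print(wildcard_host_mappings(ROLE_MAPPINGS))
```

Running the audit helper over an exported rolesmapping document is a quick way to find mappings that hand out a role to every caller regardless of user.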