[Enhancement][OpenSearch]

sevenval-admins commented 2 years ago

Is your feature request related to a problem? Please describe. Hi guys, I have the following problem: I was testing the Alerting plugin and as stated in the documentation, basically every monitor and destination that is created is visible to every user, except if the following setting is applied:

PUT _cluster/settings
{
  "transient": {
    "plugins.alerting.filter_by_backend_roles": "true"
  }
}

With this option it is possible depending on the backend role to restrict the display of monitors and destinations. My OpenSearch is connected to a LDAP-Server and in my company there are hundreds of AD-Groups which my OpenSearch resolves all as backend roles. All of us in the company share several AD-Groups and as specified in the documentation the separation of monitors and destinations only works if no backend role is shared. Setting the resolve_nested_roles option to false excludes all roles that are nested but still leaves several that are not. Even if I use the nested_role_filter parameter this only applies to nested roles and leaves out all those that are not.

Describe the solution you'd like It would be a great improvement to have the possibility to separate the Monitoring and Destinations according to Tenant or to really be able to filter out all unnecessary roles.

Thanks in advance to anyone wo will take a look into it.

prudhvigodithi commented 2 years ago

Hey @sevenval-admins from what I understood, you are targeting to share the monitors and destinations only to specific user group, this include even to exclude nested group ?

Can you please try this way?

Create a specific group in LDAP and add only required users.
Create a specific Role and map the role to the the group created above.

there is another option skip_users, it also supports regex patterns.

sevenval-admins commented 2 years ago

Hi @prudhvigodithi and thank you for your reply. I have already created a Group in LDAP and added only the required users, as well as created a Role and mapped it with the previous LDAP group. The Problem is that the users that I added belongs to different LDAP groups and the separation of monitors and destinations only works if no backend role (in this case LDAP-Group) is shared. Basically that´s what I done:

created LDAP groups "project-test-group-1" and "project-test-group-2"
added user-1 and user-2 to "project-test-group-1" LDAP group, than added user-3 and user-4 to "project-test-group-2" LDAP group
created "project-test-role-1" and "project-test-role-2" Role
mapped "project-test-role-1" Role with "project-test-group-1" group
mapped "project-test-role-2" Role with "project-test-group-2" group

Results: No matter which of the four users creates a monitor or an alert, these will be visible to all other users as they are all part of the LDAP group (for example) 'Gitlab-Users', even if there is no mapping between 'Gitlab-Users' group and a Role in OpenSearch. And this happens because no backend role has to be shared in order to make the separation working.

smlx commented 2 years ago

~Monitors and Alerts are associated with the tenant. You need to assign separate tenants to each group, and create the monitors and alerts in different tenants instead of using the Global tenant.~

edit: this is wrong - see below

sevenval-admins commented 2 years ago

Hi @smlx and thank you for you reply. Unfortunately Monitors and Alerts are not associated with tenants but with backend-role, as stated in the Documentation: "[...]when users view alerting resources in OpenSearch Dashboards (or make REST API calls), they only see monitors and destinations that are created by users who share at least one backend role". This is exactly what I have done (you can reproduce it):

create tenant-1 and tenant-2

create role-1 and role-2 and give the roles all the needed permissions:

    role-1:
      reserved: true
      cluster_permissions:
        - "cluster_composite_ops"
        - "indices_monitor"
        - "cluster:monitor/state"
        - "cluster:admin/opendistro/alerting/alerts/ack"
        - "cluster:admin/opendistro/alerting/alerts/get"
        - "cluster:admin/opendistro/alerting/destination/delete"
        - "cluster:admin/opendistro/alerting/destination/email_account/delete"
        - "cluster:admin/opendistro/alerting/destination/email_account/get"
        - "cluster:admin/opendistro/alerting/destination/email_account/search"
        - "cluster:admin/opendistro/alerting/destination/email_account/write"
        - "cluster:admin/opendistro/alerting/destination/email_group/delete"
        - "cluster:admin/opendistro/alerting/destination/email_group/get"
        - "cluster:admin/opendistro/alerting/destination/email_group/search"
        - "cluster:admin/opendistro/alerting/destination/email_group/write"
        - "cluster:admin/opendistro/alerting/destination/get"
        - "cluster:admin/opendistro/alerting/destination/write"
        - "cluster:admin/opendistro/alerting/monitor/delete"
        - "cluster:admin/opendistro/alerting/monitor/execute"
        - "cluster:admin/opendistro/alerting/monitor/get"
        - "cluster:admin/opendistro/alerting/monitor/search"
        - "cluster:admin/opendistro/alerting/monitor/write"
      index_permissions:
        - index_patterns:
            - "logs-tenant-1-*"
          allowed_actions:
            - "read"
      tenant_permissions:
        - tenant_patterns:
            - "tenant-1"
          allowed_actions:
            - "kibana_all_write"
      static: false

    role-2:
      reserved: true
      cluster_permissions:
        - "cluster_composite_ops"
        - "indices_monitor"
        - "cluster:monitor/state"
        - "cluster:admin/opendistro/alerting/alerts/ack"
        - "cluster:admin/opendistro/alerting/alerts/get"
        - "cluster:admin/opendistro/alerting/destination/delete"
        - "cluster:admin/opendistro/alerting/destination/email_account/delete"
        - "cluster:admin/opendistro/alerting/destination/email_account/get"
        - "cluster:admin/opendistro/alerting/destination/email_account/search"
        - "cluster:admin/opendistro/alerting/destination/email_account/write"
        - "cluster:admin/opendistro/alerting/destination/email_group/delete"
        - "cluster:admin/opendistro/alerting/destination/email_group/get"
        - "cluster:admin/opendistro/alerting/destination/email_group/search"
        - "cluster:admin/opendistro/alerting/destination/email_group/write"
        - "cluster:admin/opendistro/alerting/destination/get"
        - "cluster:admin/opendistro/alerting/destination/write"
        - "cluster:admin/opendistro/alerting/monitor/delete"
        - "cluster:admin/opendistro/alerting/monitor/execute"
        - "cluster:admin/opendistro/alerting/monitor/get"
        - "cluster:admin/opendistro/alerting/monitor/search"
        - "cluster:admin/opendistro/alerting/monitor/write"
      index_permissions:
        - index_patterns:
            - "logs-tenant-2-*"
          allowed_actions:
            - "read"
      tenant_permissions:
        - tenant_patterns:
            - "tenant-2"
          allowed_actions:
            - "kibana_all_write"
      static: false

create group-1 and group-2 in LDAP and set me as member in group-1 and my colleague John in group-2

map the 2 roles with the 2 backend roles:

     role-1:
      reserved: true
      backend_roles:
      - "group-1"

     role-1:
      reserved: true
      backend_roles:
      - "group-1"

I create a Destination in tenant-1 named destination-test
My colleague John log into the UI and choose the tenant-2 (only option available under Choose from Custom) and he is able to visualize, edit and delete my destination-test Destination that I created under test-1 Tenant. Why? Because me and John are in Admins and Gilab-Users LDAP Groups, so we share more than one backend role. That´s the reason why I asked as enhancement the possibility to separate Destinations and Monitors according to tenants.

smlx commented 2 years ago

Oh sorry, yes you are correct.

prudhvigodithi commented 2 years ago

We might need to address this by giving an other option to only look for a specified backend role (if specified) and not look for shared backend role, else go with the default behavior to look for shared backend roles. Something like

         role-1:
          reserved: true
          backend_roles:
          - "group-1"
          allow_shared_roles: false

prudhvigodithi commented 2 years ago

Hey @sevenval-admins and @smlx I have raised an issue https://github.com/opensearch-project/alerting/issues/459 in alerting repo.

opensearch-project / helm-charts

[Enhancement][OpenSearch] #266