search

opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
188 stars 272 forks source link

[FEATURE] Add additional validations for role mappings #3244

Open willyborankin opened 1 year ago

willyborankin commented 1 year ago

Is your feature request related to a problem? Outcome of this PR https://github.com/opensearch-project/security/pull/3123.

Missing validations in role mappings:  - users JSON property. There is no validation in place for the list of users that exist in the system. As a result, it is possible to add non-existing users to any role mapping.  - hosts there are not clear rules around this property what it should contain. It looks like hosts functionality has never been finished since OSD hasnt has possibility to add hosts.

What solution would you like?

  1. Add check that users exist in the system
  2. define clear rules how hosts should look like and add validation for this property.

What alternatives have you considered? If we do not use hosts remove this property or re-implement it.

davidlago commented 1 year ago

Linking related https://github.com/opensearch-project/security/issues/1852

peternied commented 1 year ago

Configuration validation can create some problems for us, in its current form we don't have a required order of declarations - this could create backwards capability trouble

Calling the APIs to create a user, role, and rolemapping the order doesn't matter. However, if we start enforcing this it gets more interesting for our clients. IMO that feels like a optional feature we could enable ?validateReference=true and then make it the default in a major version bump.