Open dlvenable opened 10 months ago
[Triage] Thank you for filing this issue @dlvenable. There is a static role for logstash that you can look at and model the data prepper roles from. Are there any specific questions about what actions the roles should be able to perform?
@cwperks, I am aware of the logstash role. But, I think there are a few reasons for creating one or more new Data Prepper roles.
The logstash role has permissions for indexes that fit Logstash use-cases (logstash-* and *beat*). Few Data Prepper users will use those index patterns.
> Are there any specific questions about what actions the roles should be able to perform?
I'm a maintainer on the Data Prepper project. So we'd be able to get the necessary permissions.
One thing I would point out is that our users write to many different indexes. So I do propose that the data_prepper_write have write access to all indexes. I think we could have a role that has well known indexes as well.
@dlvenable Please feel free to create a pull request to add these role(s), I think that would help facilitate this discussion.
Is your feature request related to a problem?
Users of OpenSearch and Data Prepper often have difficulty setting up the roles they use. Determining the permissions they need can be challenging.
What solution would you like?
To help users with these permissions, I'd like to provide useful predefined configurations in OpenSearch. In particular, I'm thinking of having existing OpenSearch roles tailored for Data Prepper. Users can choose to map the role or roles that fit their scenario to the user that they configure Data Prepper to use.
Here are the roles I'm thinking of creating:
data_prepper_write - Can write to any index along with other roles for writing
data_prepper_observability - Similar to data_prepper_write, but can be scoped down to predefined indexes such as that for trace analytics and Simple Schema for Observability. It would also need to be able to read from these indexes.
data_prepper_read - A role that can read from any index to support the opensearch source.
What alternatives have you considered?
One alternative is a single role with all permissions. But, this seems too broad. We could encourage users to combine the roles they need for their specific use-case. Say, for example, have a user which maps to data_prepper_write and data_prepper_read.
Do you have any additional context?
We could create a PR for this, but I want to get feedback first.
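A sketch of how the three roles proposed in this issue could look as security plugin `roles.yml` entries, added here as an example and not taken from the issue, Data Prepper or the security plugin. The action groups are default OpenSearch ones; which of them each role really needs, and the trace analytics and Simple Schema for Observability index patterns, are assumptions to confirm against the pipelines in use.

```yaml
# Added sketch, not the project's own configuration.
# Index patterns and the choice of action groups are assumptions.

data_prepper_write:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
    - 'cluster_composite_ops'            # bulk requests are authorized at cluster level
    - 'cluster_manage_index_templates'   # assumed: the sink installs index templates
  index_permissions:
    - index_patterns:
        - '*'                            # any index, as proposed in the issue
      allowed_actions:
        - 'write'                        # no read, search or delete-index rights
        - 'create_index'

data_prepper_observability:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
    - 'cluster_composite_ops'
    - 'cluster_manage_index_templates'
  index_permissions:
    - index_patterns:                    # assumed well-known observability indexes
        - 'otel-v1-apm-span-*'
        - 'otel-v1-apm-service-map*'
        - 'ss4o_*'
      allowed_actions:
        - 'crud'                         # read and write, limited to these patterns
        - 'create_index'

data_prepper_read:
  reserved: true
  cluster_permissions:
    - 'cluster_composite_ops_ro'         # scroll, msearch and mget, read-only
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'read'                         # assumed sufficient for the opensearch source
```

Mapping both `data_prepper_write` and `data_prepper_read` to one user grants the union of the two roles, so a pipeline that only writes should be mapped to the write role alone.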