[FEATURE] Provide built-in Data Prepper roles

[dlvenable]

Is your feature request related to a problem?

Users of OpenSearch and Data Prepper often have difficulty setting up the roles they use. Determining the permissions they need can be challenging.

What solution would you like?

To help users with these permissions, I'd like to provide useful predefined configurations in OpenSearch. In particular, I'm thinking of having existing OpenSearch roles tailored for Data Prepper. Users can choose to map the role or roles that fit their scenario to the user that they configure Data Prepper to use.

Here are the roles I'm thinking of creating:

• data_prepper_write - Can write to any index along with other roles for writing
• data_prepper_observability - Similar to data_prepper_write, but can be scoped down to predefined indexes such as that for trace analytics and Simple Schema for Observability. It would also need to be able to read from these indexes.
• data_prepper_read - A role that can read from any index to support the opensearch source.

What alternatives have you considered?

One alternative is a single role with all permissions. But, this seems too broad. We could encourage users to combine the roles they need for their specific use-case. Say, for example, have a user which maps to data_prepper_write and data_prepper_read.

Do you have any additional context?

We could create a PR for this, but I want to get feedback first.

[cwperks]

[Triage] Thank you for filing this issue @dlvenable . There is a static role for logstash that you can look at and model the data prepper roles from. Are there any specific questions about what actions the roles should be able to perform?

[dlvenable]

@cwperks , I am aware of the logstash role. But, I think there are a few reasons for creating one or more new Data Prepper roles.

1. The logstash role has permissions for indexes that fit Logstash use-cases (logstash-* and *beat*). Few Data Prepper users will use those index patterns.
2. Data Prepper is part of the OpenSearch project, so having a built-in role is quite appropriate.
3. We may be able to have more least-privilege by using different roles. As I pointed out, sometimes users read from OpenSearch and sometimes users write. We also have some well-known indexes for trace analytics. So users could reduce the number of indexes available using that instead.

Are there any specific questions about what actions the roles should be able to perform?

I'm a maintainer on the Data Prepper project. So we'd be able to get the necessary permissions.

One thing I would point out is that our users write to many different indexes. So I do propose the the data_prepper_write have write access to all indexes. I think we could have a role that has well known indexes as well.

[peternied]

@dlvenable Please feel free to create a pull request to add these role(s), I think that would help facilitate this discussion.