opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
180 stars 264 forks

[FEATURE] Default labeling rule for security based tenancy labeling #4402

Open ansjcy opened 4 weeks ago

ansjcy commented 4 weeks ago

Is your feature request related to a problem? As part of the effort to introduce multi-tenancy as a construct in OpenSearch (https://github.com/opensearch-project/OpenSearch/issues/13341), we are introducing a labeling service to attach tenancy labels to search requests. Plugins can define their rules to compute labels based on the given request and thread context. We need to add a "default" labeling rule in the security plugin to get the tenancy information if the cluster is using the security plugin as its auth method, as part of https://github.com/opensearch-project/OpenSearch/pull/13374.

What solution would you like? Add a default labeling rule so that we can attach user info in a request.

What alternatives have you considered? We can also maintain all rules in the core repo, but it would be better to let plugins implement their own rules, which would get registered with the RuleBasedLabelingService in core.

Do you have any additional context? Please see https://github.com/opensearch-project/OpenSearch/issues/13341 and https://github.com/opensearch-project/OpenSearch/pull/13374

scrawfor99 commented 3 weeks ago

[Triage] Hi @ansjcy, thanks for filing this issue. From speaking with @cwperks, this work is currently paused based on some core work you are doing. That being said, feel free to resume work on the PR when you are ready to move forward.