opensearch-project / terraform-provider-opensearch

https://registry.terraform.io/providers/opensearch-project/opensearch
Apache License 2.0

[FEATURE] possibility to attach user to role (not backend role) #191

Closed rapcore2 closed 3 weeks ago

rapcore2 commented 1 month ago

Is your feature request related to a problem?

I tried to map a custom role to a user, but this is not possible with the OpenSearch Terraform provider.

What solution would you like?

Possibility to attach a (custom) role to a user. For example (if possible):

resource "opensearch_user" "simple_user" {
  username    = "simple.user"
  password    = "SuperPassword!"
  description = "Simple User"
  backend_roles = [
    "my_custom_backend_role"
  ]
  roles = [
    "my_custom_role"
  ]
}

What alternatives have you considered?

In Dev Tools

PUT _plugins/_security/api/rolesmapping/custom_role
{
  "users" : [ "custom_user" ]
}

rblcoder commented 1 month ago

PUT _plugins/_security/api/rolesmapping/custom_role
{
  "users" : [ "custom_user" ]
}

The above can be called using the opensearch_roles_mapping resource: https://github.com/opensearch-project/terraform-provider-opensearch/blob/3699cfb370cf73d2a12124caa3b6ab5201e733f8/provider/resource_opensearch_roles_mapping.go#L186-L205

https://github.com/opensearch-project/terraform-provider-opensearch/blob/3699cfb370cf73d2a12124caa3b6ab5201e733f8/provider/resource_opensearch_roles_mapping.go#L36-L41

rapcore2 commented 1 month ago

@rblcoder thank you for the reply. Could you provide an example in Terraform of how to attach a role (not a backend role) in opensearch_roles_mapping? In my opinion it is impossible.

rblcoder commented 1 month ago

Here is some example Terraform code:

https://github.com/idealo/terraform-aws-opensearch/blob/main/role_mapping.tf

Also, the documentation specifying the schema:

https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/roles_mapping#schema

rapcore2 commented 1 month ago

@rblcoder thank you for the reply. But it's backend_role, not a role... I asked about the possibility to attach a role, not a backend role.

Role - Security roles define the scope of a permission or action group: cluster, index, document, or field. For example, a role named delivery_analyst might have no cluster permissions, the READ action group for all indexes that match the delivery-data-* pattern, access to all document types within those indexes, and access to all fields except delivery_driver_name.

Backend role - (Optional) Arbitrary strings that you specify or that come from an external authentication system (for example, LDAP/Active Directory). Backend roles can help simplify the role mapping process. Rather than mapping a role to 100 individual users, you can map the role to a single backend role that all 100 users share.

rblcoder commented 1 month ago

PUT _plugins/_security/api/rolesmapping/custom_role
{
  "users" : [ "custom_user" ]
}

The above is mapping a user to a role.

rblcoder commented 1 month ago

You can see a test added here showing that the same works using the provider as well:

https://github.com/opensearch-project/terraform-provider-opensearch/pull/193/files

rapcore2 commented 3 weeks ago

Works as expected in version 2.3.0. @rblcoder thank you :)
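
The mapping this thread arrives at, written out in Terraform: a security role, an internal user, and an opensearch_roles_mapping whose users list ties the two together. This is an added example, not code from the thread or the provider repository. The role name, index pattern, excluded field and the analyst_password variable are assumptions, and the provider connection settings are assumed to be configured elsewhere.

```hcl
terraform {
  required_providers {
    opensearch = {
      source  = "opensearch-project/opensearch"
      version = ">= 2.3.0" # version the thread reports as working
    }
  }
}

# Assumption: supplied out of band (e.g. TF_VAR_analyst_password), never committed.
# The value is still written to Terraform state, so protect the state backend.
variable "analyst_password" {
  type      = string
  sensitive = true
}

# Security role: defines what is allowed. Names and pattern are constructed.
resource "opensearch_role" "delivery_analyst" {
  role_name   = "delivery_analyst"
  description = "Read-only access to delivery data"

  index_permissions {
    index_patterns       = ["delivery-data-*"]
    allowed_actions      = ["read"]
    field_level_security = ["~delivery_driver_name"] # "~" excludes the field
  }
}

# Internal user: the resource takes backend_roles only, no roles attribute.
resource "opensearch_user" "simple_user" {
  username    = "simple.user"
  password    = var.analyst_password
  description = "Simple User"
}

# Role mapping: defines who gets the role. Equivalent to
#   PUT _plugins/_security/api/rolesmapping/delivery_analyst {"users": [...]}
# PUT replaces the whole mapping for the role, so keep every user and
# backend role for delivery_analyst in this one resource.
resource "opensearch_roles_mapping" "delivery_analyst" {
  role_name   = opensearch_role.delivery_analyst.role_name
  description = "Users mapped directly to delivery_analyst"
  users       = [opensearch_user.simple_user.username]
}
```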