Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Workspace] Define and implement ACL for the saved objects within workspaces #5083

Closed
gaobinlong opened this issue Sep 21, 2023 · 0 comments · Fixed by #5084
Closed

[Workspace] Define and implement ACL for the saved objects within workspaces #5083

gaobinlong opened this issue Sep 21, 2023 · 0 comments · Fixed by #5084
Assignees
@gaobinlong
Labels
enhancement New feature or request v2.12.0 workspace

Comments

@gaobinlong
Copy link
Contributor

gaobinlong commented Sep 21, 2023
edited
Loading

Is your feature request related to a problem? Please describe.

This issue describes the definition and implementation of the ACL for the saved objects within workspaces.

According to the access control design proposal for saved objects in workspaces, each workspace object will be attached to an ACL, and the saved objects in that workspace will inherited the ACL by default. A saved object can be potentially in multiple workspaces, thus it inherits the ACL from all the workspaces it is assigned to. In most cases, the saved objects in a workspace will not be attached to an ACL, except it's shared with multiple workspaces or it's a global level advanced settings and can only be updated by the super admin of OSD.

Describe the solution you'd like

1. Workspace attached ACL

The following field permissions will be added to the document of the workspace object in OSD index(.kibana)

{
  "permissions": {
    "library_read": {
        "users": ["<user_1>", "<user_2>"],
        "groups":["<group_1>", "<group_2>"]
   },
    "library_write": {
        "users": ["<user_1>", "<user_2>"],
        "groups":["<group_1>", "<group_2>"]
   }
  } 
}

Permission modes:

  • library_read: only can view the saved objects in the workspace
  • library_write: can view and create/update/delete saved objects in the workspace
- **management**: can view and create/update/delete saved objects in the workspace, and also can view and update the feature set , settings, ACL of the workspace

Principal types:

  • users: single user list, can use wildcard * to indicate all users
  • groups: user group, can use wildcard * to indicate all groups

2. Ordinary saved object attached ACL

The following field permissions will be added to the document of the ordinary saved object in OSD index(.kibana)

{
  "permissions": {
    "read": {
        "users": ["<user_1>", "<user_2>"],
        "groups":["<group_1>", "<group_2>"]
   },
    "write": {
        "users": ["<user_1>", "<user_2>"],
        "groups":["<group_1>", "<group_2>"]
   }
  } 
}

Permission types:

  • read: only can view the saved object
  • write: can view, update, delete the saved object, and can also update the ACL of the saved object

Principal types:

  • users: single user list, can use wildcard * to indicate all users
  • groups: user group, can use wildcard * to indicate all groups

3. ACL related functions

Here are some encapsulated functions which can be used by SavedObjectClientWrapper.

  • boolean hasPermission(permissionTypes: string[], principals: Principals): check whether the specific principal has the specific permission types or not
  • addPermission(permissionTypes: string[], principals: Principals) : permissions object build function, add principal with specific permission to the object
  • removePermission(permissionTypes: string[], principals: Principals): permissions object build function, remove specific permission of specific principal from the object
  • toFlatList(): transform permissions format from permissionType->principals to principal->permissionTypes
  • generateGetPermittedSavedObjectsQueryDSL( permissionTypes: string[], principals: Principals) : generate query DSL by the specific conditions, used for fetching saved objects from the saved objects index

Additional context
@gaobinlong gaobinlong added the enhancement New feature or request label Sep 21, 2023
@gaobinlong gaobinlong mentioned this issue Sep 21, 2023
Merged
8 tasks
@xluo-aws xluo-aws mentioned this issue Sep 21, 2023
Open
25 tasks
@kavilla kavilla linked a pull request Sep 26, 2023 that will close this issue
[Workspace][Feature] Add ACL related functions #5084
Merged
8 tasks
@xluo-aws xluo-aws mentioned this issue Oct 10, 2023
Open
8 tasks
@stephen-crawford stephen-crawford mentioned this issue Jan 22, 2024
Closed
@wanglam wanglam mentioned this issue Mar 6, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gaobinlong gaobinlong

Labels
enhancement New feature or request v2.12.0 workspace
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Workspace][Feature] Add ACL related functions gaobinlong/OpenSearch-Dashboards
4 participants
@seanneumann @kavilla @gaobinlong @abbyhu2000