-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend ActionRequest and TransportService for Resource permissions #15230
Closed
stephen-crawford
wants to merge
2
commits into
opensearch-project:main
from
stephen-crawford:resourcePermissions
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we have already touched upon resources: what are resources? how they are related to action? (and action request)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
HI @reta, thanks for following up.
I am not sure what you mean by touched upon resources, but for context this is coming from: opensearch-project/security#4500.
This framework modifies the ActionRequest with the override-able method so that a plugin can define a set of resources its actions interact with. The expectation is that plugins such as the Ml-Commons which uses model-groups would override this method so that the request can pass along that their action interacts on "model-group-1" for example.
From this information, you can then perform roles based access control or an an alternative form of authc/z on the request.
The change to the transportService is required so that we can define TransportRequests following the pattern /plugin/resource/add/ etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still don't understand this concept:
I will try to find out, meanwhile leaving it for review to someone who has the context.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ActionRequest class should not be modified. With ActionRequests that pertain to actions that involve indices, there is another interface called IndicesRequest which they will implement to indicate that the request uses indices. Items within BulkRequests or MultiGet requests can be IndicesRequests.
If Resource Permissions are implemented as an abstraction of Index Permissions, then I think following a similar pattern with a new interface would make sense, but there is some discussion on the proposal about different approaches to providing a mechanism from the security plugin that plugins can utilize to protect "resources" created by the plugin: opensearch-project/security#4500
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cwperks please look at the discussion on the linked RFC @DarshitChanpura created. I understand you and he had some differences of opinion but the finalized design explicitly details modification of the ActionRequest as discussed by him and Nils.
You have been advocating a re-design of the resource permissions to make them a form of index permission however this was never agreed upon on the RFC. To say that this class "should not be modified" based on your preferred alternative is not a fair representation in my opinion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The proposed design in the RFC is about making a
resource_permissionssection in a role definition whereresource_permissionsare an abstraction ofindex_permissionsand the same glob matching done with index names would be applied to actions that apply to resources.I wanted to leave a comment about how IndicesRequests worked because not all ActionRequests are IndicesRequests. The Security plugin has some pretty convoluted logic to resolve concrete indices from a raw action request. It would be nice if there were a better way to resolve indices from a raw action request.
I left a comment about an idea of "resource sharing" which could provide a more backward compatible approach for ml commons. In Model Access Control for ML Commons, there is a notion of
public,privateandrestrictedthat specify how a model group can be shared. How would these translate to the new model for resource security?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for following up @cwperks.
I understand your concerns and am not saying that your preferred alternative may not be an advisable approach.
My point is simply that the existing design makes it explicit how these changes should occur--and they would require modifying the ActionRequest specifically.
I will caution against the creation of any concrete Resource object inside OpenSearch. As you know, resolving indices is challenging to begin with and I don't know how easy it would be to resolve Resources as a concrete object across the cluster.
For your concern on ML commons I would expect Roles based access control to be followed: opensearch-project/security#4638 (comment)
Perhaps you think this would not work though? I cede to your judgement there, but that is my interpretation of the existing design intent.
Just let me know what you think :)