[FEATURE] Automatically upgrade default security configs (static + reserved) on cluster upgrade #5010

Open
cwperks opened this issue Jan 6, 2025 · 2 comments
Labels
enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@cwperks
Member

cwperks commented Jan 6, 2025

Is your feature request related to a problem?

In OpenSearch 2.14, 2 new APIs were introduced that allowed cluster administrators to determine if their default security configs were outdated and take action accordingly. Those APIs are:

  1. Configuration Upgrade Check: https://opensearch.org/docs/latest/security/access-control/api/#configuration-upgrade-check
  2. Configuration Upgrade: https://opensearch.org/docs/latest/security/access-control/api/#configuration-upgrade

Below are definitions for "default" and "security config":

Default: Default means that either static or reserved is set to true
Security Config: This means the various different security config types, i.e. roles and action groups

These APIs require intervention, whereas it should also be possible to specify whether a cluster should perform these upgrades automatically.

What solution would you like?

Introduce a new feature flag with default set to true (maybe plugins.security.automatically_upgrade_default_security_configurations?) that will check if the default security configs are outdated on node bootstrap and, if outdated, perform the upgrade automatically.

What alternatives have you considered?

Status quo

@cwperks cwperks added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 6, 2025
@cwperks
Member Author

cwperks commented Jan 6, 2025

This is the REST API handler for config upgrades.

First thought is to check if the default configs are outdated here. If outdated, perform the upgrade.

@cwperks cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 13, 2025
@nibix
Collaborator

nibix commented Jan 13, 2025

The static action group definition could be leveraged to solve this problem without having to rewrite the data persisted in the index:

https://github.com/opensearch-project/security/blob/main/src/main/resources/static_config/static_action_groups.yml

This way one would add action group names to the roles configuration instead of the actual action names (like "indices:data/write/bulk"). These action groups can be considered as an abstraction from implementation details (action names) to a user-oriented interface (action group names).

Thus, whenever a new action is introduced, the action name just needs to be added to the respective static action group.

Note: It's important to keep in mind that static action groups are not persisted to the config index. Thus, the addition of entries to static action groups does not require modification of persisted data.
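
An added illustration of the approach described in the comment above (not part of the issue thread and not the security plugin's code): a simplified model of resolving persisted roles against static action groups before and after an upgrade. The group contents, role names and the action name `indices:data/write/example_new` are constructed for the example.

```python
# Model of action-group resolution; not the OpenSearch security plugin's code.

# Constructed stand-in for the static action groups shipped with the plugin
# (not persisted to the config index, so each release can extend them).
STATIC_GROUPS_OLD = {
    "write": ["indices:data/write/bulk", "indices:data/write/index"],
    "crud": ["write", "indices:data/read/search"],
}
# After an upgrade: the new release adds a (constructed) action to "write".
STATIC_GROUPS_NEW = {
    **STATIC_GROUPS_OLD,
    "write": STATIC_GROUPS_OLD["write"] + ["indices:data/write/example_new"],
}

# Constructed roles as persisted in the config index; never rewritten here.
PERSISTED_ROLES = {
    "by_action_name": ["indices:data/write/bulk", "indices:data/write/index"],
    "by_group_name": ["write"],
    "nested_group": ["crud"],
}


def resolve(entries, groups, _seen=None):
    """Expand action group names (recursively) into concrete action names."""
    seen = set() if _seen is None else _seen
    actions = set()
    for entry in entries:
        if entry in groups:
            if entry in seen:  # guard against cyclic group definitions
                continue
            seen.add(entry)
            actions |= resolve(groups[entry], groups, seen)
        else:
            actions.add(entry)
    return actions


def gained_on_upgrade(role):
    """Actions a persisted role gains purely from the new static groups."""
    allowed = PERSISTED_ROLES[role]
    return resolve(allowed, STATIC_GROUPS_NEW) - resolve(allowed, STATIC_GROUPS_OLD)


if __name__ == "__main__":
    for name in PERSISTED_ROLES:
        print(name, sorted(gained_on_upgrade(name)))
```

The role that lists raw action names gains nothing after the upgrade, which is the case the config upgrade APIs exist to repair; the roles that reference group names pick up the new action with no write to persisted data.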
