Support an api to check logged on user own permissions.

[skkosuri-amzn]

Support an api to check logged on user own permissions. Similar to x-pack GET /_security/user/_has_privileges

Use case from alerting plugin: While creating an alerting monitor, check if user has permissions to read/search the
indices being monitored. Current workaround: Call _search on those indices to check for read permissions.

[getsaurabh02]

Hi Team, is there a plan to prioritize this one yet. This seems to be a very essential functionality to be able to identify the current user's permission. Lack of a direct API from the security side, have led to plugins building adhock workarounds, which has lead to performance and availability issues in the past. Such as : opensearch-project/index-management#414

[getsaurabh02]

cc : @davidlago @peternied

[peternied]

Thanks for the interest, I know this is a great feature request, but with the current architecture of the security plugin it isn't possible to do this in a complete fashion due to permissions being written on N objects (DLS/FLS).

We are revisiting some of the security plugins architecture with the work on extensions and we might have better mechanisms to do this as we integrate security features inside of OpenSearch, follow along https://github.com/opensearch-project/opensearch-sdk/blob/main/SECURITY.md

[lezzago]

This would also be beneficial to plugins that integrated with security. This allows the frontend of those plugins know that the user does not have access to a feature of the plugin and can proactively inform the customer that they do not have access to that. This can greatly enhance the user experience for these plugins.

For example:
The Alerting plugin has integrated with the security plugin. On the Alerting plugin page, when a user, with no alerting permission, tries to create a monitor and fills out all the information, they will get a popup that will indicate they cannot create a monitor since they do not have the corresponding permission. This is because the Alerting (backend) plugin will only know the user does not have access to create a monitor only when the CreateMonitor API is being called and that exception will be surfaced to the Alerting (frontend) plugin. Only after the exception is reaches the Alerting (frontend) plugin, can the Alerting plugin inform the user that they cannot create a monitor.

[stephen-crawford]

[Triage] Closing in favor of the Identity project which will provide these APIs.

[praveensameneni]

@scrawfor99 , We have another use case in Index Management and hit an issue due to security permissions. Any update on the prioritization or Identity project ?

[stephen-crawford]

Hi @praveensameneni, I will check on the status of this for you and provide an update below. I know we have made significant progress in the overall implementation but I am not sure whether the feature you are requesting has been implemented yet.

[cwperks]

[Triage] @willyborankin Tagging you on this issue for insight.