
[RFC] Should static key be part of keys allowed to an admin when interaction with action groups via API. #4387

Open
DarshitChanpura opened this issue May 30, 2024 · 6 comments
Labels
question User requested information triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@DarshitChanpura
Member

Coming from this discussion thread on the PR: #4371.

At the moment, we do not have a clear answer, nor is there a clear distinction between the usages of hidden, reserved and static.

Expected outcome

  • An answer has been provided on whether the static field should be allowed to be updated by an admin user.
@DarshitChanpura DarshitChanpura added the question User requested information label May 30, 2024
@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label May 30, 2024
@willyborankin
Collaborator

Not only action groups, but also roles, roles mapping, internal users and tenants.

@stephen-crawford stephen-crawford changed the title [Question] Should static key be part of keys allowed to an admin when interaction with action groups via API. [RFC] Should static key be part of keys allowed to an admin when interaction with action groups via API. Jun 3, 2024
@stephen-crawford
Contributor

[Triage] Thanks for filing this issue @DarshitChanpura. Swapped to RFC in the title just so more people click and provide their thoughts. I will look into the links you shared and try to offer an opinion later today.

@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jun 3, 2024
@nibix
Collaborator

nibix commented Jul 1, 2024

I just saw this by coincidence, so I thought I'll give you my five cents.

As far as I understand it, the meaning of static, reserved and hidden in the config files is as follows:

  • static: Config entries which are defined in the source code (in https://github.com/opensearch-project/security/tree/main/src/main/resources/static_config ) are marked as such. These are config entries on which you can rely to be everywhere - like the action groups read or crud (except when disabled by a weird config option). Static config entries should not be exposed or editable by the REST APIs or the securityadmin tool. Having this as an attribute in the YAML file feels totally redundant, though, as static entries can be identified as such by being present in the respective collection here:

private static SecurityDynamicConfiguration<RoleV7> staticRoles = SecurityDynamicConfiguration.empty();

  • reserved: This is a config entry which can only be modified by a super admin user. It is visible to normal users, though.

  • hidden: This is a config entry which can only be modified and seen by a super admin user.

So, to come back to the question:

Should static key be part of keys allowed to an admin when interaction with action groups via API.

My IMHO would be "no" :-)
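
The three markers as nibix describes them, expressed as a small access-policy model for the REST API. This is an added example, not code from the OpenSearch security plugin; the entry names, the allowed body keys, the caller kinds and the response codes are assumptions made for the illustration. It answers the question in the title the same way: `static` is never an accepted body key, and static entries are neither listed nor updatable, even for the super admin.

```python
"""Policy model for static / reserved / hidden config entries (action groups).

Added example only. The entry names, body keys and status codes are
assumptions for this illustration, not the plugin's real format or API.
"""
from dataclasses import dataclass

SUPER_ADMIN = "super_admin"   # e.g. caller authenticated with the admin certificate
NORMAL_USER = "normal_user"   # any other caller that is allowed to use the API


@dataclass(frozen=True)
class Entry:
    name: str
    allowed_actions: tuple
    static: bool = False      # defined in source code, present everywhere
    reserved: bool = False    # visible to all, modifiable by super admin only
    hidden: bool = False      # visible and modifiable by super admin only


# Constructed sample collection (not real plugin data).
ACTION_GROUPS = (
    Entry("read", ("indices:data/read/*",), static=True),
    Entry("crud", ("indices:data/read/*", "indices:data/write/*"), static=True),
    Entry("reporting", ("indices:data/read/search",), reserved=True),
    Entry("ops_internal", ("cluster:monitor/*",), hidden=True),
    Entry("team_a_rw", ("indices:data/read/*", "indices:data/write/*")),
)

# Keys a caller may send in a create/update body. `static` is deliberately
# absent for both caller kinds: static entries only come from source code.
BODY_KEYS_NORMAL = frozenset({"allowed_actions", "description", "type"})
BODY_KEYS_SUPER_ADMIN = BODY_KEYS_NORMAL | {"reserved", "hidden"}


def visible_via_rest(entry: Entry, caller: str) -> bool:
    if entry.static:
        return False                    # never exposed through the REST API
    if entry.hidden:
        return caller == SUPER_ADMIN
    return True                         # reserved and plain entries are listed for everyone


def modifiable_via_rest(entry: Entry, caller: str) -> bool:
    if entry.static:
        return False                    # not even the super admin
    if entry.reserved or entry.hidden:
        return caller == SUPER_ADMIN
    return True


def list_action_groups(caller: str, groups=ACTION_GROUPS) -> list:
    """What a GET on the collection returns for this caller."""
    return [e.name for e in groups if visible_via_rest(e, caller)]


def rejected_body_keys(body: dict, caller: str) -> set:
    """Body keys that must be refused before anything is written."""
    allowed = BODY_KEYS_SUPER_ADMIN if caller == SUPER_ADMIN else BODY_KEYS_NORMAL
    return set(body) - allowed


def apply_update(name: str, body: dict, caller: str, groups=ACTION_GROUPS) -> tuple:
    """Return (status, detail) modelling a PUT/PATCH on one entry."""
    bad = rejected_body_keys(body, caller)
    if bad:
        return 400, f"keys not allowed: {sorted(bad)}"
    entry = next((e for e in groups if e.name == name), None)
    # Static and (for normal users) hidden entries answer 404 so that the
    # API does not confirm their existence to callers who may not see them.
    if entry is None or not visible_via_rest(entry, caller):
        return 404, f"'{name}' not found"
    if not modifiable_via_rest(entry, caller):
        return 403, f"'{name}' is reserved or hidden; super admin required"
    return 200, f"'{name}' updated"


if __name__ == "__main__":
    for who in (NORMAL_USER, SUPER_ADMIN):
        print(who, "sees", list_action_groups(who))
        print(who, apply_update("read", {"static": True, "allowed_actions": []}, who))
        print(who, apply_update("reporting", {"allowed_actions": ["indices:data/read/*"]}, who))
```

Note the ordering in `apply_update`: the body keys are validated before the target entry is looked up, so a request carrying `static` fails with 400 regardless of who sends it or whether the entry exists, which keeps the "static is not an admin key" rule independent of any per-entry permission check.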

@DarshitChanpura
Member Author

@willyborankin based on @nibix's explanation of the keywords and opinion, it seems like _static should not be part of admin actions via REST API.

@willyborankin
Collaborator

@DarshitChanpura Agree. Let's convert it to an issue and remove it. Only one thing: since the functionality is in the public documentation, it should be implemented for the 3.x version only. Wdyt?

@DarshitChanpura
Member Author

Agreed as I'm not aware of the blast radius of this so 3.x sounds like a safer route to implement this.
