[FEATURE] Explicit Deny Construct in the Security Permission Model #5023

Open
devardee opened this issue Jan 13, 2025 · 1 comment
Labels
enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@devardee

Is your feature request related to a problem?
The current permission model of the security plugin has no construct for explicit deny.

What solution would you like?
The role would look something like this:

complex-role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "read"
  - "cluster:monitor/nodes/stats"
  - "cluster:monitor/task/get"
  allowed_index_permissions:
  - index_patterns:
    - "opensearch_dashboards_sample_data_*"
    dls: "{\"match\": {\"FlightDelay\": true}}"
    fls:
    - "~FlightNum"
    masked_fields:
    - "Carrier"
    allowed_actions:
    - "read"
  denied_index_permissions:
  - index_patterns:
    - "sample_index_*"
  tenant_permissions:
  - tenant_patterns:
    - "analyst_*"
    allowed_actions:
    - "kibana_all_write"
  static: false
_meta:

What alternatives have you considered?
No

Do you have any additional context?
No

@devardee devardee added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 13, 2025
@cwperks cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 13, 2025
@cwperks
Member

cwperks commented Jan 13, 2025

[Triage] Thank you for filing this issue @devardee. This has been brought up previously so I will try to resurrect the discussion.

The current security model is to DENY ALL and explicitly allow permissions, rather than the opposite: ALLOW ALL and then list out the denial rules.
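An added example, not part of either comment and not the plugin's code: a small evaluator contrasting the default-deny, allow-only model described above with the requested explicit deny, for a user mapped to two roles. The role shape follows the issue's proposal; the second role `broad-reader`, the `denied_actions` key, the deny-overrides-allow precedence and the literal treatment of `read` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed roles shaped like the proposal. Assumptions, not plugin behaviour:
# a deny in any mapped role beats every allow, a deny entry without an action
# list blocks all actions, and "read" is a literal name (no action groups).
ROLES = {
    "complex-role": {
        "allowed_index_permissions": [
            {"index_patterns": ["opensearch_dashboards_sample_data_*"],
             "allowed_actions": ["read"]},
        ],
        "denied_index_permissions": [{"index_patterns": ["sample_index_*"]}],
    },
    "broad-reader": {  # hypothetical second role mapped to the same user
        "allowed_index_permissions": [
            {"index_patterns": ["sample_*"], "allowed_actions": ["read"]},
        ],
    },
}

def _matches(entry, index, action, key, if_missing):
    """True if the entry's index patterns and its action list cover the request."""
    if not any(fnmatchcase(index, p) for p in entry["index_patterns"]):
        return False
    actions = entry.get(key)
    if actions is None:
        return if_missing
    return any(fnmatchcase(action, a) for a in actions)

def evaluate(role_names, index, action, honor_deny=True):
    """Return (decision, reason) for one index/action request."""
    roles = [(name, ROLES[name]) for name in role_names]
    if honor_deny:  # proposed model: explicit denies are checked first
        for name, role in roles:
            for entry in role.get("denied_index_permissions", []):
                # "denied_actions" is a hypothetical key, absent from the issue
                if _matches(entry, index, action, "denied_actions", True):
                    return "deny", f"explicit deny in {name}"
    for name, role in roles:  # current model: any matching allow grants access
        for entry in role.get("allowed_index_permissions", []):
            if _matches(entry, index, action, "allowed_actions", False):
                return "allow", f"allowed by {name}"
    return "deny", "default deny (no matching allow)"

if __name__ == "__main__":
    mapped = ["complex-role", "broad-reader"]
    for honor in (False, True):
        print(honor, evaluate(mapped, "sample_index_2025", "read", honor))
```

With `honor_deny=False` the broad `sample_*` allow in the second role grants the read; with the proposed deny honored, the same request is refused regardless of which other roles the user holds.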
