[FEATURE] Improve Create Action Group UX to ensure valid action groups are created #1713

Open
cwperks opened this issue Jan 2, 2024 · 1 comment
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed, need help from community triaged

Comments

@cwperks
Member

cwperks commented Jan 2, 2024

The current user interface for creating action groups in the OpenSearch Security plugin allows for the combination of actions from different categories within a single group. These categories are:

  1. cluster_permissions
  2. index_permissions
  3. tenant_permissions

Ideally, all actions within a single action group should belong to the same category. Although it's technically possible to mix action types in a group, this practice is ineffective for role assignment purposes. Only actions belonging to the category relevant to the role's section will be acknowledged during authorization checks.

For example, consider an action group that includes both a cluster action (cluster:monitor/health) and an index action (indices:data/read/search). To utilize all permissions in this action group, it must be assigned to both the cluster_permissions and index_permissions sections of a role. If this action group is only assigned to the cluster_permissions section, then the index actions in the group will not be effective.


Here's an example of how a role is defined:

```yaml
example_role:
  reserved: true
  hidden: false
  static: true
  description: "Example role"
  cluster_permissions:
    - "<list_of_allowed_cluster_actions_or_action_groups>"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "<list_of_allowed_index_actions_or_action_groups>"
  tenant_permissions:
    - tenant_patterns:
        - "*"
      allowed_actions:
        - "kibana_all_write | kibana_all_read"
```

This structure implies that when defining roles, careful attention should be paid to the categorization of actions in action groups to ensure effective permission assignments.

@cwperks cwperks added enhancement New feature or request untriaged labels Jan 2, 2024
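The check the issue asks for, sketched as an added example (not code from the issue or from the OpenSearch Security plugin): it reports action groups that mix categories and lists the actions that are ignored in the role section where a group is assigned. All function names are hypothetical, the sample groups and role are constructed, and inferring the category from the action-name prefix is a simplifying assumption; a real implementation would use the plugin's own permission lists.

```javascript
// Added example; hypothetical names, not the plugin's API.
// Assumption: an action's category is inferred from its name prefix.
function classifyAction(action) {
  if (action.startsWith('cluster:')) return 'cluster';
  if (action.startsWith('indices:')) return 'index';
  if (action.startsWith('kibana:')) return 'tenant';
  return 'unknown';
}

const isGroup = (name, groups) => Object.prototype.hasOwnProperty.call(groups, name);

// Flatten a group to concrete actions; nested groups are followed once each,
// so a cyclic definition terminates instead of recursing forever.
function expandGroup(name, groups, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  return (groups[name] || []).flatMap((entry) =>
    isGroup(entry, groups) ? expandGroup(entry, groups, seen) : [entry]);
}

// Categories present in a group; more than one entry means the group is mixed.
function groupCategories(name, groups) {
  return [...new Set(expandGroup(name, groups).map(classifyAction))].sort();
}

// Actions reached through a group but not honoured in the role section it is assigned to.
function ineffectiveActions(role, groups) {
  const sections = [
    ['cluster', role.cluster_permissions || []],
    ['index', (role.index_permissions || []).flatMap((p) => p.allowed_actions)],
    ['tenant', (role.tenant_permissions || []).flatMap((p) => p.allowed_actions)],
  ];
  const findings = [];
  for (const [section, entries] of sections) {
    for (const group of entries.filter((e) => isGroup(e, groups))) {
      for (const action of expandGroup(group, groups)) {
        const category = classifyAction(action);
        if (category !== 'unknown' && category !== section) findings.push({ section, group, action });
      }
    }
  }
  return findings;
}

// Constructed sample data mirroring the example in the issue.
const groups = {
  mixed_group: ['cluster:monitor/health', 'indices:data/read/search'],
  read_only: ['indices:data/read/search'],
  nested_mixed: ['read_only', 'cluster:monitor/health'],
};
const role = { cluster_permissions: ['mixed_group'], index_permissions: [] };
```

A create-action-group form could reject input when `groupCategories` returns more than one category, and `ineffectiveActions` can be run over existing roles to find permissions that were intended but never take effect.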
@stephen-crawford
Contributor

[Triage] Hi @cwperks, thank you for adding this issue. This seems like a worthwhile change. We can always get specific UX/UI input, but in the meantime your idea seems reasonable and like a good improvement. Let's mark this as triaged, and help wanted / good first issue. Thanks :)

@stephen-crawford stephen-crawford added help wanted Extra attention is needed, need help from community good first issue Good for newcomers triaged and removed untriaged labels Jan 8, 2024