Adds doc for Resource Sharing and Access Control feature #9667
Conversation
DarshitChanpura
requested review from
kolchfa-aws,
Naarcha-AWS,
AMoo-Miki,
natebower,
dlvenable and
epugh
as code owners
|
Thank you for submitting your PR. The PR states are In progress (or Draft) -> Tech review -> Doc review -> Editorial review -> Merged. Before you submit your PR for doc review, make sure the content is technically accurate. If you need help finding a tech reviewer, tag a maintainer. When you're ready for doc review, tag the assignee of this PR. The doc reviewer may push edits to the PR directly or leave comments and editorial suggestions for you to address (let us know in a comment if you have a preference). The doc reviewer will arrange for an editorial review. |
kolchfa-aws
added
v3.0.0
release-notes
|
|
There was a problem hiding this comment.
@DarshitChanpura: Most of this content seemed like implementation notes, so I tried to remove anything related to the development of the extensions or the plugin and make it more user-specific. That being said, is this extension meant only for plugin developers? If so, that would change how where we place the content.
I also have a few technical questions that need clarification.
|
|
||
| ### opensearch-security-spi | ||
|
|
||
| The `opensearch-security-spi` component: |
There was a problem hiding this comment.
Does the SPI component only pertain to plugin developers?
| - Tracks registered resource plugins at startup. | ||
| - Exposes a `ResourceSharingClient` for performing share, revoke, verify, and list operations. | ||
|
|
||
| You can customize this component based on the SPI implementation. To customize, create an extension file `src/main/resources/META-INF/services/org.opensearch.security.spi.ResourceSharingExtension` containing your SPI's class name: |
There was a problem hiding this comment.
How does someone know their SPI implementation? What is the implementation based off of?
There was a problem hiding this comment.
This is purely for plugin developers. It will be used when a new/existing plugin declares themselves as Resource plugin. Similar model is already in place for JobScheduler.
|
|
||
| ### Document structure | ||
|
|
||
| The resource sharing metadata is stored as JSON documents that define ownership, permissions, and access patterns. Each document contains fields that specify the resource location, identifier, creator information, and sharing configuration: |
There was a problem hiding this comment.
Where would I find or add this document? Is it an API call to the security plugin?
There was a problem hiding this comment.
This is not visible to regular users directly as it is hidden behind SystemIndex Protection.
For plugins intending to declare a protected resource, they can retrieve the information about who can access this resources by simply calling security client's hasPermission.
End users will, in future, iterations be able to control who they can share the resource with once plugin implements those APIs and makes the info available via dashboard.
At this point, the documentation intends to serve plugin developers, with allowing admins to optionally opt in to this feature by enabling feature flag.
We are trying to implement a sharing model that doesn't exist in OpenSearch yet. This is the first step by centralizing the sharing information to security, rather than plugins storing it individually.
There was a problem hiding this comment.
What would the hasPermission call look like?
There was a problem hiding this comment.
Plugins would call the client by passing the id of the resources, the index name where the resource sits and a listener to receive the response. This will then be evaluated on security plugin side and a boolean response will be sent through the listener.
|
|
||
| - Declare and register extensions correctly. | ||
| - Use the SPI client APIs instead of manual index queries. | ||
| - Enable only on fresh 3.0.0+ clusters to avoid upgrade issues. |
There was a problem hiding this comment.
What do we mean by "fresh" clusters?
There was a problem hiding this comment.
This feature is intended to be enabled only on brand new clusters.
There was a problem hiding this comment.
In next iteration, we will add a migration path to enable usage on existing clusters.
|
Yes, the extension is meant for plugin developers only. The feature itself toggles the "centralized " vs "non-centralized " approach when it comes to the internal sharing model. For example, for new cluster, if AD chooses to use this and their filter by backend role setting, all detectors will upon creation be shared with the creators backend roles. However, the difference between old way and the new way is that with new way the sharing information will be stored in central index in security vs with old approach it will be stored in the ad-config index. |
DarshitChanpura
force-pushed
the
resource-sharing-feature
branch
from
b780759 to
e465712
Compare
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
force-pushed
the
resource-sharing-feature
branch
from
ac67305 to
90aaf81
Compare
| To grant the resource sharing extension these permissions, add the following role to `roles.yaml`: | ||
|
|
||
| ```yaml | ||
| sample_full_access: | ||
| cluster_permissions: | ||
| - 'cluster:admin/sample-resource-plugin/*' | ||
|
|
||
| sample_read_access: | ||
| cluster_permissions: | ||
| - 'cluster:admin/sample-resource-plugin/get' | ||
| ``` | ||
| {% include copy.html %} |
There was a problem hiding this comment.
To which users shall these roles be assigned to? Anyone who shall be able to do resource sharing?
|
Thank you for this PR! Like @Naarcha-AWS I also believe that is mostly developer docs; I think we should try to keep user documentation and developer documentation separate. User documentation for this feature can be very minimalisting IMHO:
Developer documentation: A separate documentation target at developers should contain:
I am not exactly sure where such docs should go to. There is https://docs.opensearch.org/docs/latest/developer-documentation/ but this mostly points to .md files in the git repos. There are just two small documents that are parts of the documentation website. What's the general strategy regarding that? Shall the section on the documentation website be extended? My personal opinion would be that it is better to keep it directly in respective project repos, as this minimizes the gap between code and docs. But that's just IMHO. |
|
@nibix: Traditionally, Developer Documentation would belong in the repository where the source code lives, in this case, OpenSearch Security? If that's the correct location @DarshitChanpura, I can try and open a PR against that repo where the classes and such should live. |
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
|
Moving this out of 3.0.0 |
Description
Adds doc for the newly added Centralized Resource Access Control and Sharing feature.
Issues Resolved
Closes #9652
Version
3.0
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.