Remove `.opendistro-alerting-alert*` indices from system-indices configuration

[skkosuri-amzn]

Is your feature request related to a problem? Please describe.
Remove .opendistro-alerting-alert* indices from system-indices configuration by default.

Describe the solution you'd like
.opendistro-alerting-alert* indices contains current and historical alerts. Currently, .opendistro-alerting-alert* indices are configured as system-index by default. To access these indices, you must authenticate with an admin certificate. Though system-indices provide greater privileges requirements to directly access these indices, but at the same time users can't build visualizations and dashboards on top of these indices.

Proposal:

Remove .opendistro-alerting-alert* indices from system-indices configuration by default. Still the access to these indices are controlled by roles. This would enable building visualizations and dashboards on top of these indices.
And at the same time, secure access is controlled by security roles rather than system-indices.

Describe alternatives you've considered
Edit OpenSearch.yml file and remove .opendistro-alerting-alert* from opendistro_security.system_indices.indices.

Additional context
Similar proposal for .opendistro-anomaly-results* indices which store results of the Anomaly Detection plugin generated results.

[skkosuri-amzn]

Tagging @kaituo @ylwu-amzn @lezzago

[skkosuri-amzn]

Tagging more folks: @elfisher @praveensameneni

[elfisher]

@skkosuri-amzn does this retain the index, but just remove it from system indices? What is the impact to the user? Would they now need specific permission policies to access these indices? thx!

[kaituo]

@skkosuri-amzn Do we only need to remove the alert index from system index list in security plugin? Do we need anything else? Does that mean we accept no fine-grained access control on the alert index?

[ylwu-amzn]

@skkosuri-amzn does this retain the index, but just remove it from system indices? What is the impact to the user? Would they now need specific permission policies to access these indices? thx!

@elfisher @skkosuri-amzn
I think any user who has permission of alerting index can read/write/delete the index directly, of course admin user will be able to do anything. Generally, current users can still use alerting plugin via Kibana&API like before. Moving alerting index out of system index makes it possible to allow user who has specific security roles can query the index directly, like @skkosuri-amzn said, that can "enable building visualizations and dashboards on top of these indices", which is impossible as no one including admin user can query system indices directly.

[skkosuri-amzn]

@skkosuri-amzn does this retain the index, but just remove it from system indices? What is the impact to the user? Would they now need specific permission policies to access these indices? thx!

@elfisher - Yes, it removes from system-indices configuration. Users with privileges can access alerts (stored in .opendistro-alerting-alert* indices from both direct API as GET /.opendistro-alerting-alert*/_search and also using alerting api GET _opendistro/_alerting/monitors/alerts , with system-indices users can use only GET _opendistro/_alerting/monitors/alerts to read alerts. Only super-admin is able to access with direct API when these indices are configured as system-indices.

[skkosuri-amzn]

@skkosuri-amzn Do we only need to remove the alert index from system index list in security plugin? Do we need anything else? Does that mean we accept no fine-grained access control on the alert index?

@kaituo Yes, remove alerts* indices from opensearch.yml config for system-indices. We need to double check, if we need to modify default alerts roles. We still have fine-grained access control on these indices, we plan to remove only from system-index config. These indices still require privileges (roles) to access data from these indices.

[hardik-k-shah]

As discussed, we should only remove indices (from system index) on which specific plugin doesn't depend for its operation/configuration.

No user (including admin) should have direct access on any indices which store configurations or data on which plugin directly operates. Those indices should be part of system index and any modification on that indices should be allowed only via APIs exposed through plugin.

Indices which are configuration index and or indices which data plugin consumes for its operation should not be exposed to any user (except super admin). So, any accidental changes to these indices can be avoided.

In alerting case, if I understand correctly, the index mentioned in above issues stores only historical alerts and alerting plugin operations doesn't directly depends on history of the alerts and hence it is safe to remove that index out of system index.

[skkosuri-amzn]

Yes @hardik-k-shah This indices we plan to remove from system-indices list contain only alerts history.

[skkosuri-amzn]

Hi @ALL, This is targeted for next release of OpenSearch 1.1.