What is the bug?
There are APIs, such as reloadcerts, which are only authorized for full admin users.
What is the expected behavior?
There should be granular permissions that for all actions in OpenSearch to be individually assigned. The large blast radius in production clusters when performing operational tasks goes against common security practices like the least privileged.
Do you have any additional context?
Also, Just noticed this which gets in the way of me having an internal user run the refresh command. This could be it's own permissions group, potentially.
Originally reported by @patcable in #1877
Other APIs that are admin only
nodesdnallowlistactiongroupuser / internalusersrolesrolesmappingtenants
What is the bug?
There are APIs, such as reloadcerts, which are only authorized for full admin users.
What is the expected behavior?
There should be granular permissions that for all actions in OpenSearch to be individually assigned. The large blast radius in production clusters when performing operational tasks goes against common security practices like the least privileged.
Do you have any additional context?
Originally reported by @patcable in #1877
Other APIs that are admin only
nodesdnallowlistactiongroupuser/internalusersrolesrolesmappingtenants