[Feature] Update SecurityIndexAccessEvaluator to support new index permission

[peternied]

New permission for read/write access on system indexes

A new permissions should be created a starting point is 'system:admin/system_index', where 'system:' is a new convention. The new permission name should be used where {NEW PERMISSION R/W SYSTEM INDEX} is seen in the rest of this document

Updates to SecurityIndexAccessEvaluator

SecurityIndexAccessEvaluator is responsible for accepting/rejecting modifications to the system index. This class will be modified so the evaluate(...) method includes the permissions from the current user has '{NEW PERMISSION R/W SYSTEM INDEX}' permissions for each index in the request. If allowed on all the system indexes in the request, then preemptively return, otherwise use the conventional evaluation flow.

Along with this should be a new integration test that verify:

• The new permissions applies to the indexes that match its index pattern, no other system indexes.
• The new permissions allows for read and write operations on the permitted index(es)
• (Should already exist, if not add) Make sure that '*' allowed actions doesn't automatically give '{NEW PERMISSION R/W SYSTEM INDEX}' access

[samuelcostae]

@peternied @scrawfor99 Sorry if the answer is obvious, but I have a question, each Extension will have it's own index? or is it only one index called "system_index" that will contain info for all extensions? And Piggybacking on that, each extension would have it is own User and Role?

[peternied]

Additional background on system indexes configuration / security plugin interaction https://opensearch.org/docs/1.3/security/configuration/system-indexes/

Plugins implement the SystemIndexPlugin interface when they can describe N system indexes, [link]. Extensions will do the same (but that is out of scope for this task).

Check out how different plugins use them by searching through the org [search results].

[samuelcostae]

Hi!

"The new permissions allows for read and write operations on the permitted index(es)"

So a user mapped to the following role:

myExtensionRole:
  description: "Extension Role"
  cluster_permissions:
    - '*'
  index_permissions:
    - index_patterns:
        - '.myExtensionIndex'
      allowed_actions:
        - "system:admin/system_index"

Should be able to read/write without any of the existing allowed actions ? (e.g. "indices:admin/get" )

Cause i was thinking, couldn't just block the access if it is trying to access and extension index without the new permission and if it has the new permission, proceed with the remaining existing permission checks?

[cwperks]

@samuelcostae Not all extensions may request to reserve indices for the extension, but for the extensions that do they need a mechanism for interacting (i.e. creating, deleting, indexing, etc.) to those reserved indices and they need special protections to prevent unwanted actions akin to how plugins reserve indices in the plugin architecture.

Take for example Anomaly Detection which reserves: [".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state"]

AD as an extension needs a mechanism to work with these index patterns and prevent anyone else from doing anything with these indices.

In the plugin architecture, plugins will stash their threadcontext which grants the plugin to act as a superadmin and bypass security checks when doing anything with those indices. Since these indices are defined in this list, the security plugin gives special protection which even forbids the admin from doing anything, including deleting, the index. A good example of this is the security index used by the security plugin which contains config entries like the internal user list. Not even the admin can delete this index and you will receive an error message if you try.

I'm not sure if it makes sense to introduce an action name that can be assigned in a role, without tying it to an actual action in OpenSearch. system:admin/system_index should correspond to the name of a transport action in OpenSearch.

One thought that I have is if the request is coming from the service account that is tied to the extension that has reserved the index that we can modify the SecurityIndexAccessEvaluator to permit the request and forbid anyone else.