[FEATURE] Allow super-admin to control which system indices are not permission-able

[DarshitChanpura]

Related to #2553

With #2887, a user who has access to modify roles will now have the ability to grant other user with permissions to the system indices. There is a potential of misuse here. If a rogue user, gets access to security index they can delete it causing no users to be able to access the cluster other than the super-admin who will have to create the index again.

What solution would you like?

Create a "denylist" setting which contains a list of system indices that are not permission-able to normal users.

[stephen-crawford]

[Triage] Hi @DarshitChanpura, thank you for filing this issue. I am going to leave this issue untriaged pending further review of whether treating the security index separately is adequate.

[DarshitChanpura]

[Update from Security review] Having security index isolated and documenting it should suffice in satisfying the requirement for this issue.

[samuelcostae]

@DarshitChanpura "list of system indices that are not permission-able to normal user"

Only super admin would be able to access it by bypassing the checks, is that correct?

[stephen-crawford]

[Triage] @DarshitChanpura per your last message "Having security index isolated and documenting it should suffice in satisfying the requirement for this issue." Is there an issue addressing this specific concern? If so we can close this. If there is not, would you want to convert this issue accordingly.

[stephen-crawford]

[Triage] @DarshitChanpura following up

[peternied]

This is duplicate of #2845

[DarshitChanpura]

#2845 talks about adding an explicit feature flag that enables/disables the feature. This issue talks about maintaining an explicit deny-list of system indices which are not permission-able (this list will only contain security-index as of now). Let's close it once #2887 is merged.