[RFC] Aligning Access and Visibility in OpenSearch #4069
Description
Problem Statement
When an OpenSearch cluster admin, Alice, creates a Quarterly Sales dashboard and shares it with user Bill, Alice does not know whether Bill will see the same data.
How can this be?
In the Security plugin, several permission rules are evaluated based on the user sending the query. They alter the query results and are invisible to the user Bill.
- Permissions for indices are additive: to read an index, a user needs a role that grants permission to that index. Sales data could be in indices named `sales-na-YYYY-MM` and `sales-eu-YYYY-MM`, and Bill might only have access to the EU region.
- Document-level security features (including row-, column- and field-masking restrictions) are additive: if a user has a role with these features enabled, it adds a restriction on the data. Sensitive sales data is filtered out by a DLS rule such as `customer-name == Frodo Baggins`.
- The Security plugin supports operating in a mode where queries are edited in flight to remove indices the user does not have permission to access. Bill does not have access to the NA region sales data, so those results are silently filtered out.
Bill's view of the dashboard would be missing data, and he would be unaware of it. Even if he brought this to Alice's attention, she has no straightforward way to know what data Bill is missing, nor whether he needs more permissions to `sales-na-*` or fewer permissions so that the sensitive sales data filter is not applied.
```mermaid
flowchart TB
A["Quarterly Sales Dashboard Query: sales-*"] -->B1["Alice: Expand Query Indices<br/>sales-na-jan, sales-na-feb, sales-eu-jan, sales-eu-feb"]
A -->B2["Bill: Expand Query Indices<br/>sales-na-jan, sales-na-feb, sales-eu-jan, sales-eu-feb"]
subgraph Alice ["Alice's Flow"]
B1 --> C1{"Resolve User Permissions"}
C1 -->|No Filters Applied| E1["Filtered Indices:<br/>sales-na-jan, sales-na-feb, sales-eu-jan, sales-eu-feb"]
E1 --> F1{Apply DLS Rules}
F1 -->|No DLS Rules Applied| G1["Final Query:<br/>sales-na-jan, sales-na-feb, sales-eu-jan, sales-eu-feb"]
G1 --> H1["Run Query"]
end
subgraph Bill ["Bill's Flow"]
B2 --> C2{"Resolve User Permissions"}
C2 -->|Filters Applied| E2["Filtered Indices:<br/>sales-eu-jan, sales-eu-feb"]
E2 --> F2{Apply DLS Rules}
F2 -->|Exclude 'Frodo Baggins'| G2["Final Query:<br/>sales-eu-jan, sales-eu-feb Exclude 'Frodo Baggins'"]
G2 --> H2["Run Query"]
end
H1 --> I["All Indices Data"]
H2 --> I
style A fill:#f9f,stroke:#333,stroke-width:2px
style I fill:#bff,stroke:#333,stroke-width:2px
```
Proposal
There should be a resource that combines these different access control rules together, so that if access to that resource is granted, Alice has confidence that Bill sees exactly the same view of the data. If Bill does not have access, there is a clear path to resolve the access question: "Alice, could you grant me access to the 'Company wide sales data' resource so I can see the Quarterly Sales dashboard?"
This resource would be fundamentally different from the existing index, index pattern, alias and data stream resources, which require explicit permissions. Administering a resource's settings would require permissions on the 'targeted' indices.
This resource would need a new way to be granted and reviewed, since the existing permissions model only allows for cluster-wide, index and tenant permissions.
I suggest this is called a View, as in "Alice could you grant me access to the 'Company wide sales view'".
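To make the problem statement and the proposal concrete, here is an added, simplified model (not the Security plugin's own resolution code) of how a user's roles shape the dashboard query and how a View check would surface the gap. It assumes a constructed set of four sales indices, a `Role` type with hypothetical `index_patterns` and `dls` fields, and treats each DLS rule as an opaque label rather than modelling how the plugin combines several rules.

```python
"""Constructed model of per-user query shaping; not the Security plugin's own code."""
import fnmatch
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    index_patterns: list   # hypothetical: patterns this role grants read access to
    dls: str = ""          # hypothetical: label of a DLS restriction this role adds


@dataclass(frozen=True)
class EffectiveView:
    indices: frozenset     # indices that survive permission resolution
    dls: frozenset         # DLS restrictions the user's roles add


# Constructed cluster state behind the dashboard's sales-* pattern.
CLUSTER_INDICES = ["sales-na-jan", "sales-na-feb", "sales-eu-jan", "sales-eu-feb"]


def resolve_view(roles, requested_pattern, cluster_indices=CLUSTER_INDICES):
    """Expand the query pattern, keep only indices some role grants (additive index
    permissions), silently drop the rest (in-flight index filtering), and collect
    every DLS restriction contributed by the roles (also additive)."""
    requested = [i for i in cluster_indices if fnmatch.fnmatch(i, requested_pattern)]
    allowed = {i for i in requested
               if any(fnmatch.fnmatch(i, p) for r in roles for p in r.index_patterns)}
    dls = {r.dls for r in roles if r.dls}
    return EffectiveView(frozenset(allowed), frozenset(dls))


def same_view(owner_view, viewer_view):
    """The guarantee the proposed View resource would give: identical data."""
    return owner_view == viewer_view


def explain_gap(owner_view, viewer_view):
    """Tell the owner why the viewer sees different data and in which direction
    (missing index permission vs. an extra DLS restriction)."""
    gaps = []
    for idx in sorted(owner_view.indices - viewer_view.indices):
        gaps.append(f"missing index {idx}: viewer needs a role granting it")
    for rule in sorted(viewer_view.dls - owner_view.dls):
        gaps.append(f"extra DLS rule {rule!r}: viewer has a role that adds it")
    return gaps
```

Running `explain_gap` on Alice's and Bill's views from the diagram reports the two missing NA indices and the Frodo Baggins restriction, which is exactly the information Alice lacks today.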
Additional Context
Related issues
- [BUG] Role with Document-level security (DLS) masks more generic permissions #3773
- [BUG] "Field level security" and "Field masking definitions" don't work together with "Document level security" #3274
- [BUG] `dfm_empty_overrides_all` removes DLS also if other role has no explicit data/read permission #3963