Create a mechanism for tracking patches to the security index to eventually enable rollback/rollforward of adjacent changes

[cwperks]

Is your feature request related to a problem?

Currently, its possible to use the security audit log to track changes to the security index when listening for COMPLIANCE_INTERNAL_CONFIG_WRITE events. Its also possible to combine this with config.compliance.enabled: true, config.compliance.write_log_diffs: true and config.compliance.write_metadata_only: false to only capture the diffs for security index requests.

The problem with this is that its not intuitive to configure and leaves cluster operators filtering the audit log for these types of events to figure out security config changes.

I'm opening this issue to spark a discussion about separating these config changes out to a separate place with the eventual goal of supporting rollback/rollforward in case a cluster operator wants to revert to the last previously known good cluster state.

[DarshitChanpura]

@cwperks @nagarajg17 Seems like this is a good change? Any comments.

[nagarajg17]

Proposal : Versioned Security Configuration Management

To address the current limitations in security configuration management, proposal is implementing a comprehensive versioning system for the OpenSearch security index. This system will enable rollback and roll-forward capabilities, provide a history of changes, and allow administrators to easily view and select specific configurations from the past.

Key Components:

New System Index: Introduce a dedicated system index named .opendistro_security_config_versions to store versioned security configurations.

Versioning Mechanism:

• Generate a new version (e.g., v1, v2, v3) for each change in the security index.
• Store the complete security configuration for each version in the new system index.
• Have retention policy to purge old versions

Updated Security Config Update Flow: Modify the existing security configuration update process to

• Create a new version entry in the .opendistro_security_config_versions index
• Store the full configuration snapshot for each version

Rollback/Roll-forward Functionality:

• Implement a mechanism to revert to or advance to a specific version.
• Include compatibility checks to ensure the selected version is compatible with the current system state.

Change History Viewer: Develop a API to allow administrators or security managers to

• View the complete history of security configuration changes.
• Compare differences between versions.
• Select a specific version for rollback or roll-forward

Alternative Approach

Instead of storing complete security configurations, only store the differences (diffs) between versions in the .opendistro_security_config_versions index. While this approach is more space-efficient, it is creating increased complexity in reconstructing complete configurations for rollbacks and potential for errors in the diff chain, which could ultimately result in compromising the integrity of the security settings

API Design

View Security Configuration Versions

• Endpoint:

  • To view all the versions : GET _opendistro/_security/api/config/version/_all
  • To view a specific version : GET _opendistro/_security/api/config/version/{version_id}

• Access Control: Admin/Security Manager permissions required

• Response Format for specific version:

{
  "versions": [
    {
        "version_id": "v1",
        "timestamp": "2023-06-15T10:30:00Z",
        "config": {...}
    }
  ]
}

*Response Format for all versions:

{
  "versions": [
    {
        "version_id": "v1",
        "timestamp": "2023-06-15T10:30:00Z",
        "config": {...}
    },
    {
        "version_id": "v2",
        "timestamp": "2023-06-16T14:45:00Z",
        "config": {...}
    },
    ...
  ]
}

Rollback/Roll-forward to Desired Version

• Endpoint: POST _opendistro/_security/api/config/rollback/version/{version_id}
• Access Control: Admin/Security Manager permissions required
• Response Format:

{
   "status": "OK",
   "message": "config rolled back to version v1."
}