Onboard / Integrate Anomaly Detection API into ODFE-cli #39
Comments
As backend_roles are very important to the security model of using Anomaly Detection (when using filter_by_backend_roles), please circle back with the folks managing the security model. For the CLI to interact with Anomaly Detection objects - there will need to be better control on the backend_roles associated with the in-scope objects. Additionally - there will likely need to be additional permissions made available such that the calling API can bypass the backend_roles filter, such that Anomaly Detection objects can be administered globally.
@ryn9 trying to understand a little bit more here. Do you mean CLI users calling Anomaly Detection APIs should bypass backend_roles and be given full access?
I am saying that some type of permission mechanism needs to be put in place to allow specific users or roles to bypass the backend_roles filters. The intent of this permission mechanism would be for admin users and APIs to admin these objects without having to adhere to the backend_role restrictions.
Ideally we would like to not have special permissions for the CLI. odfe-cli would take the credentials of the user and sign the request, and the backend determines what needs to be done with this user. If the user is looking to have full access, then odfe-cli expects them to provide the credentials of an admin or user credentials that have full access. Does this sound ok?
I am hoping that odfe-cli does not end up with special permissions :) I am trying to highlight that without improvements to the filter_by_backend_roles mechanism, the odfe-cli (or any external API calling to the cluster) is often going to be problematic - as often the API caller will not have backend_roles that users would. See this other issue for further discussion on the topic - opendistro-for-elasticsearch/alerting#302
@ryn9 thank you. We will look into this.
Thanks @ryn9 for reaching out. Ideally we do not want odfe-cli to have special permissions. I would like to understand what permission model would ideally support your use case.
As I was saying, please reference opendistro-for-elasticsearch/alerting#302. The alerting and anomaly permission models, with filter_by_backend_roles in place, work quite a bit differently than the rest of the permission system. "super-admin" access may actually not get you access to these items, in accordance with the backend filter. Additionally - administering these objects with a user that has many backend roles may have unintended consequences - such as sharing alerting and anomaly objects with unintended parties. This is not specially a odfe-cli.
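A simplified model of the filter_by_backend_roles behaviour discussed in this thread, added here as an illustration and not taken from the plugin or from any commenter. It assumes an object records its creator's backend roles and is visible only to users who share at least one of them, with no bypass for any role; the user names, role names and functions are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    backend_roles: frozenset

@dataclass(frozen=True)
class Detector:
    name: str
    owner_backend_roles: frozenset  # assumption: copied from the creator at creation time

def create_detector(name, creator):
    """The new object inherits every backend role the creator holds."""
    return Detector(name, creator.backend_roles)

def can_access(user, detector, filter_by_backend_roles=True):
    """Assumed rule: with the filter on, access needs one shared backend role."""
    if not filter_by_backend_roles:
        return True
    return bool(user.backend_roles & detector.owner_backend_roles)

def visible(user, detectors, filter_by_backend_roles=True):
    """Names of the detectors this user can see."""
    return sorted(d.name for d in detectors
                  if can_access(user, d, filter_by_backend_roles))

def audience(detector, users):
    """Everyone the object ends up shared with because of the creator's roles."""
    return sorted(u.name for u in users if can_access(u, detector))

# Constructed sample users (hypothetical names and roles)
analyst_a = User("analyst_a", frozenset({"team-a"}))
analyst_b = User("analyst_b", frozenset({"team-b"}))
cli_service = User("cli_service", frozenset())  # external API caller, no backend roles
ops_admin = User("ops_admin", frozenset({"team-a", "team-b", "ops"}))
USERS = [analyst_a, analyst_b, cli_service, ops_admin]

DETECTORS = [
    create_detector("a-latency", analyst_a),
    create_detector("ops-wide", ops_admin),  # created by a user with many roles
]

if __name__ == "__main__":
    print("cli_service sees:", visible(cli_service, DETECTORS))
    print("analyst_b sees:", visible(analyst_b, DETECTORS))
    print("ops-wide is shared with:", audience(DETECTORS[1], USERS))
```

In this model the caller without backend roles sees nothing regardless of its other permissions, and the detector created by the many-role user becomes visible to both teams.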
Sure, I worked on building the permissions feature for both Anomaly detection and Alerting. We did consider having an admin view if somebody wanted and this was via 'super-admin'
@saratvemulapalli as far as I am aware the super-admin function is available only via the elasticsearch.yml setting: opendistro_security.authcz.admin_dn, which is not available in AWS ES. As such, I am unable to use it / test it.
@ryn9 that's a good point. I was always in the context of ODFE. We'll take this feedback and work on a permission model for AWS ES.
Created an issue to track: opendistro-for-elasticsearch/anomaly-detection#384
Much like the task to "Onboard / Integrate Monitor CLI", please look to Onboard / Integrate the Anomaly Detection API