Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Question] Should resource-sharing information be stored on a dedicated index or on the resource index inside the documents? #5014

Open
1 task
DarshitChanpura opened this issue Jan 9, 2025 · 1 comment
Open
1 task

[Question] Should resource-sharing information be stored on a dedicated index or on the resource index inside the documents? #5014

DarshitChanpura opened this issue Jan 9, 2025 · 1 comment
Assignees
@DarshitChanpura
Labels
resource-permissions Label to track all items related to resource permissions triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@DarshitChanpura
Copy link
Member

Please read original proposal: #4500 in-case you need context on the feature itself.

Proposal

With the recent changes in design approach of the Resource Sharing and Permissions feature, we've reached at a fork in the path where we must choose from 2 paths forward for storing resource-sharing data. Below, I've listed these two approaches in more detail:

Approach 1 : Dedicated index

This approach emphasizes storing resource sharing information on a dedicated index .opensearch-resource-sharing. A document will look something like:

{
    "_index": ".opensearch-resource-sharing",
    "_id": "ki95HkHK8H5Gm9O5T23i",
    "_score": 1.0,
    "_source": {
        "resource_id": "ej10HpQB9Y5Gm9L4T17p",
        "source_idx": ".sample-resource-plugin"
        "created_by": {
          "user": "darshit"
        },
        "share_with": {
          "restricted": {
             "users": ["craig", "derek"],
             "roles": [],
             "backend_roles": []
          }
        }
    }
}

This approach present a more simplistic path towards achieving resource-level access-control with some performance overhead.

  1. Pros:
    1. This approach maintains separation of concerns .
    2. With this approach no additional protections need to be put in place to ensure that the resource-sharing related data is not unintentionally exposed to the user.
  2. Cons:
    1. This approach requires a separate index call to this document when applying DLS which would add a performance overhead (significance yet to be determined)

Approach 2: Same Index

This approach emphasizes that the resource-sharing information will be stored in the resource document to keep it closer to the resource intended to have access-control. This would look something like:

{
    "_index": ".sample-resource-plugin",
    "_id": "ej10HpQB9Y5Gm9L4T17p",
    "_score": 1.0,
    "_source": {
        "name": "sample_test",
        "description": "Sample test resource for ResourcePlugin",
        "attributes": {
            "a": "b"
        },
        "created_by": {
          "user": "darshit"
        },
        "share_with": {
          "restricted": {
             "users": ["craig", "derek"],
             "roles": [],
             "backend_roles": []
          }
        }
    }
}

Although this approach looks similar to the current model where plugins store the user information in their own index, the biggest difference is that now security-plugin will be aware of this data and has control over it.

NOTE: With this approach, opensearch-project/OpenSearch#15778 becomes a requirement to enforce zero-trust policy and ensure that there is no unintended data-exposure.

  1. Pros:
    1. No additional calls required when performing DLS to filter out non-accessible resources from the final result. Hence, no significant performance overhead.
  2. Cons:
    1. This approach requires that proper barriers be put in place to prevent plugins from modifying the resource-sharing data.
      1. This should be only allowed for super-admin, security plugin and the owner of the resource.
    2. Proper scrubbers must be put in place so that users who are not the owners of a resource but still have access to it, must not see who else this resource is shared with.
      1. Resource owners, suepr-admin and security-plugin must still be able to view these details.

Intention

  • To seek inputs on which approach should be selected.
@DarshitChanpura DarshitChanpura added the resource-permissions Label to track all items related to resource permissions label Jan 9, 2025
@DarshitChanpura DarshitChanpura self-assigned this Jan 9, 2025
@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Jan 9, 2025
@nibix
Copy link
Collaborator

nibix commented Jan 13, 2025

One question: Is it clear that a resource maps always exactly to one document in an index?

@cwperks cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DarshitChanpura DarshitChanpura

Labels
resource-permissions Label to track all items related to resource permissions triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cwperks @nibix @DarshitChanpura