Resource permission management #3890
Comments
@peternied Does the new permission section also need Does the
@cwperks Thanks for the questions
I avoided adding To your question specifically, for the permission calculation in the prototype I used is Rest/Transport action name allowed && is the resource id in the list of allowed items. While this prevents granular this or that kinds of permissions in a single role, maybe multiple roles is the better solution than making a single role support the more complex matrix with the traditional cluster permissions.

Example roles

```yaml
read_only_view:
  cluster_permissions:
    - cluster:views:list
    - cluster:views:get
    - cluster:views:search
  resource_permissions:
    - resource_type: view
      resource_ids: ["songs", "albums"]

read_write_views:
  cluster_permissions:
    - cluster:views:search
    - cluster:views:list
    - cluster:views:create
    - cluster:views:get
    - cluster:views:delete
    - cluster:views:update
  resource_permissions:
    - resource_type: view
      resource_ids: ["*"]
```

Note: if you can create views it's strange not to have wildcard resource access
My concern about wildcard matches is that it is too easy to create something and unexpected people have permissions because of a poorly constructed match string. When the only options are specific vs everything it's much easier to interpret an access control list at a glance.
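
As an added example (not code from the Security Plugin or from the thread participants), the check described above, action name allowed and resource id listed, with ids restricted to literals or exactly `*`, can be modelled as follows. The function names are hypothetical; evaluating the conjunction per role and matching action names exactly are assumptions of this sketch.

```python
# Added illustration: a model of the check described in the thread, not the
# Security Plugin's implementation. Role names and actions are copied from the
# example roles above; function names are hypothetical.
ROLES = {
    "read_only_view": {
        "cluster_permissions": [
            "cluster:views:list", "cluster:views:get", "cluster:views:search"],
        "resource_permissions": [
            {"resource_type": "view", "resource_ids": ["songs", "albums"]}],
    },
    "read_write_views": {
        "cluster_permissions": [
            "cluster:views:search", "cluster:views:list", "cluster:views:create",
            "cluster:views:get", "cluster:views:delete", "cluster:views:update"],
        "resource_permissions": [
            {"resource_type": "view", "resource_ids": ["*"]}],
    },
}


def validate_role(role):
    """Reject partial patterns: an id is either a literal or exactly "*"."""
    for grant in role.get("resource_permissions", []):
        for rid in grant["resource_ids"]:
            if "*" in rid and rid != "*":
                raise ValueError(f"partial wildcard not allowed: {rid!r}")


def resource_granted(role, resource_type, resource_id):
    """True if the role lists this id, or "*", for the given resource type."""
    for grant in role.get("resource_permissions", []):
        if grant["resource_type"] != resource_type:
            continue
        ids = grant["resource_ids"]
        if "*" in ids or resource_id in ids:
            return True
    return False


def is_allowed(user_roles, action, resource_type, resource_id, roles=ROLES):
    """Allow only if ONE role grants both the action and the resource id."""
    for name in user_roles:
        role = roles.get(name)
        if role is None:
            continue  # unknown role names grant nothing
        validate_role(role)
        # Assumption: action names match exactly (no pattern expansion here).
        if action in role["cluster_permissions"] and resource_granted(
                role, resource_type, resource_id):
            return True
    return False
```

Because the conjunction is evaluated inside each role, an action granted by one role never combines with a resource id granted by another, which is what makes the multiple-roles approach readable as an access control list.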
[Triage] Hi @peternied, thank you for filing this issue. This is an RFC so we can mark this triaged and label as help wanted (for community input).
Description
With resource based permissions for views, the authorization system within the Security Plugin will need to handle requests that provide resource type / id data against the security roles. How these grants are written has an impact on the administrative user experience.
This issue contains an initial proposal built in a proof of concept, but these are not hard requirements for the feature.
[Proposal 1] Resource Permission Grants
With requests including resource type and identifiers, the security plugin will need to allow for grants to these new types. Modify the security role to include this information under a section `resource_permissions` so it can be checked and then the request can be permitted.

Exit Criteria