Feature Request: Multiple roles and field anonymization #771
Labels
enhancement
New feature or request
Comments
|
Hi @ZhiXingHeYiApple - if I'm not asking too much, do you mind trying again with the latest OpenSearch to see if the newest version meets your needs? The Opensearch Project has superseded ODFE. I'm going to go ahead and close this one out, but please feel free to reopen. |
|
This issue should have been resolved along with the #1735. |
gaobinlong
pushed a commit
to gaobinlong/security
that referenced
this issue
Aug 30, 2023
…arch-project#771) * Create release notes for rc-1 * Bump plugin version to 1.0.0.0-rc1 * Add PR#763, opensearch-project#771 and opensearch-project#770 to release notes rc1 * Build security backend rc1 * change the version in release notes * Change plugin version to rc1
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi
Now when I use the latest version(1.10.1) of opendisto elasticsearch, I find field masking can not work well, as with document-level security, if a user is member of multiple roles it is important to understand how the field anonymization (FA) settings for these roles are combined.
In case of FA, the FA field definitions of the roles are combined with AND.
But if a user has a role that defines FA restrictions on an index, and another role that does not place any FA restrictions on the same index, the restrictions defined in the first role still apply. Is it possible to implement feature like
search guard, which change that behaviour so that a role that places no restrictions on an index removes any restrictions from other roles. That can be enabled in elasticsearch.yml:Search Guard - Multiple roles and field anonymization
thanks!
The text was updated successfully, but these errors were encountered: