@fen-qin fen-qin commented Aug 26, 2025

Description

For AOS 3.3, search relevance workbench will support OpenSearch Dashboards visualization which requires direct access to "search-relevance-experiment-results". Update the read_access to allowlist the index permission.

Issues Resolved

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

  • no, this change is for AOS 3.3, no backport needed

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

  • spin up local cluster with security enabled
  • create internal user
curl -k -X PUT "https://localhost:9200/_plugins/_security/api/internalusers/mfenqin_readaccess" \
  -u admin:MyStrongPassword123! \
  -H 'Content-Type: application/json' \
  -d '{
    "password": "ReadAccess123!",
    "backend_roles": [],
    "attributes": {}
  }'
  • create a role with updated index permission
curl -k -X PUT "https://localhost:9200/_plugins/_security/api/roles/search_relevance_read_access_enhanced" \
  -u admin:MyStrongPassword123! \
  -H 'Content-Type: application/json' \
  -d '{
    "cluster_permissions": [
      "cluster:admin/opensearch/search_relevance/experiment/get",
      "cluster:admin/opensearch/search_relevance/judgment/get",
      "cluster:admin/opensearch/search_relevance/queryset/get",
      "cluster:admin/opensearch/search_relevance/search_configuration/get"
    ],
    "index_permissions": [
      {
        "index_patterns": ["search-relevance-*"],
        "allowed_actions": [
          "indices:admin/mappings/get",
          "indices:data/read/search*",
          "indices:data/read/get*"
        ]
      }
    ]
  }'
  • create role mapping to assign the role to the new user
curl -k -X PUT "https://localhost:9200/_plugins/_security/api/rolesmapping/search_relevance_read_access_enhanced" \
  -u admin:MyStrongPassword123! \
  -H 'Content-Type: application/json' \
  -d '{
    "users": ["mfenqin_readaccess"]
  }'
  • screenshot, able to access OpenSearch Dashboards with mfenqin_readaccess role

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
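
An offline check of the role body from the testing steps above, added here as an example and not part of the pull request or the security plugin's code: it evaluates the posted `index_permissions` against read and write actions on `search-relevance-experiment-results`. It assumes plain `*` wildcard matching (Python's `fnmatch` stands in for the plugin's matcher); `BROAD_ROLE`, `unrelated-index`, `is_allowed` and `audit` are hypothetical names constructed for the comparison.

```python
import fnmatch
import json

# Role body as posted in the PR's testing steps (index_permissions only).
ROLE = json.loads("""
{"index_permissions": [{
  "index_patterns": ["search-relevance-*"],
  "allowed_actions": ["indices:admin/mappings/get",
                      "indices:data/read/search*",
                      "indices:data/read/get*"]}]}
""")

# Constructed counter-example: same index pattern, over-broad action wildcard.
BROAD_ROLE = {"index_permissions": [{
    "index_patterns": ["search-relevance-*"],
    "allowed_actions": ["indices:*"]}]}

TARGET = "search-relevance-experiment-results"
READS = ["indices:data/read/search", "indices:data/read/get",
         "indices:admin/mappings/get"]
WRITES = ["indices:data/write/index", "indices:data/write/bulk",
          "indices:data/write/delete", "indices:admin/delete"]


def _any_match(patterns, value):
    # Assumption: '*' wildcards only; fnmatch stands in for the plugin's matcher.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(role, index, action):
    """True if one index_permissions entry covers both the index and the action."""
    return any(_any_match(p["index_patterns"], index)
               and _any_match(p["allowed_actions"], action)
               for p in role.get("index_permissions", []))


def audit(role, index=TARGET, other_index="unrelated-index"):
    """Findings: reads that are missing, writes or foreign indices that are granted."""
    findings = [f"missing read: {a}" for a in READS if not is_allowed(role, index, a)]
    findings += [f"write granted: {a}" for a in WRITES if is_allowed(role, index, a)]
    findings += [f"read granted outside pattern: {a}" for a in READS
                 if is_allowed(role, other_index, a)]
    return findings


if __name__ == "__main__":
    for name, role in (("PR role", ROLE), ("broad role", BROAD_ROLE)):
        print(name, audit(role) or "OK")
```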

codecov bot commented Aug 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.28%. Comparing base (b07702d) to head (0cbd4c6).
⚠️ Report is 1 commits behind head on main.

@@            Coverage Diff             @@
##             main    #5590      +/-   ##
==========================================
- Coverage   73.30%   73.28%   -0.03%     
==========================================
  Files         435      435              
  Lines       26485    26491       +6     
  Branches     3945     3945              
==========================================
- Hits        19416    19415       -1     
- Misses       5188     5195       +7     
  Partials     1881     1881              

see 9 files with indirect coverage changes

cwperks commented Aug 26, 2025

@fen-qin please fix the code hygiene failures by ensuring that permissions are ordered alphabetically.

@fen-qin fen-qin force-pushed the search_relevance_role_updates branch 2 times, most recently from 891b6ce to 1333ed9 Compare August 26, 2025 17:23

fen-qin commented Aug 26, 2025

> @fen-qin please fix the code hygiene failures by ensuring that permissions are ordered alphabetically.

@cwperks, tried to fix the style and ordering issue by running the following commands:

  • node check-permissions-order.js ./config/roles.yml --fix
  • ./gradlew :spotlessApply

Would you like to take a look again? CI workflows failed but I don't think they are related to config changes.

@RyanL1997
Collaborator

CI failures are caused by the disabling of the old sonatype repo. SQL repo is also facing the same issue.

@RyanL1997
Collaborator

actually, it looks like the artifact server is unintentionally down


cwperks commented Aug 26, 2025

I'll raise a PR to remove old sonatype from maven repo options

@fen-qin fen-qin force-pushed the search_relevance_role_updates branch from 20b53f3 to ceb5751 Compare August 28, 2025 17:14
@fen-qin fen-qin force-pushed the search_relevance_role_updates branch from ceb5751 to d218884 Compare August 28, 2025 17:16
@fen-qin fen-qin requested a review from nibix August 28, 2025 18:43
@shikharj05
Collaborator

@fen-qin can you add a changelog entry?

DarshitChanpura previously approved these changes Nov 4, 2025
@DarshitChanpura DarshitChanpura dismissed their stale review November 4, 2025 18:58

pending changelog entry.
