-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Project plan for anomaly detection features #43
Conversation
Signed-off-by: Peter Nied <petern@amazon.com>
@opensearch-project/security Could I get a review of this set of changes as well? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really good! I've made a few suggested tweaks.
|
||
#### Delayed action API [sdk#42](https://github.com/opensearch-project/opensearch-sdk/issues/42) | ||
When actions are triggered without an interactive user session OpenSearch will need to permit the action to occur or not. Create an API for these background tasks to get an identity associated with the session. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably want to mention Principal
identities here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think about moving this detail into the associated issue? Its a great requirement that should be part of use cases and acceptance criteria.
Signed-off-by: Peter Nied <petern@amazon.com> Co-authored-by: Daniel Widdis <widdis@gmail.com>
Additional background avaliable from [Security#1895](https://github.com/opensearch-project/security/issues/1895) | ||
|
||
### User identity [OpenSearch#3846](https://github.com/opensearch-project/OpenSearch/issues/3846) :negative_squared_cross_mark: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AD exposes a bunch of actions.
For example: cluster:admin/opensearch/ad/detector/delete
[1] is a Transport Action API exposed by AD.
How do we plan to support authorization of user for extensions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the existing security plugin in place, no additional action is needed as these are already filtered. The assumption is that the security plugins hooks will still execute before the extensions hooks are triggered so the API calls can be intercepted as is already implemented.
If/When we rewrite the permissions evaluation system I think part of the backwards compatibility story will need to account for scenarios like this where no/minimal action is needed by plugin authors.
Signed-off-by: Peter Nied <petern@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @peternied for this.
Excited to see these pieces in action.
@dbwiddis / @owaiskazi19 I'd like to get this change merged, any thing you'd like to see updated beforehand? |
* Project plan for anomaly detection features Signed-off-by: Peter Nied <petern@amazon.com> Co-authored-by: Daniel Widdis <widdis@gmail.com>
Description
Project plan for anomaly detection features
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.