diff --git a/_dashboards/management/management-index.md b/_dashboards/management/management-index.md index 04a72622ae..575c6d6ff2 100644 --- a/_dashboards/management/management-index.md +++ b/_dashboards/management/management-index.md @@ -22,3 +22,4 @@ You can access the following applications in **Dashboards Management**: - **[Data Sources]({{site.url}}{{site.baseurl}}/dashboards/management/multi-data-sources/):** The Data Sources tool is used to configure and manage the data sources that OpenSearch uses to collect and analyze data. You can use the tool to specify the source configuration in your copy of the [OpenSearch Dashboards configuration file](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/config/opensearch_dashboards.yml). - **[Saved Objects](https://opensearch.org/blog/enhancement-multiple-data-source-import-saved-object/):** The Saved Objects tool helps you organize and manage your saved objects. Saved objects are files that store data, such as dashboards, visualizations, and maps, for later use. - **[Advanced Settings]({{site.url}}{{site.baseurl}}/dashboards/management/advanced-settings/):** The Advanced Settings tool gives you the flexibility to personalize the behavior of OpenSearch Dashboards. The tool is divided into settings sections, such as General, Accessibility, and Notifications, and you can use it to customize and optimize many of your Dashboards settings. +- **[Resource Access Management]({{site.url}}{{site.baseurl}}/dashboards/management/resource-sharing/):** The Resource Access Management tool provides fine-grained access control for plugin-defined resources such as ML model groups, anomaly detectors, and report definitions. You can share resources with specific users, roles, or backend roles and control their access levels. diff --git a/_dashboards/management/resource-sharing.md b/_dashboards/management/resource-sharing.md new file mode 100644 index 0000000000..b559e1714c --- /dev/null +++ b/_dashboards/management/resource-sharing.md @@ -0,0 +1,137 @@ +--- +layout: default +title: Resource access management +parent: Dashboards Management +nav_order: 55 +--- + +# Resource access management +**Introduced 3.3** +{: .label .label-purple } + +This is an experimental feature and is not recommended for use in a production environment. For updates on the progress of the feature or if you want to leave feedback, join the discussion on the [OpenSearch forum](https://forum.opensearch.org/). +{: .warning} + +Resource sharing in OpenSearch Dashboards provides fine-grained, document-level access control for plugin-defined resources such as ML model groups, anomaly detectors, report definitions, and other shareable objects. This feature extends OpenSearch's role-based access control by allowing resource owners to specify who can access a resource and what level of access they have, including read-only or read-write permissions. OpenSearch Dashboards offers a simple UI for everyday access management, while the Dev Tools console enables automation or batch operations for advanced workflows. + +If resource sharing features are not visible in OpenSearch Dashboards, contact your OpenSearch administrator to enable the capability and assign appropriate permissions. +{: .note} + +A **resource** is a document created by a plugin and stored in a protected system index, for example: + +- ML model groups and models +- Anomaly detectors +- Reporting definitions +- Flow framework workflows +- Any plugin-defined resource type + +The following table lists the default resource access, which is determined by the user's role and relationship to the resource. + +| User | Access | +|------------------|-----------------------------------------| +| Resource creator | Full access (view, edit, delete, share) | +| Super-admin | Full access | +| Other users | No access unless shared | + +Once a resource is shared with specific users, roles, or backend roles, it becomes visible to those users in OpenSearch Dashboards. OpenSearch Dashboards automatically filters resource lists based on your identity, permissions, and the resource sharing configuration. + +## Prerequisites + +To use resource sharing in OpenSearch Dashboards, you must fulfill the following prerequisites: + +* **Plugin-level cluster permissions**: Assigned by an administrator; required for creating resources. +* **Resource-level sharing access**: The resource must be explicitly shared with you unless you are the owner or a super-admin. +* **Security plugin settings enabled**: Administrators must enable the following in the configuration: + ```yaml + plugins.security.experimental.resource_sharing.enabled: true + plugins.security.experimental.resource_sharing.protected_types: [""] + plugins.security.system_indices.enabled: true + ``` + {% include copy.html %} + + For more information, see [Experimental feature flags]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/experimental/). + +# Sharing resources using OpenSearch Dashboards + +Follow these steps to share resources in OpenSearch Dashboards: + +1. Open a shareable resource: + + * In the left navigation, under the **Management** section, select **Resource Access Management** (visible only if resource sharing is enabled). + * From the resource type dropdown list, choose the resource type you want to view or manage. The **Resources** table automatically displays all resources you have access to. If no resources appear, create one or ask an administrator or resource owner to share it with you. + +1. Choose an access level. OpenSearch Dashboards dynamically retrieves available access levels (action groups) from OpenSearch, for example: + + * `ad_read_only` + * `ml_read_write` + * `flow_framework_full_access` + Access levels are plugin-specific and vary by resource type. + {: .note} + +1. Add users, roles, or backend roles: + * Specific users (for example, `alice`) + * Specific roles (for example, `data_viewer`) + * Specific backend roles (for example, `engineering_team`) + + Wildcards (`*`) are supported for the users field to make a resource publicly accessible at the chosen access level. + {: .note} + +1. Select **Save** to update the backend configuration. Changes are applied immediately. + + +## Viewing and managing access + +Follow these steps to view and manage access for a resource in OpenSearch Dashboards: + +1. Open the **Sharing** panel: + + * Navigate to the **Resource Access Management** app and select a resource from the **Resources** table. The panel displays: + * The resource owner. + * All users, roles, and backend roles with access. + * Their assigned access levels. + * Whether you have permission to reshare the resource. + +1. Determine sharing permissions. You can share a resource only if you meet one of the following conditions: + + * You are the owner of the resource. + * The owner shared the resource with you and granted share permission. + * You are a superadmin. + +1. Add or remove users, roles, or backend roles as needed. Removing access immediately hides the resource from the affected users. + +## Listing resources shared with you + +OpenSearch Dashboards automatically shows only the resources you have access to. No additional actions are required. + +Resource visibility is determined by: + +* **Ownership** – You are the owner of the resource. +* **Sharing configuration** – The resource has been explicitly shared with you. +* **Plugin cluster permissions** – You have the necessary permissions for the resource’s plugin. +* **Role or backend role membership** – Your roles grant access to the resource. +* **Public resources** – Resources shared with all users using wildcards (for example, `users: ["*"]`). + + +## Managing resource sharing using APIs + +You can manage resource sharing programmatically using REST APIs. These operations can only be performed if you are the owner, a superadmin, or have sharing access to the resource. You can use the command line or the **Dev Tools** console to send API requests. + +For complete API documentation including endpoints, parameters, and examples, see [Resource sharing APIs]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/). + +## Troubleshooting + +Use the following table to troubleshoot the following common issues. + +| Issue | Possible cause | Fix | +|----------------------------------------------|----------------------------------------|----------------------------------------------------------------------------| +| `Resource Access Management` app not visible | Feature disabled | Ask admin to enable `resource_sharing.enabled` | +| User can't create resource | Missing plugin API permissions | Ask admin to map to appropriate role | +| User can't access a resource | Resource is not shared with them | Ask owner to share it with them at appropriate access level | +| API returns 403 in Dev Tools | Resource is not shared with them | Ask owner to share it with them at appropriate access level | +| Resource not listed in OpenSearch Dashboards | Resource not marked as protected | Ask admin to mark resource as protected `resource_sharing.protected_types` | +| PATCH does nothing | Access level not defined for that type | Verify plugin’s action-groups | + +## Related documentation + +- [Resource sharing and access control]({{site.url}}{{site.baseurl}}/security/access-control/resources/) - Backend concepts, configuration, and setup +- [Resource sharing APIs]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/) - REST API reference for programmatic management \ No newline at end of file diff --git a/_security/access-control/anonymous-authentication.md b/_security/access-control/anonymous-authentication.md index cb2f951546..f5aecd9a00 100644 --- a/_security/access-control/anonymous-authentication.md +++ b/_security/access-control/anonymous-authentication.md @@ -2,7 +2,7 @@ layout: default title: Anonymous authentication parent: Access control -nav_order: 145 +nav_order: 130 --- # Anonymous authentication diff --git a/_security/access-control/api.md b/_security/access-control/api.md index c0b39ecbe2..03fa8bf362 100644 --- a/_security/access-control/api.md +++ b/_security/access-control/api.md @@ -11,8 +11,6 @@ redirect_from: The Security plugin REST API lets you programmatically create and manage users, roles, role mappings, action groups, and tenants. ---- - #### Table of contents 1. TOC {:toc} @@ -2008,3 +2006,11 @@ HTTP/1.1 200 OK content-type: application/json; charset=UTF-8 content-length: 45 ``` + +--- + +## Resource sharing +**Introduced 3.3** +{: .label .label-purple } + +For managing resource-level access control and sharing plugin-defined resources such as ML models and anomaly detectors, see [Resource sharing APIs]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/). \ No newline at end of file diff --git a/_security/access-control/default-action-groups.md b/_security/access-control/default-action-groups.md index c50ed40a1b..ee7bd40477 100644 --- a/_security/access-control/default-action-groups.md +++ b/_security/access-control/default-action-groups.md @@ -2,7 +2,7 @@ layout: default title: Default action groups parent: Access control -nav_order: 115 +nav_order: 80 redirect_from: - /security/access-control/default-action-groups/ - /security-plugin/access-control/default-action-groups/ diff --git a/_security/access-control/document-level-security.md b/_security/access-control/document-level-security.md index b4b5c3533d..5f4eb549f4 100644 --- a/_security/access-control/document-level-security.md +++ b/_security/access-control/document-level-security.md @@ -2,7 +2,7 @@ layout: default title: Document-level security parent: Access control -nav_order: 85 +nav_order: 90 redirect_from: - /security/access-control/document-level-security/ - /security-plugin/access-control/document-level-security/ diff --git a/_security/access-control/field-level-security.md b/_security/access-control/field-level-security.md index 79ea2dd556..9fe0368e82 100644 --- a/_security/access-control/field-level-security.md +++ b/_security/access-control/field-level-security.md @@ -2,7 +2,7 @@ layout: default title: Field-level security parent: Access control -nav_order: 90 +nav_order: 95 redirect_from: - /security/access-control/field-level-security/ - /security-plugin/access-control/field-level-security/ diff --git a/_security/access-control/field-masking.md b/_security/access-control/field-masking.md index fc7a8bed51..f8d377b925 100644 --- a/_security/access-control/field-masking.md +++ b/_security/access-control/field-masking.md @@ -2,7 +2,7 @@ layout: default title: Field masking parent: Access control -nav_order: 95 +nav_order: 100 redirect_from: - /security/access-control/field-masking/ - /security-plugin/access-control/field-masking/ diff --git a/_security/access-control/impersonation.md b/_security/access-control/impersonation.md index 4bf7ab689d..f4d51157db 100644 --- a/_security/access-control/impersonation.md +++ b/_security/access-control/impersonation.md @@ -2,7 +2,7 @@ layout: default title: User impersonation parent: Access control -nav_order: 100 +nav_order: 105 redirect_from: - /security/access-control/impersonation/ - /security-plugin/access-control/impersonation/ diff --git a/_security/access-control/permissions.md b/_security/access-control/permissions.md index 287bdb23cc..1c23348634 100644 --- a/_security/access-control/permissions.md +++ b/_security/access-control/permissions.md @@ -2,7 +2,7 @@ layout: default title: Permissions parent: Access control -nav_order: 110 +nav_order: 75 redirect_from: - /security-plugin/access-control/permissions/ --- diff --git a/_security/access-control/resource-sharing-api.md b/_security/access-control/resource-sharing-api.md new file mode 100644 index 0000000000..3db66ace18 --- /dev/null +++ b/_security/access-control/resource-sharing-api.md @@ -0,0 +1,486 @@ +--- +layout: default +title: Resource sharing APIs +parent: Resource sharing and access control +grand_parent: Access control +nav_order: 10 +--- + +# Resource sharing APIs +**Introduced 3.3** +{: .label .label-purple } + +This is an experimental feature and is not recommended for use in a production environment. For updates on the progress of the feature or if you want to leave feedback, join the discussion on the [OpenSearch forum](https://forum.opensearch.org/). +{: .warning} + +The Resource Sharing APIs provide programmatic access to manage fine-grained, document-level access control for plugin-defined resources. These APIs allow you to share resources, manage access permissions, and automate resource sharing workflows. + +You can manage resource sharing directly using these REST APIs. Operations can only be performed if you are the owner, a superadmin, or have sharing access to the resource. + +## Migrate legacy sharing metadata + +Imports legacy plugin-managed sharing metadata. This API is intended for administrators to run once during system migration. + +### Endpoint + +```json +POST _plugins/_security/api/resources/migrate +``` + +### Request body fields + +The following table lists the available request body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `source_index` | String | The source index containing legacy sharing metadata. Required. | +| `username_path` | String | A JSON path to the owner name (for example, `/owner/name`). Required. | +| `backend_roles_path` | String | A JSON path to backend roles (for example, `/owner/backend_roles`). Required. | +| `default_owner` | String | The default owner for resources without explicit ownership. Required. | +| `default_access_level` | Object | The default access levels by resource type. Add additional entries if the resource index contains multiple resource types. Required. | + +### Example request + +```json +POST _plugins/_security/api/resources/migrate +{ + "source_index": "legacy-sharing-index", + "username_path": "/owner/name", + "backend_roles_path": "/owner/backend_roles", + "default_owner": "admin", + "default_access_level": { + "ml-model-group": "read_only", + "anomaly-detector": "read_write" + } +} +``` +{% include copy-curl.html %} + +### Example response + +```json +{ + "summary": "Migration complete. migrated 10; skippedNoType 1; skippedExisting 0; failed 1", + "resourcesWithDefaultOwner": ["doc-17"], + "skippedResources": ["doc-22"] +} +``` + +### Response body fields + +The following table lists all response body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `summary` | String | A summary message describing the migration results, including counts of migrated, skipped, and failed resources. | +| `resourcesWithDefaultOwner` | Array | A list of resource IDs that were assigned the default owner because no owner information was found. | +| `skippedResources` | Array | A list of resource IDs that were skipped during migration (for example, missing type information or already migrated). | + +### Required permissions + +If you use the Security plugin, make sure you have the appropriate permissions: `restapi:admin/resource_sharing/migrate`. + +## Get sharing configuration + +Retrieves the current sharing configuration for a specific resource. + +### Endpoint + +```json +GET _plugins/_security/api/resource/share +``` + +### Query parameters + +The following table lists the available query parameters. + +| Parameter | Data type | Description | +| :--- | :--- | :--- | +| `resource_id` | String | The unique identifier of the resource. Required. | +| `resource_type` | String | The type of the resource (for example, `ml-model-group`). Required. | + +### Example request + +```json +GET _plugins/_security/api/resource/share?resource_id=model-group-123&resource_type=ml-model-group +``` +{% include copy-curl.html %} + +### Example response + +```json +{ + "sharing_info": { + "resource_id": "model-group-123", + "created_by": { + "user": "admin" + }, + "share_with": { + "read_only": { + "users": ["bob"], + "roles": ["data_viewer"], + "backend_roles": [] + }, + "read_write": { + "users": ["charlie"], + "roles": [], + "backend_roles": ["ml_team"] + } + } + } +} +``` + +### Response body fields + +The following table lists all response body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `sharing_info` | Object | Contains the complete sharing configuration for the resource. | +| `sharing_info.resource_id` | String | The unique identifier of the resource. | +| `sharing_info.created_by` | Object | Information about the resource creator. | +| `sharing_info.created_by.user` | String | The username of the resource creator. | +| `sharing_info.share_with` | Object | The sharing configuration organized by access level. | +| `sharing_info.share_with.` | Object | An access level (for example, `read_only`, `read_write`) containing lists of principals. | +| `sharing_info.share_with..users` | Array | A list of usernames with this access level. | +| `sharing_info.share_with..roles` | Array | A list of roles with this access level. | +| `sharing_info.share_with..backend_roles` | Array | A list of backend roles with this access level. | + +### Required permissions + +If you use the Security plugin, make sure you have the appropriate permissions: `cluster:admin/security/resource/share`. + +## Replace resource sharing configuration + +Completely replaces the sharing configuration for a resource. This operation overwrites all existing sharing settings. + +### Endpoint + +```json +PUT _plugins/_security/api/resource/share +``` + +### Request body fields + +The following table lists the available request body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `resource_id` | String | The unique identifier of the resource. Required. | +| `resource_type` | String | The type of the resource. Required. | +| `share_with` | Object | Sharing configuration organized by access level. Each access level can contain `users`, `roles`, and `backend_roles` arrays. Required. | + +### Example request: Share with specific users and roles + +```json +PUT _plugins/_security/api/resource/share +{ + "resource_id": "model-group-123", + "resource_type": "ml-model-group", + "share_with": { + "read_only": { + "users": ["bob"], + "roles": ["data_viewer"] + }, + "read_write": { + "users": ["charlie"], + "backend_roles": ["ml_team"] + } + } +} +``` +{% include copy-curl.html %} + +### Example request: Make a resource private + +```json +PUT _plugins/_security/api/resource/share +{ + "resource_id": "model-group-123", + "resource_type": "ml-model-group", + "share_with": {} +} +``` +{% include copy-curl.html %} + +### Example response + +```json +{ + "sharing_info": { + "resource_id": "model-group-123", + "created_by": { + "user": "admin" + }, + "share_with": { + "read_only": { + "users": ["bob"], + "roles": ["data_viewer"], + "backend_roles": [] + }, + "read_write": { + "users": ["charlie"], + "roles": [], + "backend_roles": ["ml_team"] + } + } + } +} +``` + +### Response body fields + +The following table lists all response body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `sharing_info` | Object | Contains the complete sharing configuration for the resource. | +| `sharing_info.resource_id` | String | The unique identifier of the resource. | +| `sharing_info.created_by` | Object | Information about the resource creator. | +| `sharing_info.created_by.user` | String | The username of the resource creator. | +| `sharing_info.share_with` | Object | The sharing configuration organized by access level. | +| `sharing_info.share_with.` | Object | An access level (for example, `read_only`, `read_write`) containing lists of principals. | +| `sharing_info.share_with..users` | Array | A list of usernames with this access level. | +| `sharing_info.share_with..roles` | Array | A list of roles with this access level. | +| `sharing_info.share_with..backend_roles` | Array | A list of backend roles with this access level. | + +### Required permissions + +If you use the Security plugin, make sure you have the appropriate permissions: `cluster:admin/security/resource/share`. + +## Update resource sharing configuration + +Adds or removes access without affecting existing sharing configuration. This operation is non-destructive and preserves current access settings. + +### Endpoint + +```json +PATCH _plugins/_security/api/resource/share +``` + +### Request body fields + +The following table lists the available request body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `resource_id` | String | The unique identifier of the resource. Required. | +| `resource_type` | String | The type of the resource. Required. | +| `add` | Object | Access to add, organized by access level. Optional. | +| `revoke` | Object | Access to remove, organized by access level. Optional. | + +### Example request: Add and revoke access simultaneously + +```json +PATCH _plugins/_security/api/resource/share +{ + "resource_id": "model-group-123", + "resource_type": "ml-model-group", + "add": { + "read_only": { "users": ["dave"] } + }, + "revoke": { + "read_write": { "users": ["charlie"] } + } +} +``` +{% include copy-curl.html %} + +### Example request: Make a resource public + +```json +PATCH _plugins/_security/api/resource/share +{ + "resource_id": "model-group-123", + "resource_type": "ml-model-group", + "add": { + "read_only": { "users": ["*"] } + } +} +``` +{% include copy-curl.html %} + +### Example request: Remove specific access + +```json +PATCH _plugins/_security/api/resource/share +{ + "resource_id": "model-group-123", + "resource_type": "ml-model-group", + "revoke": { + "read_write": { "users": ["charlie"] } + } +} +``` +{% include copy-curl.html %} + +### Example response + +```json +{ + "sharing_info": { + "resource_id": "model-group-123", + "created_by": { + "user": "admin" + }, + "share_with": { + "read_only": { + "users": ["bob", "dave"], + "roles": ["data_viewer"], + "backend_roles": [] + }, + "read_write": {} + } + } +} +``` + +### Response body fields + +The following table lists all response body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `sharing_info` | Object | Contains the complete sharing configuration for the resource after modifications. | +| `sharing_info.resource_id` | String | The unique identifier of the resource. | +| `sharing_info.created_by` | Object | Information about the resource creator. | +| `sharing_info.created_by.user` | String | The username of the resource creator. | +| `sharing_info.share_with` | Object | The updated sharing configuration organized by access level. | +| `sharing_info.share_with.` | Object | An access level containing lists of principals after add/revoke operations. | +| `sharing_info.share_with..users` | Array | A list of usernames with this access level. | +| `sharing_info.share_with..roles` | Array | A list of roles with this access level. | +| `sharing_info.share_with..backend_roles` | Array | A list of backend roles with this access level. | + +### Required permissions + +If you use the Security plugin, make sure you have the appropriate permissions: `cluster:admin/security/resource/share`. + +## List accessible resources + +Returns all resources of a specific type that you have access to view or manage. + +### Endpoint + +```json +GET _plugins/_security/api/resource/list +``` + +### Query parameters + +The following table lists the available query parameters. + +| Parameter | Data type | Description | +| :--- | :--- | :--- | +| `resource_type` | String | The type of resources to list. Required. | + +### Example request + +```json +GET _plugins/_security/api/resource/list?resource_type=ml-model-group +``` +{% include copy-curl.html %} + +### Example response + +```json +{ + "resources": [ + { + "resource_id": "model-group-123", + "created_by": { + "user": "admin", + "tenant": "default" + }, + "share_with": { + "read_only": { + "users": ["bob"] + } + }, + "can_share": true + }, + { + "resource_id": "model-group-456", + "created_by": { + "user": "alice", + "tenant": "default" + }, + "can_share": false + } + ] +} +``` + +### Response body fields + +The following table lists all response body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `resources` | Array | A list of resources accessible to the authenticated user. | +| `resources[].resource_id` | String | The unique identifier of the resource. | +| `resources[].created_by` | Object | Information about the resource creator. | +| `resources[].created_by.user` | String | The username of the resource creator. | +| `resources[].created_by.tenant` | String | The tenant associated with the resource creator (if applicable). | +| `resources[].share_with` | Object | The sharing configuration for this resource. This field may not be present if the resource has not been shared yet. | +| `resources[].share_with.` | Object | An access level containing lists of principals. | +| `resources[].share_with..users` | Array | A list of usernames with this access level. | +| `resources[].can_share` | Boolean | Indicates whether the authenticated user has permission to share this resource. | + +### Required permissions + +This API requires authenticated access but does not require specific cluster permissions. + +## List resource types + +Returns all available shareable resource types and their supported access levels. OpenSearch Dashboards uses this API to determine supported access levels per resource type. + +### Endpoint + +```json +GET _plugins/_security/api/resource/types +``` + +### Example request + +```json +GET _plugins/_security/api/resource/types +``` +{% include copy-curl.html %} + +### Example response + +```json +{ + "types": [ + { + "type": "ml-model-group", + "action_groups": ["ml_read_only", "ml_read_write", "ml_full_access"] + }, + { + "type": "anomaly-detector", + "action_groups": ["ad_read_only", "ad_full_access"] + } + ] +} +``` + +### Response body fields + +The following table lists all response body fields. + +| Field | Data type | Description | +| :--- | :--- | :--- | +| `types` | Array | A list of resource types available in the system. | +| `types[].type` | String | The name of the resource type. | +| `types[].action_groups` | Array | A list of available action groups (access levels) for this resource type. | + +### Required permissions + +This API requires authenticated access but does not require specific cluster permissions. + + +## Related documentation + +- [Resource sharing and access control]({{site.url}}{{site.baseurl}}/security/access-control/resources/) - Backend concepts, configuration, and setup +- [Resource access management]({{site.url}}{{site.baseurl}}/dashboards/management/resource-sharing/) - UI workflows and user guidance \ No newline at end of file diff --git a/_security/access-control/resources.md b/_security/access-control/resources.md new file mode 100644 index 0000000000..24ef03b6c8 --- /dev/null +++ b/_security/access-control/resources.md @@ -0,0 +1,219 @@ +--- +layout: default +title: Resource sharing and access control +parent: Access control +nav_order: 110 +has_children: true +has_toc: false +--- + +# Resource sharing and access control + +**Introduced 3.3** +{: .label .label-purple } + +This is an experimental feature and is not recommended for use in a production environment. For updates on the progress of the feature or if you want to leave feedback, join the discussion on the [OpenSearch forum](https://forum.opensearch.org/). +{: .warning} + +The resource sharing and access control framework in the OpenSearch Security plugin provides *document-level*, fine-grained access management for plugin-defined resources. It extends OpenSearch's existing role-based access control by letting resource owners explicitly share individual resources with other principals. + +A _resource_ is a document stored in a plugin's system index. Resource sharing information is stored in a central security-managed system index. + +Resource sharing requires coordination between plugin developers, administrators, and users. Plugin developers must first implement resource sharing support in their plugins and define the resource types that can be shared (such as `ml-model-group` or `anomaly-detector`). Once plugins with resource sharing support are installed, administrators enable the feature cluster-wide and configure the resource types that use resource-level authorization. Finally, users can create and share resources through the UI or APIs, provided they have the necessary cluster permissions. + +This documentation is intended for **users** and **administrators** who want to configure and use resource sharing. If you are a **plugin developer** implementing resource sharing support for your plugin, see the [developer documentation](https://github.com/opensearch-project/security/blob/main/RESOURCE_SHARING_AND_ACCESS_CONTROL.md). + +Resource sharing enables the following operations: + +- **Resource owners** can share or revoke access to their resources. +- **Resource owners** can allow users with share permission to redistribute access. +- **Administrators** with superadmin privileges can view and manage all shareable resources. +- **All users** can search resource indexes with automatic per-user filtering applied by the Security plugin. + +## Configuring resource sharing + +Resource sharing is disabled by default. To configure resource sharing, follow these steps. + +Before configuring resource sharing, ensure that the plugins you want to use with resource sharing have implemented resource sharing support. If you need to add resource sharing support to a plugin, see the [developer documentation](https://github.com/opensearch-project/security/blob/main/RESOURCE_SHARING_AND_ACCESS_CONTROL.md). +{: .note} + +### Step 1: Enable resource sharing + +To enable resource sharing, add the following settings to the `opensearch.yml` file: + +```yaml +plugins.security.experimental.resource_sharing.enabled: true +plugins.security.system_indices.enabled: true +``` +{% include copy.html %} + +For more information, see [Experimental feature flags]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/experimental/). + +In OpenSearch 3.3, these settings can be updated only through `opensearch.yml` and require a cluster restart. + +Starting with OpenSearch 3.4, you can update both resource sharing settings dynamically without restarting the cluster: + +```json +PUT _cluster/settings +{ + "transient": { + "plugins.security.experimental.resource_sharing.enabled": true, + "plugins.security.experimental.resource_sharing.protected_types": ["sample-resource"] + } +} +``` +{% include copy-curl.html %} + +### Step 2: Configure protected resource types + +Specify the resource types that use resource-level authorization by listing them in the protected types configuration. This setting determines the plugin-defined resources that use the sharing and access control framework: + +```yaml +plugins.security.experimental.resource_sharing.protected_types: ["sample-resource", "ml-model"] +``` +{% include copy.html %} + +The resource types you specify must match exactly the resource types supported by your installed plugins. To discover the resource types available in your cluster, follow these steps: + +1. **Enable resource sharing** with an empty `protected_types` configuration initially. +2. **Use the [List resource types API]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/#list-resource-types)** to discover all available resource types from your installed plugins. +3. **Update your `protected_types` configuration** with the resource types you want to enable. + +## Example resource types + +The following are example resource types available for resource sharing: + +- **ML Commons plugin:** + - `ml-model-group` - Machine learning model groups + +- **Anomaly Detection plugin:** + - `anomaly-detector` - Anomaly detection jobs + - `forecaster` - Time series forecasting jobs + +Example configuration after discovering available types: + +```yaml +plugins.security.experimental.resource_sharing.protected_types: ["ml-model-group", "anomaly-detector", "forecaster"] +``` +{% include copy.html %} + +## Required permissions + +To access shared resources through plugin APIs, users need cluster-level permissions for those specific plugins. Administrators should configure appropriate roles in `roles.yml`. The following example shows the configuration for a `sample-resource-plugin`: + +```yaml +sample_full_access: + cluster_permissions: + - 'cluster:admin/sample-resource-plugin/*' + +sample_read_access: + cluster_permissions: + - 'cluster:admin/sample-resource-plugin/get' +``` +{% include copy.html %} + +Resource sharing does not automatically grant API access. To access a resource using the API, users must have both: + +1. Cluster permissions for the plugin APIs. +2. Resources shared with them through the sharing APIs. + +## Data model + +All sharing metadata (listed in the following table) is stored in a dedicated *security-owned* system index. + +| Field | Description | +|:---|:---| +| `resource_id` | The unique identifier of the resource. | +| `created_by` | The resource creator username (and tenant, if applicable). | +| `share_with` | The mapping of action groups to allowed principals. | +| `source_idx` | The resource index managed by the plugin. | + +This example shows a resource with ID `model-group-123` created by the user `bob` in the `analytics` tenant. The resource is shared with specific users, roles, and backend roles with read-only access: + +```json +{ + "resource_id": "model-group-123", + "created_by": { + "user": "bob", + "tenant": "analytics" + }, + "share_with": { + "read_only": { + "users": ["alice"], + "roles": ["data_viewer"], + "backend_roles": ["analytics_backend"] + } + } +} +``` +{% include copy.html %} + +In this example: + +- At read-only level: + + - Users: `alice` can access the resource. + + - Roles: Any user assigned the `data_viewer` role can access the resource. + + - Backend roles: Any user mapped to the `analytics_backend` backend role can access the resource. + +To make this resource public, set `users` to `["*"]`: + +```json +PATCH _plugins/_security/api/resource/share +{ + "resource_id": "model-group-123", + "resource_type": "ml-model-group", + "add": { + "read_only": { "users": ["*"] } + } +} +``` +{% include copy-curl.html %} + +To keep a resource private, make the `share_with` object empty: + +```json +PUT _plugins/_security/api/resource/share +{ + "resource_id": "model-group-123", + "resource_type": "ml-model-group", + "share_with": {} +} +``` +{% include copy-curl.html %} + +## REST APIs + +You can use resource sharing API operations to share resources, manage access permissions, and automate resource sharing workflows. + +For complete API documentation, see [Resource sharing APIs]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/). + +## Requirements and limitations + +To ensure proper resource sharing and access control, the following requirements and limitations apply: + +* Only resource owners, superadmins, or users explicitly granted sharing permissions can share or revoke access. +* All resources must reside in system indexes. +* System index protection must be enabled. +* Users still require plugin-level cluster permissions, including permission to create resources. +* Action groups must be defined in the plugin configuration. + + +## Best practices + +When managing resource sharing, administrators should follow these best practices: + +- Enable resource sharing on new clusters before usage. + +- Keep system index protection enabled. + +- Share resources minimally and explicitly to maintain security and control. + +## Related documentation + +- [Resource sharing APIs]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/) - REST API reference for programmatic management +- [Resource access management]({{site.url}}{{site.baseurl}}/dashboards/management/resource-sharing/) - UI workflows and user guidance +- [Sample resource plugin](https://github.com/opensearch-project/security/tree/main/src/test/java/org/opensearch/security/resources/sample) - Implementation examples in the security plugin repository +- [Developer documentation](https://github.com/opensearch-project/security/blob/main/RESOURCE_SHARING_AND_ACCESS_CONTROL.md) - Detailed technical documentation for plugin developers, users, and administrators diff --git a/_security/access-control/rest-layer-authz.md b/_security/access-control/rest-layer-authz.md index b882cf04e0..1c2c2cd06f 100644 --- a/_security/access-control/rest-layer-authz.md +++ b/_security/access-control/rest-layer-authz.md @@ -2,7 +2,7 @@ layout: default title: REST layer authorization parent: Access control -nav_order: 80 +nav_order: 85 --- diff --git a/_security/access-control/users-roles.md b/_security/access-control/users-roles.md index 2910477182..d5e115d5a2 100644 --- a/_security/access-control/users-roles.md +++ b/_security/access-control/users-roles.md @@ -2,7 +2,7 @@ layout: default title: Defining users and roles parent: Access control -nav_order: 85 +nav_order: 70 redirect_from: - /security/access-control/users-roles/ - /security-plugin/access-control/users-roles/