Limit Service Account Permission
Opened this issue · 0 comments
RyanL1997 commented
Limit Service Account Permission
Exit Criteria
When the system index permission is enabled, service accounts do not have access to non-system indices.
Check List
- modify the authz workflow to filter out all permissions other than index permissions carrying the system index grant
- add/modify a test case that confirms cluster-wide permissions are not accessible
- add/modify a test case where index permissions without the system index grant are filtered out
- disable the system index permission
- enable the system index permission, but try to access a non-system index
- add/modify a test case where index permissions with the system index grant are allowed (happy path)
Service Account Permissions Manual Testing Flow
Since the service account will have a randomly generated password, it is convenient to hardcode a static password in UserService. The following test will use TestSevAccPassword123##
admin-extension
1. Spin up a cluster
Spin up a cluster with plugins.security.system_indices.permission.enabled: true in opensearch.yml
2. Create a role called access_all
curl -X PUT "https://localhost:9200/_plugins/_security/api/roles/testrole?pretty" -u "admin:admin" -H 'Content-Type: application/json' -k -d '
{
  "description" : "Allow full access to all indices and all cluster APIs",
  "cluster_permissions" : [
    "*"
  ],
  "index_permissions" : [
    {
      "index_patterns" : [
        "*"
      ],
      "fls" : [ ],
      "masked_fields" : [ ],
      "allowed_actions" : [
        "*",
        "system:admin/system_index"
      ]
    }
  ],
  "tenant_permissions" : [
    {
      "tenant_patterns" : [
        "*"
      ],
      "allowed_actions" : [
        "kibana_all_write"
      ]
    }
  ]
}'
3. Create a service account with the above role mapped
curl -XPUT "https://localhost:9200/_plugins/_security/api/internalusers/admin-extension" -H 'Content-Type: application/json' -d'
{
  "opendistro_security_roles": ["testrole"],
  "backend_roles": [],
  "attributes": {
    "enabled": "true",
    "service": "true"
  }
}' -u "admin:admin" --insecure | jq
4. Create two indices (one system index + one non-system index) with admin credentials
non-system index:
curl -X PUT "https://localhost:9200/test_index" -u "admin:admin" -H "Content-Type: application/json" -d '{
"settings": {
"number_of_shards": 1,
"number_of_replicas": 0
},
"mappings": {
"properties": {
"message": {
"type": "text"
}
}
}
}' -k
system index:
curl -X PUT "https://localhost:9200/.test-sys-index" -u "admin:admin" -H "Content-Type: application/json" -d '{
"settings": {
"number_of_shards": 1,
"number_of_replicas": 0
},
"mappings": {
"properties": {
"message": {
"type": "text"
}
}
}
}' -k
This can be verified with:
curl -X GET "https://localhost:9200/_cat/indices?v&pretty" -u "admin:admin" -k
5. [maybe optional] Write into both indices with admin credentials
test_index:
curl -X POST "https://localhost:9200/test_index/_doc?pretty" -u "admin:admin" -H 'Content-Type: application/json' -d '
{
"name": "John Doe",
"age": 30,
"email": "john.doe@example.com"
}
' -k
.test-sys-index:
curl -X POST "https://localhost:9200/.test-sys-index/_doc?pretty" -u "admin:admin" -H 'Content-Type: application/json' -d '
{
"name": "John Doe",
"age": 30,
"email": "john.doe@example.com"
}
' -k
6. Add .test-sys-index into the system indices list
Add .test-sys-index to the system indices list (plugins.security.system_indices.indices) in opensearch.yml. After that, reboot the cluster.
7. Try to read both indices with the service account user credentials
Success (system index):
curl -XGET "https://localhost:9200/.test-sys-index" -u "admin-extension:admin-extension" -H 'Content-Type: application/json' -k | jq
Fail (non-system index):
curl -XGET "https://localhost:9200/test_index" -u "admin-extension:admin-extension" -H 'Content-Type: application/json' -k | jq
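The check list above and the manual flow describe the same filtering rule: a service account keeps no cluster permissions and only those index permissions that carry the system index grant, and even then it can only reach indices registered as system indices. The following is an added model of that rule, written here to make the expected outcome of each check list item explicit; it is not the security plugin's code, the function names are assumptions, and the behaviour with the feature flag disabled (service account keeps nothing) is assumed rather than taken from the issue.

```python
from fnmatch import fnmatchcase

SYSTEM_INDEX_GRANT = "system:admin/system_index"

# Role from the issue (testrole), reduced to the fields the filter looks at.
TESTROLE = {
    "cluster_permissions": ["*"],
    "index_permissions": [
        {"index_patterns": ["*"], "allowed_actions": ["*", SYSTEM_INDEX_GRANT]},
    ],
}
# Constructed variant: same role without the grant, so nothing should survive.
TESTROLE_NO_GRANT = {
    "cluster_permissions": ["*"],
    "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["*"]}],
}
# Indices registered as system indices in opensearch.yml (step 6 of the flow).
SYSTEM_INDICES = {".test-sys-index"}


def filter_service_account_role(role, system_index_permission_enabled=True):
    """Return what a service account keeps from a role: no cluster permissions,
    and only index permissions that carry the system index grant. Assumption:
    with the feature flag off, the service account keeps nothing."""
    if not system_index_permission_enabled:
        return {"cluster_permissions": [], "index_permissions": []}
    kept = [p for p in role.get("index_permissions", [])
            if SYSTEM_INDEX_GRANT in p.get("allowed_actions", [])]
    return {"cluster_permissions": [], "index_permissions": kept}


def cluster_action_allowed(filtered, action):
    """Cluster-wide actions must never be reachable for a service account."""
    return any(fnmatchcase(action, p) for p in filtered["cluster_permissions"])


def index_action_allowed(filtered, index, action, system_indices=SYSTEM_INDICES):
    """Allowed only if the target is a registered system index and a kept
    permission matches both the index pattern and the action."""
    if index not in system_indices:
        return False
    for perm in filtered["index_permissions"]:
        if any(fnmatchcase(index, pat) for pat in perm["index_patterns"]) and \
           any(fnmatchcase(action, a) for a in perm["allowed_actions"]):
            return True
    return False


if __name__ == "__main__":
    f = filter_service_account_role(TESTROLE)
    print(index_action_allowed(f, ".test-sys-index", "indices:data/read/get"))  # True
    print(index_action_allowed(f, "test_index", "indices:data/read/get"))       # False
```

The two calls at the bottom mirror step 7 of the manual flow: the read of .test-sys-index succeeds and the read of test_index fails for the admin-extension service account.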