Is your feature request related to a problem?
We currently have AllowList.yml. However this isn't generally feasible for many use cases. A more reasonable use case is when a cluster admin wants to explicitly deny permission to a certain few endpoints. We should provide a mechanism to allow for this, instead of blocking all endpoints except for a few.
What solution would you like?
An equivalent to AllowList.yml, but for denial.
What alternatives have you considered?
None
Do you have any additional context?
No
cwperks added the triaged label and removed the untriaged label on Oct 28, 2024
[Triage] Thank you for filing this issue @derek-ho. Can you provide an example configuration?
Typically with security it's preferred to deny all by default and explicitly allow routes rather than the opposite. In what situations would a denylist be preferred over an allowlist?
cwperks removed the triaged label on Oct 28, 2024
@cwperks the main impetus for this issue is this thread on Slack: https://opensearch.slack.com/archives/C051Y637FKK/p1729457231761789. I think a common use case may be that a cluster admin wants to enable searching on data, but doesn't want users to perform actions like changing any cluster settings. That would be difficult today, where the only avenue is allowlisting, which means they would need to enumerate all common cluster operations instead of explicitly denying the ones they want to.
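The trade-off discussed in this thread, as an added example that is not part of the issue or the project's code: the same requests are evaluated against an allowlist and against a hypothetical denylist, so the fail-closed and fail-open outcomes for unlisted endpoints can be compared. The rule sets, the exact-path matching, the `normalize` helper and the sample requests are constructed assumptions, not the Security plugin's behaviour or file format.

```python
# Constructed rule sets: path -> HTTP methods. The denylist shape is hypothetical.
ALLOWLIST = {
    "/_search": {"GET", "POST"},
    "/_cluster/health": {"GET"},
}
DENYLIST = {
    "/_cluster/settings": {"PUT"},
}


def normalize(path):
    """Drop the query string and trailing slash so trivial variants match a rule."""
    path = path.split("?", 1)[0].rstrip("/")
    return path or "/"


def allowlist_permits(method, path):
    """Fail closed: a request passes only if its path and method are listed."""
    return method.upper() in ALLOWLIST.get(normalize(path), set())


def denylist_permits(method, path):
    """Fail open: a request passes unless its path and method are listed."""
    return method.upper() not in DENYLIST.get(normalize(path), set())


def compare(requests):
    """Return (method, path, allowlist verdict, denylist verdict) per request."""
    return [(m, p, allowlist_permits(m, p), denylist_permits(m, p))
            for m, p in requests]


# Constructed sample requests.
SAMPLE = [
    ("POST", "/_search"),              # permitted by both models
    ("PUT", "/_cluster/settings"),     # blocked by both models
    ("PUT", "/_cluster/settings/"),    # trailing slash must not bypass the rule
    ("GET", "/_cat/indices"),          # unlisted: allowlist forces enumeration
    ("POST", "/_cluster/reroute"),     # unlisted cluster change: denylist lets it through
]

if __name__ == "__main__":
    print(f"{'request':<32}{'allowlist':<12}denylist")
    for method, path, allow_ok, deny_ok in compare(SAMPLE):
        print(f"{method + ' ' + path:<32}{str(allow_ok):<12}{deny_ok}")
```

The last two rows carry both sides of the discussion: the allowlist blocks every endpoint the admin has not enumerated, while the denylist permits any cluster-changing endpoint the admin did not think to list.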