[FEATURE] Create DenyList.yml #4842

Open
derek-ho opened this issue Oct 24, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@derek-ho
Collaborator

Is your feature request related to a problem?
We currently have AllowList.yml. However, this isn't generally feasible for many use cases. A more reasonable use case is when a cluster admin wants to explicitly deny permission to a certain few endpoints. We should provide a mechanism to allow for this, instead of blocking all endpoints except for a few.
What solution would you like?
An equivalent to AllowList.yml, but for denial.
What alternatives have you considered?
None
Do you have any additional context?
No

@derek-ho derek-ho added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Oct 24, 2024
@cwperks cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Oct 28, 2024
@cwperks
Member

cwperks commented Oct 28, 2024

[Triage] Thank you for filing this issue @derek-ho. Can you provide an example configuration?

Typically with security it's preferred to deny all by default and explicitly allow routes than the opposite. In what situations would a denylist be preferred to an allowlist?

@cwperks cwperks removed the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Oct 28, 2024
@derek-ho
Collaborator Author

@cwperks the main impetus for this issue is this thread on the slack: https://opensearch.slack.com/archives/C051Y637FKK/p1729457231761789. I think a common use case may be that a cluster admin wants to enable searching on data, but doesn't want users to perform actions like changing any cluster settings. That would be difficult today, where the only avenue is allowlisting, which means they would need to enumerate all common cluster operations instead of explicitly denying the ones they want to.
