Limit Service Account Permission #2

Open
6 tasks
RyanL1997 opened this issue Oct 27, 2023 · 0 comments
Labels
enhancement New feature or request untriaged


RyanL1997 commented Oct 27, 2023

Limit Service Account Permission

Exit Criteria

When the system index permission is enabled, service accounts do not have access to non-system indices.

Check List

  • modify authz workflow to filter out all permissions other than index permissions with system index grant
  • add/modify test case that confirms cluster-wide permissions are not accessible
  • add/modify test case where index permissions without system index grant are filtered out
    • disable the system index permission
    • enable the system index permission, but try to access a non-system index
  • add/modify test case where index permissions with system index grant are allowed (happy path)

Service Account Permissions Manual Testing Flow

Since the service account will have a randomly generated password, it is nice to hardcode a static password in UserService. The following test will use TestSevAccPassword123## admin-extension.

1. Spin up a cluster

Spin up a cluster with plugins.security.system_indices.permission.enabled: true in opensearch.yml

2. Create a role called access_all

curl -X PUT "https://localhost:9200/_plugins/_security/api/roles/testrole?pretty" -u "admin:admin" -H 'Content-Type: application/json' -k -d '
{
    "description" : "Allow full access to all indices and all cluster APIs",
    "cluster_permissions" : [
      "*"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "*",
          "system:admin/system_index"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "*"
        ],
        "allowed_actions" : [
          "kibana_all_write"
        ]
      }
    ]
}'

3. Create a service account with the above role mapped

curl -XPUT "https://localhost:9200/_plugins/_security/api/internalusers/admin-extension" -H 'Content-Type: application/json' -d'
{
 "opendistro_security_roles": ["testrole"],
 "backend_roles": [],
 "attributes": {
  "enabled": "true",
  "service": "true"
 }
}' -u "admin:admin" --insecure | jq

4. Create two indices (one system index + one non-system index) with admin credentials

non-system index:

curl -X PUT "https://localhost:9200/test_index" -u "admin:admin" -H "Content-Type: application/json" -d '{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "properties": {
      "message": {
        "type": "text"
      }
    }
  }
}' -k

system index:

curl -X PUT "https://localhost:9200/.test-sys-index" -u "admin:admin" -H "Content-Type: application/json" -d '{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "properties": {
      "message": {
        "type": "text"
      }
    }
  }
}' -k

can be verified by:

curl -X GET "https://localhost:9200/_cat/indices?v&pretty" -u "admin:admin" -k

5. [maybe optional] Write into both indices with admin credentials

test_index:

curl -X POST "https://localhost:9200/test_index/_doc?pretty" -u "admin:admin" -H 'Content-Type: application/json' -d '
{
  "name": "John Doe",
  "age": 30,
  "email": "[email protected]"
}
' -k

.test-sys-index:

curl -X POST "https://localhost:9200/.test-sys-index/_doc?pretty" -u "admin:admin" -H 'Content-Type: application/json' -d '
{
  "name": "John Doe",
  "age": 30,
  "email": "[email protected]"
}
' -k

6. Add .test-sys-index to the system indices list

Add .test-sys-index to the system indices list in opensearch.yml. After that, reboot the cluster.

7. Try to read both indices with the service account user credentials

Success (system index):

curl -XGET "https://localhost:9200/.test-sys-index" -u "admin-extension:admin-extension" -H 'Content-Type: application/json' -k | jq

Fail (non-system index):

curl -XGET "https://localhost:9200/test_index" -u "admin-extension:admin-extension" -H 'Content-Type: application/json' -k | jq
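An added Python model of the filtering rule from the checklist and the expected results of step 7; this is example code written for this page, not the security plugin's own implementation. The role body is the one from step 2, the system indices list mirrors step 6, and the function names and the `enabled` flag standing in for plugins.security.system_indices.permission.enabled are constructed.

```python
from fnmatch import fnmatch

# Action that marks an index permission as a system index grant (from step 2).
SYSTEM_INDEX_ACTION = "system:admin/system_index"

# Role body from step 2 of the issue (created under the name "testrole").
TESTROLE = {
    "cluster_permissions": ["*"],
    "index_permissions": [
        {"index_patterns": ["*"], "allowed_actions": ["*", SYSTEM_INDEX_ACTION]},
    ],
    "tenant_permissions": [
        {"tenant_patterns": ["*"], "allowed_actions": ["kibana_all_write"]},
    ],
}

def filter_service_account_role(role, system_index_permission_enabled):
    """Apply the checklist rule: for a service account keep only index
    permissions that carry the system index grant; drop cluster-wide and
    tenant permissions. With the feature disabled nothing survives."""
    if not system_index_permission_enabled:
        kept = []
    else:
        kept = [p for p in role.get("index_permissions", [])
                if SYSTEM_INDEX_ACTION in p.get("allowed_actions", [])]
    return {"cluster_permissions": [], "index_permissions": kept,
            "tenant_permissions": []}

def service_account_has_cluster_permission(role, action, enabled=True):
    """Cluster-wide actions are never reachable for a service account."""
    filtered = filter_service_account_role(role, enabled)
    return any(fnmatch(action, p) for p in filtered["cluster_permissions"])

def service_account_may_access(role, index, system_indices, enabled=True):
    """Read access for a service account: the index must be a registered
    system index (step 6 adds .test-sys-index to opensearch.yml) and a
    surviving permission's pattern must match it. A non-system index is
    denied even though the role's pattern "*" matches it (step 7)."""
    if not any(fnmatch(index, s) for s in system_indices):
        return False
    filtered = filter_service_account_role(role, enabled)
    return any(fnmatch(index, pat)
               for perm in filtered["index_permissions"]
               for pat in perm["index_patterns"])

if __name__ == "__main__":
    sys_idx = [".test-sys-index"]  # constructed: mirrors step 6
    print(service_account_may_access(TESTROLE, ".test-sys-index", sys_idx))  # True
    print(service_account_may_access(TESTROLE, "test_index", sys_idx))       # False
```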