Adds documentation for REST admin API permissions feature #4257
Conversation
DarshitChanpura
requested review from
cwillum,
hdhalter,
kolchfa-aws,
Naarcha-AWS,
vagimeli,
ananzh,
seanneumann,
AMoo-Miki and
natebower
as code owners
_security/access-control/api.md
Outdated
| @@ -36,6 +36,37 @@ plugins.security.restapi.endpoints_disabled.<role>.<endpoint>: ["<method>", ...] | |||
| ``` | |||
| {% include copy.html %} | |||
|
|
|||
| You can also control access to specific rest APIs via roles. Here is an example role which allows access to all endpoints supported by this feature currently: | |||
There was a problem hiding this comment.
| You can also control access to specific rest APIs via roles. Here is an example role which allows access to all endpoints supported by this feature currently: | |
| You can also control access to specific rest APIs using roles. Here is an example `cluster_permissions` lists which allows access to all endpoints supported by this feature: |
DarshitChanpura
force-pushed
the
restadmin-permissions
branch
from
4e08f8c
to
66b8836
Compare
|
@cwillum @Naarcha-AWS Would you please re-review this? |
There was a problem hiding this comment.
@DarshitChanpura A huge thanks for taking charge on this and getting the documentation going. See my comments and let me know if you want to talk about adding a new doc PR to include a table in Permissions that describes the new REST permissions.
_security/access-control/api.md
Outdated
| @@ -36,6 +36,37 @@ plugins.security.restapi.endpoints_disabled.<role>.<endpoint>: ["<method>", ...] | |||
| ``` | |||
| {% include copy.html %} | |||
|
|
|||
| You can also control access to specific rest APIs using roles. Here is an example list `cluster_permissions` that you can attach to a role which will allow access to all endpoints supported by this feature: | |||
There was a problem hiding this comment.
| You can also control access to specific rest APIs using roles. Here is an example list `cluster_permissions` that you can attach to a role which will allow access to all endpoints supported by this feature: | |
| Roles also allow you to control access to specific REST APIs. You can add individual or multiple cluster permissions to a role and grant users access to associated APIs when they are mapped to the role. The following list of cluster permissions includes the endpoints that correspond to the Security REST APIs: |
It would also be nice to have these in table format with descriptions for each so users know exactly which APIs can be accessed when one is added to the role. Something like the table in Security Analytics permissions.
What do you think about cutting a new PR off this issue? Otherwise, we could create a new doc issue.
_security/access-control/api.md
Outdated
| @@ -36,6 +36,37 @@ plugins.security.restapi.endpoints_disabled.<role>.<endpoint>: ["<method>", ...] | |||
| ``` | |||
| {% include copy.html %} | |||
|
|
|||
| You can also control access to specific rest APIs using roles. Here is an example list `cluster_permissions` that you can attach to a role which will allow access to all endpoints supported by this feature: | |||
| ```yml | |||
There was a problem hiding this comment.
Since this section is all about APIs, I think we should simply list these in bullets, not provide a YAML config example.
- restapi:admin/actiongroups
- restapi:admin/allowlist
- restapi:admin/internalusers
- restapi:admin/nodesdn
- restapi:admin/roles
- restapi:admin/rolesmapping
- restapi:admin/ssl/certs/info
- restapi:admin/ssl/certs/reload
- restapi:admin/tenants
_security/access-control/api.md
Outdated
| - 'restapi:admin/ssl/certs/reload' | ||
| - 'restapi:admin/tenants' | ||
| ``` | ||
| You can add/remove these as required to your role definition. It currently supports access control to these 9 endpoints: |
There was a problem hiding this comment.
Again, it might be more helpful to describe the corresponding APIs rather than list the endpoints, which are obvious in the cluster permissions. Rather than list them here, maybe we can have them in a table in the "Cluster permissions" documentation, like I mentioned above?
| Permission | Description |
|---|---|
| restapi:admin/actiongroups | Permission to get, delete, create, and patch actions groups |
| restapi:admin/allowlist | Permission to add any endpoints and HTTP requests to a list of allowed endpoints and requests. |
| restapi:admin/nodesdn | Permission to add, retrieve, update, or delete any distinguished names from an allow list and enable communication between clusters and/or nodes. |
I know we have an allowlist.yml config file. But I don't know how you would use the REST API to configure that. I don't see that API in this section.
There was a problem hiding this comment.
its to dynamically update allowlist via APIs
| @@ -393,3 +393,19 @@ These permissions apply to an index or index pattern. You might want a user to h | |||
| - indices:monitor/shard_stores | |||
| - indices:monitor/stats | |||
| - indices:monitor/upgrade | |||
|
|
|||
|
|
|||
| ## Rest Permissions | |||
There was a problem hiding this comment.
| ## Rest Permissions | |
| ## REST Permissions |
Are these Security specific?
If yes, maybe "Security REST permissions".
There was a problem hiding this comment.
Yes, since these APIs are security specific, so are these permissions. However, style check fails if I say REST instead of Rest
There was a problem hiding this comment.
If this stands for "Representational State Transfer" API, you can disregard the style check and capitalize. But if this refers to the rest layer (versus transit layer), it's my fault and it should stay Security rest permissions. Thanks.
| @@ -1336,6 +1369,29 @@ PUT _plugins/_security/api/nodesdn/<cluster-name> | |||
| } | |||
| ``` | |||
|
|
|||
| ### Update all distinguished names | |||
There was a problem hiding this comment.
How does this differ from "Update distinguished names" using a PUT call? Just a brief blurb describing the API.
_security/access-control/api.md
Outdated
| @@ -1336,6 +1369,29 @@ PUT _plugins/_security/api/nodesdn/<cluster-name> | |||
| } | |||
| ``` | |||
|
|
|||
| ### Update all distinguished names | |||
| #### Request | |||
There was a problem hiding this comment.
Can we add a table before the Request for request fields? They might be obvious to most people (I'm not in that group). But if we can add some more description ...
Request fields
You can specify the following fields when updating all DNs.
| Field | Type | Description |
|---|---|---|
op |
String | Operation to be performed. Options include remove, ... Required. |
path |
String | Path to the target distinguished name to be updated. Required. |
Are these fields defined some way to update all? Does the 0 in the path update all?
And then "#### Request" would follow after this heading.
Update: just wanted to add the resource that this comment is based on. We created an API style guide end of last year to help us format API documentation and keep it consistent. API Style Guide
_security/access-control/api.md
Outdated
| } | ||
| ``` | ||
|
|
||
| ### Reload http certificates |
There was a problem hiding this comment.
upon replacing with capitals, style check failed.
There was a problem hiding this comment.
If it refers to "HyperText Transfer Protocol", capitalization is good. When http points to a setting or something else in the code, we leave it without capitalization to show how it's represented as a component of the code.
We're still working out the kinks with the style check. Thanks.
| ## Rest Permissions | ||
|
|
||
| These permissions apply to rest APIs to control access to the endpoints. Granting access to any of these will allow access to change the crucial operational components of Security plugin. | ||
| NOTE: Allowing access to these endpoints can trigger operational changes in the cluster. Proceed with caution. |
There was a problem hiding this comment.
| NOTE: Allowing access to these endpoints can trigger operational changes in the cluster. Proceed with caution. | |
| Allowing access to these endpoints has the potential to trigger operational changes in the cluster. Proceed with caution. | |
| {: .warning } |
You can add the Liquid tag below and it will format this as a warning. Since you can really mess things up, I think warning is suitable.
|
|
||
| These permissions apply to rest APIs to control access to the endpoints. Granting access to any of these will allow access to change the crucial operational components of Security plugin. | ||
| NOTE: Allowing access to these endpoints can trigger operational changes in the cluster. Proceed with caution. | ||
|
|
There was a problem hiding this comment.
If these are cluster permissions, let's format them like the others in the Permissions documentation and add them in the section above index permissions, Cluster permissions. So, the whole enchilada:
Security REST API permissions
Allowing access to these endpoints has the potential to trigger operational changes in the cluster. Proceed with caution.
{: .warning }
See API for more information about Security REST APIs.
- cluster:restapi:admin/actiongroups
- cluster:restapi:admin/allowlist
- cluster:restapi:admin/internalusers
- cluster:restapi:admin/nodesdn
- cluster:restapi:admin/roles
- cluster:restapi:admin/rolesmapping
- cluster:restapi:admin/ssl/certs/info
- cluster:restapi:admin/ssl/certs/reload
- cluster:restapi:admin/tenants
There was a problem hiding this comment.
these permissions are not prefixed with cluster:, so these should be fine.
|
@DarshitChanpura Was thinking about this. It will take a little time to format this according to the doc team's style guide, which isn't your job. I'll look into how we do a hand off (or something similar) at the start of next week. Thanks again for getting this into documentation. |
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
force-pushed
the
restadmin-permissions
branch
from
fbc179d
to
7750487
Compare
_security/access-control/api.md
Outdated
|
|
||
| | **Permission** | **APIs Granted** | **Description** | | ||
| |:-------------------------------|:---------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | restapi:admin/actiongroups | `/actiongroup` & `/actiongroups` | Permission to get, delete, create, and patch actions groups (including bulk updates) | |
There was a problem hiding this comment.
| | restapi:admin/actiongroups | `/actiongroup` & `/actiongroups` | Permission to get, delete, create, and patch actions groups (including bulk updates) | | |
| | restapi:admin/actiongroups | `/actiongroup` & `/actiongroups` | Permission to get, delete, create, and patch actions groups (including bulk updates). | |
_security/access-control/api.md
Outdated
| Roles also allow you to control access to specific REST APIs. You can add individual or multiple cluster permissions to a role and grant users access to associated APIs when they are mapped to the role. The following list of cluster permissions includes the endpoints that correspond to the Security REST APIs: | ||
|
|
||
| | **Permission** | **APIs Granted** | **Description** | | ||
| |:-------------------------------|:---------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------| |
There was a problem hiding this comment.
You don't need to add extra spaces or "filler" dashes to make tables render properly in the markdown. And the headings should automatically be boldface, too, without having to add the double asterisks. This should do it:
| Permission | APIs Granted | Description |
| :--- | :--- | :--- |
| Permission 1 | allowlist | Does this and that |
| Permission | APIs Granted | Description |
|---|---|---|
| Permission 1 | allowlist |
Does this and that |
There was a problem hiding this comment.
These were auto-generated by my IDE. I guess for better readability
_security/access-control/api.md
Outdated
| |:-------------------------------|:---------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | restapi:admin/actiongroups | `/actiongroup` & `/actiongroups` | Permission to get, delete, create, and patch actions groups (including bulk updates) | | ||
| | restapi:admin/allowlist | `/allowlist` | Permission to add any endpoints and HTTP requests to a list of allowed endpoints and requests. | | ||
| | restapi:admin/internalusers | `/internaluser` & `/user` | Permission to add, retrieve, modify and delete any user in the cluster | |
There was a problem hiding this comment.
It's a hassle. But we follow the "Oxford comma" rule: a comma between all elements of a list. As below.
| | restapi:admin/internalusers | `/internaluser` & `/user` | Permission to add, retrieve, modify and delete any user in the cluster | | |
| | restapi:admin/internalusers | `/internaluser` & `/user` | Permission to add, retrieve, modify, and delete any user in the cluster. | |
Global comment.
_security/access-control/api.md
Outdated
| | restapi:admin/allowlist | `/allowlist` | Permission to add any endpoints and HTTP requests to a list of allowed endpoints and requests. | | ||
| | restapi:admin/internalusers | `/internaluser` & `/user` | Permission to add, retrieve, modify and delete any user in the cluster | | ||
| | restapi:admin/nodesdn | `/nodesdn` | Permission to add, retrieve, update, or delete any distinguished names from an allow list and enable communication between clusters and/or nodes. | | ||
| | restapi:admin/roles | `/roles` | Permission to add, retrieve, modify and delete any roles in the cluster | |
There was a problem hiding this comment.
| | restapi:admin/roles | `/roles` | Permission to add, retrieve, modify and delete any roles in the cluster | | |
| | restapi:admin/roles | `/roles` | Permission to add, retrieve, modify, and delete any roles in the cluster. | |
_security/access-control/api.md
Outdated
| | restapi:admin/internalusers | `/internaluser` & `/user` | Permission to add, retrieve, modify and delete any user in the cluster | | ||
| | restapi:admin/nodesdn | `/nodesdn` | Permission to add, retrieve, update, or delete any distinguished names from an allow list and enable communication between clusters and/or nodes. | | ||
| | restapi:admin/roles | `/roles` | Permission to add, retrieve, modify and delete any roles in the cluster | | ||
| | restapi:admin/rolesmapping | `/rolesmapping` | Permission to add, retrieve, modify and delete any roles-mapping | |
There was a problem hiding this comment.
| | restapi:admin/rolesmapping | `/rolesmapping` | Permission to add, retrieve, modify and delete any roles-mapping | | |
| | restapi:admin/rolesmapping | `/rolesmapping` | Permission to add, retrieve, modify, and delete any roles-mapping. | |
| { | ||
| "op":"remove", | ||
| "path":"/cluster1/nodes_dn/0" | ||
| } |
There was a problem hiding this comment.
Is it possible to add a mock value to the example:
"value": "CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM", "CN=George Wall,CN=admin,DC=corp,DC=Fabrikam,DC=COM",
There was a problem hiding this comment.
yes, but since this is a remove operation we don't need it. If we want to add a sample value, I will change the example
_security/access-control/api.md
Outdated
|
|
||
| | Field | Data Type | Description | | ||
| |:--------|:----------|:----------------------------------------------------------------------------------| | ||
| | status | string | Indicates the status of the operation. Possible values: "OK" or an error message. | |
There was a problem hiding this comment.
| | status | string | Indicates the status of the operation. Possible values: "OK" or an error message. | | |
| | status | String | Indicates the status of the operation. Possible values: "OK" or an error message. | |
_security/access-control/api.md
Outdated
| | Field | Data Type | Description | | ||
| |:--------|:----------|:----------------------------------------------------------------------------------| | ||
| | status | string | Indicates the status of the operation. Possible values: "OK" or an error message. | | ||
| | message | string | Additional information about the operation. | |
There was a problem hiding this comment.
| | message | string | Additional information about the operation. | | |
| | message | String | Additional information about the operation. | |
| } | ||
| ``` | ||
|
|
||
| #### Response fields |
There was a problem hiding this comment.
I think it's fine to leave this table. But the example response is probably self explanatory for this. It can stay or go.
There was a problem hiding this comment.
I followed the API Style Guide. Let's keep it?
|
|
||
| ## Security REST permissions | ||
|
|
||
| These permissions apply to rest APIs to control access to the endpoints. Granting access to any of these will allow access to change the crucial operational components of Security plugin. |
There was a problem hiding this comment.
| These permissions apply to rest APIs to control access to the endpoints. Granting access to any of these will allow access to change the crucial operational components of Security plugin. | |
| These permissions apply to REST APIs to control access to the endpoints. Granting access to any of these will allow a user permission to change fundamental operational components of the Security plugin. |
OK?
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
| { | ||
| "op":"remove", | ||
| "path":"/cluster1/nodes_dn/0" | ||
| } |
|
@DarshitChanpura Merging now. Thanks! |
cwillum
added
security
release-notes
kolchfa-aws
changed the title
…-project#4257) * Adds documentation for rest admin api permissions feature Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Address PR feedback Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Address CI check failure Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Addresses PR feedback Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes grammar and styles Signed-off-by: Darshit Chanpura <dchanp@amazon.com> --------- Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
* Adds documentation for rest admin api permissions feature Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Address PR feedback Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Address CI check failure Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Addresses PR feedback Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes grammar and styles Signed-off-by: Darshit Chanpura <dchanp@amazon.com> --------- Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Issues Resolved
Resolves #4256
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.