[FEATURE] Dual control in Opensearch and Opensearch Dashboards

[chaitrahegde115]

Is your feature request related to a problem?
There is a security requirement for supporting dual control.

What solution would you like?
`Explanation - Separation of duties may be also achieved by dual control, in which carrying out a single task requires approval of two authorized persons.

Here as far as I know separation of duties can be achieved via Roles. Additionally is there any plan to support dual control in Opensearch where a critical task requires approval of two authorized persons?`

[peternied]

@chaitrahegde115 Thanks for creating this feature request. Could you provide more context to your scenario, maybe an example of the kinds of scenario you have today - and how you'd like to see that scenario work after this feature has been added?

[scrawfor99]

[Triage] Hi @chaitrahegde115, thank you for filing this feature request. As a follow-up please provide your input to what @peternied commented last week. Could you provide further explanation to the feature you are requesting and what type of implementations you would like to see? Thank you.

[chaitrahegde115]

Hi,
On a high level consider I have a crucial data stored in some indices of Opensearch. If a user has index level permission(apart from admin user) if he tries to delete the index then it allows user to delete that index. If there is dual control, then it should ask admin user / similar to admin user to authenticate the process of deletion performed by that user.

[peternied]

@chaitrahegde115 Thanks for the additional detail. I don't think this feature is in scope for the current vision of the security plugin, but I do see the overlap and we could be interested in reviewing a more detailed design or draft pull request if you'd like to build out this feature.

[davidlago]

Closing for now, let's reopen once a more detailed proposal takes shape.