Is your feature request related to a problem?
We are using filtering by backend roles to control access to alerting objects. As the documentation describes, the plugin has a hard-coded condition for controlling how user backend roles are evaluated to determine access:
"Now when users view alerting resources in OpenSearch Dashboards (or make REST API calls), they only see monitors and destinations that are created by users who share at least one backend role."
We can see this condition coded into the plugin here: https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/transport/SecureTransportAction.kt#L125.
Instead of allowing users who share one backend role to see each other's objects, we would like to enforce that users can only see monitors and destinations for users who share all backend roles.
What solution would you like?
I would like a setting to be added that allows users to control how access by backend role is enforced for alerting objects.
The setting could be called filter_by_backend_roles_access_strategy (or something) and could have the possible values:
intersect - This is the current behavior where users must share at least one backend role to see each other's monitors and destinations.
all - This would be the new behavior where users must share all backend roles to see each other's monitors and destinations.
I imagine that this new setting could be added to https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/settings/AlertingSettings.kt.
Based on the value of this setting, the logic in the code around https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/transport/SecureTransportAction.kt#L125 would change.
What alternatives have you considered?
If the alerting plugin used tenant aware storage for monitors and destinations, then this change would not be necessary. See opensearch-project/alerting-dashboards-plugin#708
Do you have any additional context?
Add any other context or screenshots about the feature request here.
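Added example, not part of the original issue and not code from the alerting plugin: a sketch of how the two proposed strategy values could evaluate a viewer's backend roles against the roles of the user who created an object. The names `AccessStrategy` and `canAccess`, the reading of "all" as "the viewer holds every backend role of the creator", the deny-on-empty rule, and the sample role names are assumptions made for illustration.

```kotlin
// Illustration only; not the plugin's SecureTransportAction logic.
// Strategy names follow the values proposed in the issue.
enum class AccessStrategy { INTERSECT, ALL }

/**
 * Returns true when a viewer may see an object created by a user with ownerRoles.
 * Assumption: a user with no backend roles never matches. Without this guard,
 * containsAll(emptySet) is vacuously true and an object whose creator had no
 * backend roles would be visible to every user under ALL.
 */
fun canAccess(
    strategy: AccessStrategy,
    viewerRoles: Set<String>,
    ownerRoles: Set<String>
): Boolean {
    if (viewerRoles.isEmpty() || ownerRoles.isEmpty()) return false
    return when (strategy) {
        // Behavior described in the issue as current: at least one shared role.
        AccessStrategy.INTERSECT -> viewerRoles.any { it in ownerRoles }
        // Assumed reading of "share all backend roles": the viewer holds every
        // role of the creator. A stricter reading would require
        // viewerRoles == ownerRoles, which also hides the object from viewers
        // who hold additional roles.
        AccessStrategy.ALL -> viewerRoles.containsAll(ownerRoles)
    }
}

fun main() {
    // Constructed sample data: role names are hypothetical.
    val owner = setOf("team-a", "security")
    val viewers = listOf(
        "same roles" to setOf("team-a", "security"),
        "one shared role" to setOf("team-a", "finance"),
        "superset of creator" to setOf("team-a", "security", "finance"),
        "no backend roles" to emptySet<String>()
    )
    for ((label, roles) in viewers) {
        val intersect = canAccess(AccessStrategy.INTERSECT, roles, owner)
        val all = canAccess(AccessStrategy.ALL, roles, owner)
        println("$label: intersect=$intersect all=$all")
    }
}
```

The "one shared role" viewer is the case the request targets: visible under intersect, hidden under all.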