Support authorised access to Data Sources #6328
Comments
@bandinib-amzn could you help to take a look?

In general, data access policy should be managed by the remote database itself. Who (the principal) has what permission/access to what data is not part of the datasource and won't be part of the datasource. We do respect the existing access policy. Hope this helps clarify.

Sharing identity and principal only happens when both OSD and the datasource are using the same identity provider. Most of the time this might not be feasible, e.g. OSD might use OIDC for SSO while the backend uses user/password.
Hey @seraphjiang

Maybe I'm misunderstanding, but this doesn't seem to be working for me on Opensearch 2.11.1 then. On the cluster with
which is correct: the user I'm logged in as on the remote cluster doesn't have permission to do that. Note that I am logged into both Opensearch Dashboards instances with the same principal using OIDC. I think you can also see this behaviour at: https://playground.opensearch.org/app/dev_tools#/console If you go there and run
where
In order to support passing a credential through from upstream to downstream securely, OSD needs to encrypt the credential and the downstream needs to be able to decrypt it. We could see if there is more need for this feature request.
Is your feature request related to a problem? Please describe.
The Data Sources feature is great; however, it currently doesn't seem to be possible to control an individual user's access to data in remote data sources.
Describe the solution you'd like
It would be great if access to remote Opensearch data sources was granted based on the principal of the logged-in user and any roles they have mapped in the remote cluster.
Describe alternatives you've considered
Using the current solution, which uses the roles that are mapped to the user configured on the data source. However, we need to be able to restrict a user's access to be the same as if they were actually logged into the remote cluster.
Additional context
N/A