[BLOG] Under the hood: Designing resource-level access control in OpenSearch #4032
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
Thank you for submitting a blog post! The blog post review process is: Submit a PR -> (Optional) Peer review -> Doc review -> Editorial review -> Marketing review -> Published.
Hi @DarshitChanpura, It looks like you're adding a new blog post but don't have an issue mentioned. Please link this PR to an open issue using one of these keywords in the PR description:
If an issue hasn't been created yet, please create one and then link it to this PR.
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
natebower
left a comment
Editorial review
|
|
||
| * Sharing detectors with specific users and roles. | ||
| * Displaying accessible resources and resharing permissions for the current user. | ||
| * Listing all available resource types and their corresponding access levels. |
| * Listing all available resource types and their corresponding access levels. | |
| * Listing all available resource types and their corresponding access levels |
|
|
||
| ## Try resource sharing and share your feedback | ||
|
|
||
| Resource sharing and access control is available as an experimental feature in OpenSearch 3.3 and later. If you're developing a plugin and want to adopt resource sharing, start with performing these steps: |
| Resource sharing and access control is available as an experimental feature in OpenSearch 3.3 and later. If you're developing a plugin and want to adopt resource sharing, start with performing these steps: | |
| Resource sharing and access control is available as an experimental feature in OpenSearch 3.3 and later. If you're developing a plugin and want to adopt resource sharing, start by performing these steps: |
|
|
||
| Resource sharing and access control is available as an experimental feature in OpenSearch 3.3 and later. If you're developing a plugin and want to adopt resource sharing, start with performing these steps: | ||
|
|
||
| 1. Implement `ResourceSharingExtension` and register your plugin as a resource plugin. |
| 1. Implement `ResourceSharingExtension` and register your plugin as a resource plugin. | |
| 1. Implement the `ResourceSharingExtension` and register your plugin as a resource plugin. |
| 4. Use `isFeatureEnabledForType` and `verifyAccess` in your handlers. | ||
| 5. Enable the feature for your resource type in a test cluster and iterate. | ||
|
|
||
| After this, your plugin can inherit a complete, centralized sharing model with consistent behavior across the OpenSearch platform. |
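Review bot: Step 4 (`Use isFeatureEnabledForType and verifyAccess in your handlers`) names the two calls but does not say what a handler must do on the negative result of either. Suggest stating the expected behavior when the feature is not enabled for the resource type, and that a failed `verifyAccess` must reject the request before the resource is read or returned, so that plugin authors do not treat the check as advisory. The closing sentence promises "consistent behavior", which depends on every handler applying the same rule.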
| After this, your plugin can inherit a complete, centralized sharing model with consistent behavior across the OpenSearch platform. | |
| After this, your plugin can inherit a complete, centralized sharing model with consistent behavior across OpenSearch. |
|
|
||
| After this, your plugin can inherit a complete, centralized sharing model with consistent behavior across the OpenSearch platform. | ||
|
|
||
| Your input helps us improve the feature before it becomes generally available. Please share your experiences, questions, and suggestions on the [OpenSearch Forum](https://forum.opensearch.org/). No newline at end of file |
| Your input helps us improve the feature before it becomes generally available. Please share your experiences, questions, and suggestions on the [OpenSearch Forum](https://forum.opensearch.org/). | |
| Your input helps to improve the feature before it becomes generally available, so feel free to share your experiences, questions, and suggestions on the [OpenSearch forum](https://forum.opensearch.org/). |
natebower
left a comment
Editorial review
Signed-off-by: Nathan Bower <[email protected]>
natebower
left a comment
Thanks @DarshitChanpura! LGTM
@pajuric This should be ready to publish.
| } | ||
| ``` | ||
|
|
||
| ### 2. Explicit checks using the ResourceSharingClient |
@DarshitChanpura I'd rather not publish the blog with this. Let's focus on natively supporting it so that any public docs show the strategic method of integrating.
@DarshitChanpura @cwperks - Per the note above, I am holding this until you resolve. Please let me know when you are ready to publish and we'll work on getting back into the schedule.
Description
Follow-up to #4011. This blog explores the technical part of this feature, design decisions, and onboarding plugins.
Issues Resolved
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the BSD-3-Clause License.