[BUG] How to create a role in OpenSearch that excludes specific indices from read permissions

[lgb861213]

Describe the bug

I need to create a role in OpenSearch that can read all indices EXCEPT those containing a specific string (like "test") in their names. However, OpenSearch's permission system seems to be primarily based on "allow" mechanisms without a direct "deny" capability.

Related component

Indexing

To Reproduce

opensearch version that is 2.19

Expected behavior

opensearch version that is 2.19

Additional Details

Plugins
Please list all plugins currently enabled.

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

• OS: [e.g. iOS]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

[andrross]

@opensearch-project/admin Can this be transferred to the security repo?

[andrross]

Catch All Triage - 1 2

@cwperks Can you take a look?

[cwperks]

@lgb861213 FYI Role definitions allow use of regex in the index_patterns portion. Have you tried that?

See https://github.com/opensearch-project/security/blob/main/src/test/resources/roles.yml#L27 as an example