Model User Roles within ChaosSearch
The following table describes some high-level ChaosSearch groups (user roles) that can be deployed for a customer that uses the file-name prefix model. The process of mapping or associating these groups to users/subaccounts varies with the customer's authentication methods and IdP, and is managed by the customer. These roles can be modified, and additional roles created, in the future as required by the customer.
Type | Description | Scope | Accompanying RBAC Policy Permissions Template |
---|---|---|---|
superadmin | This group has all privileges on all tabs. Visibility and permitted actions are not constrained by any prefix. | One overall | rbac-template-120821-superadmin.json |
admin | This group has access to the Storage, Refinery, and Analytics areas. This group can perform any and all actions available. Within each area, the visibility and permitted actions are restricted to the team's predetermined prefix. | One group per customer team | rbac-template-120821-admin.json |
normal | This group has access to the Refinery and Analytics areas. This group can perform any and all actions available. Within each area, visibility and permitted actions are restricted to the team's predetermined prefix. | One group per customer team | rbac-template-120821-normal.json |
readonly | This group has access to the Analytics area. This group can run queries and access dashboards, but cannot create or edit any OpenSearch Dashboards objects. Visibility and permitted actions are restricted to the team's predetermined prefix. | One group per customer team | rbac-template-120821-readonly.json |
Modifying the Group Bucket and Prefix Settings
Within the sample RBAC policy definitions, there are references and placeholder strings for buckets, object groups, indexes, views, and OpenSearch Dashboards saved objects. Customer administrators should replace these placeholders with the correct values that they have planned for their environment and group setup. In the accompanying templates, search for the terms bucketnamechangeme and prefixchangeme and replace every occurrence. The following table lists the references and the context where they are defined.
Type | Reference |
---|---|
Buckets in Conditions | "s3:bucket/attributes.name": "bucketnamechangeme" |
Buckets in Resources | "arn:aws:s3:::bucketnamechangeme" |
Object Groups in Conditions | "chaos:object_group/attributes.name": "prefixchangeme-" |
Object Groups in Resources | "crn:object_group:::prefixchangeme-*" |
Views in Conditions | "chaos:view/attributes.name": "prefixchangeme-" |
Views in Resources | "crn:view:::prefixchangeme-*" |
Indexes in Conditions (note the starting underscore) | "chaos:index/attributes.name": "_prefixchangeme-" |
Monitors in Resources | "crn:monitor:::prefixchangeme-*" |
Alerts in Resources | "crn:alert:::prefixchangeme-*" |
Destinations in Resources | "crn:destination:::prefixchangeme-*" |
OpenSearch Dashboards (Kibana) Saved Objects In Conditions | "chaos:document/attributes.title": "prefixchangeme" |
rbac-template-120821-superadmin.json
[
{
"Actions": [
"*"
],
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
}
]
rbac-template-120821-admin.json
[
{
"Actions": [
"ui:analytics",
"ui:refinery",
"ui:storage"
],
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"chaos:*",
"chaos:replica:*",
"chaos:query:*"
],
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:*",
"elastic:*",
"elastic-opendistro:*",
"kibana:*",
"kibana:query",
"kibana:saved-objects:create",
"kibana:saved-objects:update",
"kibana:saved-objects:delete",
"kibana:saved-objects:read",
"kibana-management:*",
"kibana-management:import:*",
"kibana-management:export:*",
"kibana-settings:read",
"kibana-opendistro:*",
"kibana-opendistro:alerting",
"kibana-opendistro:alerting:alerts:read",
"kibana-opendistro:alerting:alerts:update",
"kibana-opendistro:alerting:destinations:create",
"kibana-opendistro:alerting:destinations:update",
"kibana-opendistro:alerting:destinations:delete",
"kibana-opendistro:alerting:destinations:read",
"kibana-opendistro:alerting:monitors:create",
"kibana-opendistro:alerting:monitors:update",
"kibana-opendistro:alerting:monitors:delete",
"kibana-opendistro:alerting:monitors:execute",
"kibana-opendistro:alerting:monitors:read"
],
"Effect": "Allow",
"Resources": [
"crn:view:::prefixchangeme-*",
"crn:monitor:::prefixchangeme-*",
"crn:alert:::prefixchangeme-*",
"crn:destination:::prefixchangeme-*",
"crn:view:::.opendistro*",
"crn:view:::.opendistro-alerting-alerts"
],
"Version": "1.0"
},
{
"Actions": [
"kibana:*",
"kibana:saved-objects:read"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:document/attributes.title": "prefixchangeme"
}
}
]
},
"Effect": "Allow",
"Resources": [
"crn:view:::.kibana"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBuckets"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"s3:bucket/attributes.name": "bucketnamechangeme"
}
}
]
},
"Effect": "Allow",
"Resources": [
"arn:aws:s3:::*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBuckets"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:object_group/attributes.name": "prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"crn:object_group:::*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBuckets"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:view/attributes.name": "prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"crn:view:::*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBuckets"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:index/attributes.name": "_prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBucket",
"s3:chaos:field_caps",
"s3:chaos:field_samples",
"s3:chaos:metadata",
"s3:chaos:partition_keys"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"s3:bucket/attributes.name": "bucketnamechangeme"
}
},
{
"StartsWith": {
"chaos:object_group/attributes.name": "prefixchangeme-"
}
},
{
"StartsWith": {
"chaos:view/attributes.name": "prefixchangeme-"
}
},
{
"StartsWith": {
"chaos:index/attributes.name": "_prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:view:create"
],
"Effect": "Allow",
"Resources": [
"crn:view:::prefixchangeme-*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:view:update"
],
"Effect": "Allow",
"Resources": [
"crn:view:::prefixchangeme-*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:GetObject",
"s3:aws:GetObjectTagging",
"s3:aws:GetBucketTagging",
"s3:chaos:metadata"
],
"Effect": "Allow",
"Resources": [
"arn:aws:s3:::bucketnamechangeme",
"arn:aws:s3:::bucketnamechangeme/*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBucket",
"s3:chaos:field_samples"
],
"Effect": "Allow",
"Resources": [
"arn:aws:s3:::bucketnamechangeme",
"arn:aws:s3:::bucketnamechangeme/*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:object_group:create"
],
"Effect": "Allow",
"Resources": [
"arn:aws:s3:::bucketnamechangeme",
"crn:object_group:::prefixchangeme-*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:object_group:update"
],
"Effect": "Allow",
"Resources": [
"crn:object_group:::prefixchangeme-*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:model"
],
"Effect": "Allow",
"Resources": [
"crn:object_group:::prefixchangeme-*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:inspect"
],
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:discover"
],
"Condition": {
"Conditions": [
{
"Equals": {
"s3:bucket/attributes.name": "bucketnamechangeme"
}
}
]
},
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"chaos:user:credentials",
"chaos:user:apikeys",
"kibana-settings:write"
],
"Effect": "Deny",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:DeleteBucket"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"s3:bucket/attributes.name": "bucketnamechangeme"
}
},
{
"StartsWith": {
"chaos:object_group/attributes.name": "prefixchangeme"
}
},
{
"StartsWith": {
"chaos:view/attributes.name": "prefixchangeme-"
}
},
{
"StartsWith": {
"chaos:index/attributes.name": "_prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
}
]
rbac-template-120821-normal.json
[
{
"Actions": [
"ui:analytics",
"ui:refinery"
],
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"chaos:*",
"chaos:replica:*",
"chaos:query:*"
],
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:*",
"elastic:*",
"elastic-opendistro:*",
"kibana:*",
"kibana:query",
"kibana:saved-objects:create",
"kibana:saved-objects:update",
"kibana:saved-objects:delete",
"kibana:saved-objects:read",
"kibana-management:*",
"kibana-management:import:*",
"kibana-management:export:*",
"kibana-settings:read",
"kibana-opendistro:*",
"kibana-opendistro:alerting",
"kibana-opendistro:alerting:alerts:read",
"kibana-opendistro:alerting:alerts:update",
"kibana-opendistro:alerting:destinations:create",
"kibana-opendistro:alerting:destinations:update",
"kibana-opendistro:alerting:destinations:delete",
"kibana-opendistro:alerting:destinations:read",
"kibana-opendistro:alerting:monitors:create",
"kibana-opendistro:alerting:monitors:update",
"kibana-opendistro:alerting:monitors:delete",
"kibana-opendistro:alerting:monitors:execute",
"kibana-opendistro:alerting:monitors:read"
],
"Effect": "Allow",
"Resources": [
"crn:view:::prefixchangeme-*",
"crn:monitor:::prefixchangeme-*",
"crn:alert:::prefixchangeme-*",
"crn:destination:::prefixchangeme-*",
"crn:view:::.opendistro*",
"crn:view:::.opendistro-alerting-alerts"
],
"Version": "1.0"
},
{
"Actions": [
"kibana:*",
"kibana:saved-objects:read"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:document/attributes.title": "prefixchangeme"
}
}
]
},
"Effect": "Allow",
"Resources": [
"crn:view:::.kibana"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBuckets"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"s3:bucket/attributes.name": "bucketnamechangeme"
}
}
]
},
"Effect": "Allow",
"Resources": [
"arn:aws:s3:::*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBuckets"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:object_group/attributes.name": "prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"crn:object_group:::*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBuckets"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:view/attributes.name": "prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"crn:view:::*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBuckets"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:index/attributes.name": "_prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:ListBucket",
"s3:chaos:field_caps",
"s3:chaos:field_samples",
"s3:chaos:metadata",
"s3:chaos:partition_keys"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"s3:bucket/attributes.name": "bucketnamechangeme"
}
},
{
"StartsWith": {
"chaos:object_group/attributes.name": "prefixchangeme-"
}
},
{
"StartsWith": {
"chaos:view/attributes.name": "prefixchangeme-"
}
},
{
"StartsWith": {
"chaos:index/attributes.name": "_prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:view:create"
],
"Effect": "Allow",
"Resources": [
"crn:view:::prefixchangeme-*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:chaos:view:update"
],
"Effect": "Allow",
"Resources": [
"crn:view:::prefixchangeme-*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:GetObject",
"s3:aws:GetObjectTagging",
"s3:aws:GetBucketTagging",
"s3:chaos:metadata"
],
"Effect": "Allow",
"Resources": [
"arn:aws:s3:::bucketnamechangeme",
"arn:aws:s3:::bucketnamechangeme/*"
],
"Version": "1.0"
},
{
"Actions": [
"chaos:user:credentials",
"chaos:user:apikeys",
"kibana-settings:write"
],
"Effect": "Deny",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:aws:DeleteBucket"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"s3:bucket/attributes.name": "bucketnamechangeme"
}
},
{
"StartsWith": {
"chaos:view/attributes.name": "prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
}
]
rbac-template-120821-readonly.json
[
{
"Actions": [
"ui:analytics"
],
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"chaos:*",
"chaos:replica:*",
"chaos:query:*"
],
"Effect": "Allow",
"Resources": [
"*"
],
"Version": "1.0"
},
{
"Actions": [
"s3:*",
"elastic:*",
"elastic-opendistro:*",
"kibana:*",
"kibana:query",
"kibana:saved-objects:read",
"kibana-management:*",
"kibana-management:export:*",
"kibana-settings:read",
"kibana-opendistro:*",
"kibana-opendistro:alerting",
"kibana-opendistro:alerting:alerts:read",
"kibana-opendistro:alerting:destinations:read",
"kibana-opendistro:alerting:monitors:execute",
"kibana-opendistro:alerting:monitors:read"
],
"Effect": "Allow",
"Resources": [
"crn:view:::prefixchangeme-*",
"crn:monitor:::prefixchangeme-*",
"crn:alert:::prefixchangeme-*",
"crn:destination:::prefixchangeme-*",
"crn:view:::.opendistro*",
"crn:view:::.opendistro-alerting-alerts"
],
"Version": "1.0"
},
{
"Actions": [
"kibana:*",
"kibana:saved-objects:read"
],
"Condition": {
"Conditions": [
{
"StartsWith": {
"chaos:document/attributes.title": "prefixchangeme-"
}
}
]
},
"Effect": "Allow",
"Resources": [
"crn:view:::.kibana"
],
"Version": "1.0"
},
{
"Actions": [
"chaos:user:credentials",
"chaos:user:apikeys",
"kibana:saved-objects:create",
"kibana:saved-objects:update",
"kibana:saved-objects:delete",
"kibana-opendistro:alerting:alerts:update",
"kibana-opendistro:alerting:destinations:create",
"kibana-opendistro:alerting:destinations:update",
"kibana-opendistro:alerting:destinations:delete",
"kibana-opendistro:alerting:monitors:create",
"kibana-opendistro:alerting:monitors:update",
"kibana-opendistro:alerting:monitors:delete",
"kibana-settings:write",
"kibana-management:import:*"
],
"Effect": "Deny",
"Resources": [
"*"
],
"Version": "1.0"
}
]