[Question] Should system index permissions check allow access to system indices with .* pattern? #3259

Closed
Tracked by #2529
DarshitChanpura opened this issue Aug 29, 2023 · 4 comments
Labels
question User requested information untriaged Require the attention of the repository maintainers and may need to be prioritized

Comments

@DarshitChanpura
Member

DarshitChanpura commented Aug 29, 2023

The system index permissions check introduced via #2887 adds a check for * and <prefix>*.

Access to all system indices is currently not allowed with *. A prefix is required to grant access to all system indices matching that prefix.

With <prefix>* pattern, access will be granted to all indices (including system indices) that begin with a dot (.).

Currently all system indices reserved by plugins (see the list here) begin with a dot (.); this would essentially make * pattern access control ineffective.

The goal of this issue is to seek votes on whether to allow access to system indices with .* pattern.

@DarshitChanpura
Member Author

The proposal is to also block access to system indices when the index pattern is provided as .*.

Please vote 👍 (do not allow access with .* pattern) or 👎 (to keep as is, and allow access to system index with .* pattern)

@peternied
Member

👎 We are discussing the API surface area which should have a crystal clear definition for well formed. We don't have verification like this in any other security config definitions; it is a new precedent if we add special cases like this.

Handling special cases such as this in the Dashboards UX, where we could add a warning message, might be a place we can help administrators make informed decisions.

@davidlago

This ☝️ and in the docs. The dot notation affords no special protections, it is just a convention.

@DarshitChanpura
Member Author

After engaging in internal discussion, the answer to this question is:

We will not add extra checks for .* patterns. However, this will be documented for customers to proceed with caution via opensearch-project/documentation-website#4849
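An administrator-side audit for the caution described in the thread, as an added example that is not part of the original issue or the project's code: it lists role index patterns that reach dot-prefixed system indices. The role names, index names and the `audit_roles` helper are constructed for illustration, and `*` is assumed to be the only wildcard.

```python
import re

# Constructed sample data: placeholder system index names (all dot-prefixed,
# following the convention discussed in the thread) and hypothetical roles
# mapped to their index patterns.
SYSTEM_INDICES = [".plugin-a-config", ".plugin-b-jobs", ".plugin-b-results"]
ROLES = {
    "log_reader": ["logs-*"],
    "dot_admin": [".*"],
    "plugin_b_ops": [".plugin-b-*"],
    "everything": ["*"],
}


def wildcard_to_regex(pattern):
    """Compile an index pattern, treating '*' as the only wildcard (assumption)."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts))


def audit_roles(roles, system_indices):
    """Return (role, pattern, scope, matched) for patterns reaching system indices."""
    findings = []
    for role in sorted(roles):
        for pattern in roles[role]:
            if pattern == "*":
                # Per the issue, a bare '*' does not grant system index access.
                continue
            regex = wildcard_to_regex(pattern)
            matched = [name for name in system_indices if regex.fullmatch(name)]
            if not matched:
                continue
            # "all" marks patterns such as '.*' that cover every listed index.
            scope = "all" if len(matched) == len(system_indices) else "some"
            findings.append((role, pattern, scope, matched))
    return findings


if __name__ == "__main__":
    for role, pattern, scope, matched in audit_roles(ROLES, SYSTEM_INDICES):
        print(f"{role}: pattern {pattern!r} covers {scope} system indices: {matched}")
```
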
