
OpenSearch Cedarling demo plugin v2

Michael Schwartz edited this page Jul 6, 2025 · 17 revisions

Summary

The demo plugin integrates token-based access control into OpenSearch. Specifically, it filters the search results returned for queries sent to any of the endpoints listed here. Filtering is driven by the Cedarling policy provided in the plugin settings.

Example

Assumptions

  • Assume the OpenSearch index Students is made up of the following documents:
[
  { "name": "Jim", "grad_year": 2022 },
  { "name": "Joe", "grad_year": 2023 },
  { "name": "Jude", "grad_year": 2024 }
]
  • Say we want to restrict access so that nobody can see entries for graduation year 2024 onwards, except when the IDP user involved has the role SupremeRuler.

Cedar Schema

The schema includes a Students resource with the following shape:

{
    "shape": {
        "type": "Record",
        "attributes": {
            "name": {
                "type": "String"
            },
            "grad_year": {
                "type": "Long"
            }
        }
    }
}

Cedar Policy

@id("alumni_restricted_access")
permit(
    principal is Jans::User,
    action in Jans::Action::"Search",
    resource is Jans::Student
)
when {
    resource.grad_year < 2024 ||
    principal has "role" && principal.role.contains("SupremeRuler")
};

Cedarling configuration

In the Cedarling Policy Store, make sure to map the User role claim using the role_mapping configuration specified in the docs. Make sure the CEDARLING_USER_AUTHZ bootstrap property is enabled.

How to use it in practice

With the plugin installed and configured in this manner, issuing a search to /Students/_search with the following request body:

{
    "query": {
        "match_all": {}
    },
    "ext": {
        "tbac": {
            "tokens": {
                "access_token": "...",
                "id_token": "...",
                "userinfo_token": "..."
            },
            "context": { ... }
        }
    }
}

will result in:

{
  ...
  "hits" : {
    "total" : {
      "value" : 3,
      "relation" : "eq"
    },
    "hits" : [
      {
        "_index" : "student",
        "_id" : "1",
        "_score" : 1.0,
        "_source" : {
          "name" : "Jim",
          "grad_year" : 2022
        }
      },
      {
        "_index" : "student",
        "_id" : "2",
        "_score" : 1.0,
        "_source" : {
          "name" : "Joe",
          "grad_year" : 2023
        }
      }
    ]
  },
  "ext" : {
    "cedarling" : {
      "average_decision_time" : 0.1,
      "authorized_hits_count" : 2
    }
  }
}

as long as the underlying IDP user is not a SupremeRuler.
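To make the per-hit filtering concrete, here is a reference model of what the plugin does with the response above. This is an added example, not the plugin's or Cedarling's code: the decide function stands in for the Cedarling authorization call using the alumni_restricted_access policy (the real plugin delegates that decision to Cedarling), and the principal is represented only by the claims the role_mapping configuration would extract from the tokens (constructed sample data).

```python
# Reference model of the plugin's per-hit filter (added example; decide() is a
# stand-in for the Cedarling decision, not Cedarling's evaluator).
RAW_HITS = [  # constructed: what OpenSearch returns before any filtering
    {"_index": "student", "_id": "1", "_score": 1.0, "_source": {"name": "Jim", "grad_year": 2022}},
    {"_index": "student", "_id": "2", "_score": 1.0, "_source": {"name": "Joe", "grad_year": 2023}},
    {"_index": "student", "_id": "3", "_score": 1.0, "_source": {"name": "Jude", "grad_year": 2024}},
]


def decide(principal: dict, action: str, resource: dict) -> bool:
    """Evaluate the alumni_restricted_access policy for one Jans::Student.

    Mirrors the Cedar `when` clause: permit if grad_year < 2024, or if the
    principal carries a role attribute containing "SupremeRuler". Cedar is
    default-deny, so a hit that satisfies neither branch (including a document
    with no grad_year at all) is dropped rather than leaked.
    """
    if action != "Search":
        return False
    grad_year = resource.get("grad_year")
    if isinstance(grad_year, int) and grad_year < 2024:
        return True
    # `principal has "role"` guard: a missing attribute yields False instead of
    # an evaluation error, so users without the mapped role claim are denied.
    roles = principal.get("role")
    return isinstance(roles, list) and "SupremeRuler" in roles


def filter_hits(raw_response: dict, principal: dict) -> dict:
    """Apply the decision to every hit, as the plugin does for /Students/_search.

    hits.total is left as OpenSearch reported it (the pre-filter count, as in
    the sample response above); the authorized count is reported under ext.
    """
    allowed = [h for h in raw_response["hits"]["hits"]
               if decide(principal, "Search", h["_source"])]
    out = dict(raw_response)
    out["hits"] = {**raw_response["hits"], "hits": allowed}
    out["ext"] = {"cedarling": {"authorized_hits_count": len(allowed)}}
    return out


def raw_response() -> dict:
    """Constructed unfiltered OpenSearch response over the three documents."""
    return {"hits": {"total": {"value": len(RAW_HITS), "relation": "eq"}, "hits": list(RAW_HITS)}}


if __name__ == "__main__":
    regular = {"role": ["Student"]}       # claims mapped from the id_token (constructed)
    ruler = {"role": ["SupremeRuler"]}
    print(filter_hits(raw_response(), regular)["ext"])  # authorized_hits_count 2
    print(filter_hits(raw_response(), ruler)["ext"])    # authorized_hits_count 3
```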
