
OpenSearch Cedarling demo plugin v2

Michael Schwartz edited this page Aug 27, 2025 · 17 revisions

Summary

The demo plugin implements token-based access control ("TBAC") in OpenSearch. When the database starts, the plugin initializes a local Cedar engine, which fetches its policy store and downloads the federation metadata of the token issuers it trusts. The plugin enforces security by filtering queries sent to the search endpoints /<index>/_search and /_search, so that documents the caller is not authorized to see are not returned.

Example

Assumptions

  • Assume the OpenSearch index students is made up of the following documents:
[
  { "name": "Jim", "grad_year": 2022 },
  { "name": "Joe", "grad_year": 2023 },
  { "name": "Jude", "grad_year": 2026 }
]
  • Say we want to restrict access so that nobody can see entries with a grad_year of 2026 or later, except when the IDP user involved has the role AdmissionsCounselor.

Cedar Schema

The schema includes a students resource with the following shape:

{
    "shape": {
        "type": "Record",
        "attributes": {
            "name": {
                "type": "String"
            },
            "grad_year": {
                "type": "Long"
            }
        }
    }
}

Cedar Policy

@id("Show all students, and also applicants to admissions counselors")
permit(
    principal,
    action in Jans::Action::"Search",
    resource is Jans::student
)
when {
  resource.grad_year < 2026 ||
  principal in Jans::Role::"AdmissionsCounselor"
};

Cedarling configuration

  • Make sure the CEDARLING_USER_AUTHZ bootstrap property is enabled.

  • In the Cedarling Policy Store, in the trusted_issuer section, set role_mapping to role, as described in the docs. You can map to a different JWT claim if necessary for your IDP.

"role_mapping": "role" 

How to use it in practice

With the plugin installed and configured in this manner, issue a search to /students/_search with the following request body:

{
    "query":{
        "match_all":{
        }
    },
    "ext": {
        "tbac": {
            "tokens": {
                "access_token": "...",
                "id_token": "...",
                "userinfo_token": "..."
            },
            "context": { ... }
        }
    }
}

As long as the underlying IDP user is not an AdmissionsCounselor, the response will be:

{
  ...
  "hits" : {
    "total" : {
      "value" : 3,
      "relation" : "eq"
    },
    "hits" : [
      {
        "_index" : "student",
        "_id" : "1",
        "_score" : 1.0,
        "_source" : {
          "name" : "Jim",
          "grad_year" : 2022
        }
      },
      {
        "_index" : "student",
        "_id" : "2",
        "_score" : 1.0,
        "_source" : {
          "name" : "Joe",
          "grad_year" : 2023
        }
      }
    ]
  },
  "ext" : {
    "cedarling" : {
      "average_decision_time" : 3,
      "authorized_hits_count" : 2
    }
  }
}
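To make the per-hit decision concrete, here is an added Python model of the filtering described above. It is not the plugin's or Cedarling's code: it assumes the JWTs have already been validated by Cedarling against the issuer metadata, so only the decoded claims are passed in, and the names STUDENTS, principal_roles, policy_permits and filter_search_response are my own.

```python
# Added example (not the plugin's code): a reference model of how the Cedar
# policy on this page decides, per hit, whether a student document is returned.

# Constructed copy of the page's "students" index, as OpenSearch hits.
STUDENTS = [
    {"_id": "1", "_source": {"name": "Jim", "grad_year": 2022}},
    {"_id": "2", "_source": {"name": "Joe", "grad_year": 2023}},
    {"_id": "3", "_source": {"name": "Jude", "grad_year": 2026}},
]

ROLE_MAPPING = "role"  # mirrors the policy store's trusted_issuer role_mapping


def principal_roles(claims: dict, role_claim: str = ROLE_MAPPING) -> set:
    """Map the configured JWT claim to the set of Jans::Role ids.
    `claims` is assumed to be the payload of an already validated token.
    A missing or malformed claim yields no roles, so the policy fails closed."""
    value = claims.get(role_claim)
    if isinstance(value, str):
        return {value}
    if isinstance(value, list):
        return {v for v in value if isinstance(v, str)}
    return set()


def policy_permits(roles: set, resource: dict) -> bool:
    """Same condition as the Cedar policy:
    resource.grad_year < 2026 || principal in Jans::Role::"AdmissionsCounselor"."""
    return resource["grad_year"] < 2026 or "AdmissionsCounselor" in roles


def filter_search_response(hits: list, claims: dict) -> dict:
    """Post-filter hits the way the search filter does: drop every hit the
    policy denies and report how many were authorized in the ext block.
    The raw total is left as computed before filtering, matching the sample
    response above (total 3, two authorized hits)."""
    roles = principal_roles(claims)
    allowed = [h for h in hits if policy_permits(roles, h["_source"])]
    return {
        "hits": {"total": {"value": len(hits), "relation": "eq"}, "hits": allowed},
        "ext": {"cedarling": {"authorized_hits_count": len(allowed)}},
    }


if __name__ == "__main__":
    # Constructed claim sets for a plain user and for an admissions counselor.
    print(filter_search_response(STUDENTS, {"sub": "alice", "role": "Student"})["ext"])
    print(filter_search_response(STUDENTS, {"sub": "bob", "role": ["AdmissionsCounselor"]})["ext"])
```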
