Description
As part of Security for Extensions there will be 2 types of tokens ferried to an extension, each to be used for REST requests back to the OpenSearch cluster. These 2 types of tokens are:
- On-Behalf-Of tokens - short-lived access tokens issued on behalf of the currently authenticated user; a request made with one is authorized with that user's permissions, not the extension's
- Service Account token - a single token issued and ferried over during extension bootstrap and used by the extension to make requests on its own behalf, for instance writing to a reserved (system) index that the extension owns
The SDKClient contains methods for initializing clients in an extension for making REST requests back to OpenSearch, and the tokens described above will need to be used by those clients.
For extension developers, it will need to be clear how to use each type of token described above. To make it obvious which token a given request carries, I propose to create 2 separate REST Clients:
- Extension REST Client - This REST Client would always use the static service account token (static meaning that there is a single instance of the token at a time). It is created once at bootstrap and reused for the extension's own work.
- User REST Client - This REST Client would be initialized at the start of handling a REST Request and would be used to make REST requests back to OpenSearch on behalf of the authenticated user. Initialization means that the REST Client is provided default HTTP headers, and it would populate the `Authorization` header with the auth token provided to the REST Handler, so every request made through it is scoped to that user. A handler that has no on-behalf-of token must not fall back to the Extension REST Client, since that would run the user's request with the extension's privileges.
An additional consideration for the REST Clients and Security is that they will need to be set up to use the `https://` scheme instead of the default `http://`. Note that it is possible to disable HTTPS on the REST layer in the security plugin (but not transport TLS), so the setting that controls https/http in the security plugin also needs to be ferried over to an extension to determine which scheme to use. When HTTPS is in use the extension must also trust the certificate the cluster presents on its REST port; when it is disabled, both token types cross the network in cleartext, so that configuration should be treated as a development-only setting.
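The following is an added example, not code from opensearch-sdk-java or the security plugin, of what the two clients described above could look like when built on the OpenSearch low-level REST client (`org.opensearch.client.RestClient`). It assumes that tokens are sent as `Authorization: Bearer <token>`, that the cluster hostname, port, the HTTPS-enabled flag (in the security plugin this is `plugins.security.ssl.http.enabled`) and the service account token are all handed to the extension at bootstrap, and that the class and method names (`ExtensionRestClients`, `extensionRestClient`, `userRestClient`, and the two request helpers) are hypothetical.

```java
// Added example (not opensearch-sdk-java code). Assumptions: bearer-token Authorization
// header, bootstrap supplies host/port/https flag/service account token; names are hypothetical.
import java.io.Closeable;
import java.io.IOException;
import java.util.Objects;

import org.apache.http.Header;
import org.apache.http.HttpHost;
import org.apache.http.message.BasicHeader;
import org.opensearch.client.Request;
import org.opensearch.client.Response;
import org.opensearch.client.RestClient;

public final class ExtensionRestClients implements Closeable {

    private final HttpHost clusterHost;
    private final RestClient extensionClient;   // one instance for the life of the extension

    /**
     * @param hostname             OpenSearch node reachable from the extension
     * @param port                 its REST port
     * @param httpsEnabled         the security plugin's REST-TLS setting, ferried over at bootstrap
     * @param serviceAccountToken  the single static token issued to this extension at bootstrap
     */
    public ExtensionRestClients(String hostname, int port, boolean httpsEnabled, String serviceAccountToken) {
        // The scheme must follow the cluster's setting: https:// against a plain-HTTP node fails,
        // and http:// against a TLS node sends the token over the wrong protocol.
        String scheme = httpsEnabled ? "https" : "http";
        this.clusterHost = new HttpHost(hostname, port, scheme);
        Objects.requireNonNull(serviceAccountToken, "service account token");
        this.extensionClient = buildClient(serviceAccountToken);
    }

    /** Extension REST Client: always carries the static service account token. */
    public RestClient extensionRestClient() {
        return extensionClient;
    }

    /**
     * User REST Client: built at the start of handling one REST request from the on-behalf-of
     * token that arrived with it, so every call it makes is authorized as that user.
     * The caller owns it and closes it when the request has been handled.
     */
    public RestClient userRestClient(String onBehalfOfToken) {
        if (onBehalfOfToken == null || onBehalfOfToken.isEmpty()) {
            // Never fall back to the service account here: that would silently escalate an
            // anonymous or unauthenticated request to the extension's own privileges.
            throw new IllegalArgumentException("request carries no on-behalf-of token");
        }
        return buildClient(onBehalfOfToken);
    }

    private RestClient buildClient(String token) {
        // setDefaultHeaders attaches the header to every request made through this client,
        // so individual handlers cannot forget it or accidentally mix the two tokens.
        Header[] defaults = { new BasicHeader("Authorization", "Bearer " + token) };
        return RestClient.builder(clusterHost).setDefaultHeaders(defaults).build();
    }

    /** Extension-level work: write a document to a reserved (system) index the extension owns. */
    public int writeToReservedIndex(String indexName, String docId, String jsonBody) throws IOException {
        Request req = new Request("PUT", "/" + indexName + "/_doc/" + docId);
        req.setJsonEntity(jsonBody);
        Response resp = extensionRestClient().performRequest(req);
        return resp.getStatusLine().getStatusCode();
    }

    /** User-level work: a search that succeeds only if the user's own permissions allow it. */
    public int searchAsUser(String onBehalfOfToken, String indexName, String jsonQuery) throws IOException {
        try (RestClient userClient = userRestClient(onBehalfOfToken)) {
            Request req = new Request("GET", "/" + indexName + "/_search");
            req.setJsonEntity(jsonQuery);
            return userClient.performRequest(req).getStatusLine().getStatusCode();
        }
    }

    @Override
    public void close() throws IOException {
        extensionClient.close();
    }
}
```

Two design points are worth calling out. First, the user client is constructed per request and never has a code path that substitutes the service account token, so a handler cannot accidentally perform user-initiated work with extension privileges. Second, when `httpsEnabled` is true the extension has to trust the certificate the cluster presents on its REST port; with the low-level client that is done by passing an `SSLContext` loaded with the cluster's CA via `RestClient.builder(...).setHttpClientConfigCallback(b -> b.setSSLContext(sslContext))`, which is omitted above to keep the token handling in focus.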