Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security for Extensions] Consume access tokens passed from core and utilize in REST Clients #887

Open
Tracked by #2573
cwperks opened this issue Jul 17, 2023 · 2 comments
Open
Tracked by #2573

[Security for Extensions] Consume access tokens passed from core and utilize in REST Clients #887

cwperks opened this issue Jul 17, 2023 · 2 comments
Assignees
@cwperks
Labels
enhancement New feature or request

Comments

@cwperks
Copy link
Member

cwperks commented Jul 17, 2023
edited
Loading

As part of Security for Extensions there will be 2 types of tokens ferried to an extension to be utilized to make REST Requests back to the OpenSearch cluster. These 2 types of tokens are:

  • On-Behalf-Of tokens - these are short-lived access tokens issued on behalf of the currently authenticated user
  • Service Account token - This would be a single token issued and ferried over during extension bootstrap and utilized by the extension to make requests on its own behalf, for instance writing to a reserved (system) index

The SDKClient contains methods for initializing clients in an extension for making REST requests back to OpenSearch and the tokens described above will need to be utilized by the clients.

For Extensions Developers, it will need to be clear how to use each type of token described above. In order to make it clearer which token is utilized, I propose to create 2 separate REST Clients:

  1. Extension REST Client - This REST Client would always utilize the static service account token (static meaning that there is a single instance of the token at a time.)
  2. User REST Client - This REST Client would be initialized at the start of handling a REST Request and would be used to make REST Requests back to OpenSearch on behalf of the authenticated user. Initialization means that the REST Client is provided default HTTP Headers and it would populate the Authorization header with the auth token provided to the REST Handler.

Additional considerations for the REST Clients and Security is that they will need to be setup to use the https:// protocol instead of the default http://. Note that it is possible to disable https in the security plugin (but not transport TLS), so the setting that controls https/http in the security plugin also needs to be ferried over to an extension to determine what scheme to use.
@cwperks cwperks added enhancement New feature or request untriaged labels Jul 17, 2023
@cwperks cwperks self-assigned this Jul 17, 2023
@cwperks cwperks mentioned this issue Jul 21, 2023
Draft
@peternied peternied mentioned this issue Aug 16, 2023
Closed
35 tasks
@peternied
Copy link
Member

@cwperks Did we want to consider this item for the next security sprint, is it ready for that or out of scope?

@cwperks
Copy link
Member Author

cwperks commented Aug 23, 2023

@peternied Its related to this issue: opensearch-project/security#3176

There is a checkbox in there to update this PR to reflect how Service Account Tokens are ferried to an extension. In the implementation in this PR it ferries the token over in a separate transport action that is sent directly after a success extension initialization request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cwperks cwperks

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@peternied @cwperks @minalsha