This release enables customers to use JSON Web Tokens (JWT) for authe…

…ntication on their Amazon OpenSearch Service domains.
aws · Jun 19, 2024 · 94712ac · 94712ac
1 parent 6f89ea7
commit 94712ac
Show file tree

Hide file tree

Showing 14 changed files with 625 additions and 8 deletions.
diff --git a/generator/ServiceModels/opensearch/opensearch-2021-01-01.api.json b/generator/ServiceModels/opensearch/opensearch-2021-01-01.api.json
@@ -8,7 +8,8 @@
     "serviceFullName":"Amazon OpenSearch Service",
     "serviceId":"OpenSearch",
     "signatureVersion":"v4",
-    "uid":"opensearch-2021-01-01"
+    "uid":"opensearch-2021-01-01",
+    "auth":["aws.auth#sigv4"]
   },
   "operations":{
     "AcceptInboundConnection":{
@@ -1148,6 +1149,7 @@
         "Enabled":{"shape":"Boolean"},
         "InternalUserDatabaseEnabled":{"shape":"Boolean"},
         "SAMLOptions":{"shape":"SAMLOptionsOutput"},
+        "JWTOptions":{"shape":"JWTOptionsOutput"},
         "AnonymousAuthDisableDate":{"shape":"DisableTimestamp"},
         "AnonymousAuthEnabled":{"shape":"Boolean"}
       }
@@ -1159,6 +1161,7 @@
         "InternalUserDatabaseEnabled":{"shape":"Boolean"},
         "MasterUserOptions":{"shape":"MasterUserOptions"},
         "SAMLOptions":{"shape":"SAMLOptionsInput"},
+        "JWTOptions":{"shape":"JWTOptionsInput"},
         "AnonymousAuthEnabled":{"shape":"Boolean"}
       }
     },
@@ -2907,6 +2910,24 @@
       "type":"list",
       "member":{"shape":"Issue"}
     },
+    "JWTOptionsInput":{
+      "type":"structure",
+      "members":{
+        "Enabled":{"shape":"Boolean"},
+        "SubjectKey":{"shape":"SubjectKey"},
+        "RolesKey":{"shape":"RolesKey"},
+        "PublicKey":{"shape":"String"}
+      }
+    },
+    "JWTOptionsOutput":{
+      "type":"structure",
+      "members":{
+        "Enabled":{"shape":"Boolean"},
+        "SubjectKey":{"shape":"String"},
+        "RolesKey":{"shape":"String"},
+        "PublicKey":{"shape":"String"}
+      }
+    },
     "KmsKeyId":{
       "type":"string",
       "max":500,
@@ -3906,6 +3927,11 @@
       "min":20,
       "pattern":"arn:(aws|aws\\-cn|aws\\-us\\-gov|aws\\-iso|aws\\-iso\\-b):iam::[0-9]+:role\\/.*"
     },
+    "RolesKey":{
+      "type":"string",
+      "max":64,
+      "min":1
+    },
     "RollbackOnDisable":{
       "type":"string",
       "enum":[
@@ -4178,6 +4204,11 @@
       "type":"list",
       "member":{"shape":"String"}
     },
+    "SubjectKey":{
+      "type":"string",
+      "max":64,
+      "min":1
+    },
     "TLSSecurityPolicy":{
       "type":"string",
       "enum":[

diff --git a/generator/ServiceModels/opensearch/opensearch-2021-01-01.docs.json b/generator/ServiceModels/opensearch/opensearch-2021-01-01.docs.json
@@ -388,6 +388,8 @@
         "InstanceTypeDetails$AppLogsEnabled": "<p>Whether logging is supported for the instance type.</p>",
         "InstanceTypeDetails$AdvancedSecurityEnabled": "<p>Whether fine-grained access control is supported for the instance type.</p>",
         "InstanceTypeDetails$WarmEnabled": "<p>Whether UltraWarm is supported for the instance type.</p>",
+        "JWTOptionsInput$Enabled": "<p>True to enable JWT authentication and authorization for a domain.</p>",
+        "JWTOptionsOutput$Enabled": "<p>True if JWT use is enabled.</p>",
         "ListInstanceTypeDetailsRequest$RetrieveAZs": "<p>An optional parameter that specifies the Availability Zones for the domain.</p>",
         "LogPublishingOption$Enabled": "<p>Whether the log should be published.</p>",
         "NodeToNodeEncryptionOptions$Enabled": "<p>True to enable node-to-node encryption.</p>",
@@ -687,8 +689,8 @@
       "base": null,
       "refs": {
         "DataSourceDetails$Status": "<p>The status of the data source.</p>",
-        "GetDataSourceResponse$Status": "<p>The status of the data source response.</p>",
-        "UpdateDataSourceRequest$Status": "<p>The status of the data source update request.</p>"
+        "GetDataSourceResponse$Status": "<p>The status of the data source.</p>",
+        "UpdateDataSourceRequest$Status": "<p>The status of the data source update.</p>"
       }
     },
     "DataSourceType": {
@@ -1585,6 +1587,18 @@
         "UpgradeStepItem$Issues": "<p>A list of strings containing detailed information about the errors encountered in a particular step.</p>"
       }
     },
+    "JWTOptionsInput": {
+      "base": "<p>The JWT authentication and authorization configuration for an Amazon OpenSearch Service domain.</p>",
+      "refs": {
+        "AdvancedSecurityOptionsInput$JWTOptions": "<p>Container for information about the JWT configuration of the Amazon OpenSearch Service. </p>"
+      }
+    },
+    "JWTOptionsOutput": {
+      "base": "<p>Describes the JWT options configured for the domain.</p>",
+      "refs": {
+        "AdvancedSecurityOptions$JWTOptions": "<p>Container for information about the JWT configuration of the Amazon OpenSearch Service.</p>"
+      }
+    },
     "KmsKeyId": {
       "base": null,
       "refs": {
@@ -2355,6 +2369,12 @@
         "S3GlueDataCatalog$RoleArn": "<p>&gt;The Amazon Resource Name (ARN) for the S3 Glue Data Catalog.</p>"
       }
     },
+    "RolesKey": {
+      "base": null,
+      "refs": {
+        "JWTOptionsInput$RolesKey": "<p>Element of the JWT assertion to use for roles.</p>"
+      }
+    },
     "RollbackOnDisable": {
       "base": "<p>The rollback state while disabling Auto-Tune for the domain.</p>",
       "refs": {
@@ -2626,6 +2646,10 @@
         "EndpointsMap$key": null,
         "GetPackageVersionHistoryResponse$NextToken": "<p>When <code>nextToken</code> is returned, there are more results available. The value of <code>nextToken</code> is a unique pagination token for each page. Send the request again using the returned token to retrieve the next page.</p>",
         "GetUpgradeHistoryResponse$NextToken": "<p>When <code>nextToken</code> is returned, there are more results available. The value of <code>nextToken</code> is a unique pagination token for each page. Send the request again using the returned token to retrieve the next page.</p>",
+        "JWTOptionsInput$PublicKey": "<p>Element of the JWT assertion used by the cluster to verify JWT signatures.</p>",
+        "JWTOptionsOutput$SubjectKey": "<p>The key used for matching the JWT subject attribute.</p>",
+        "JWTOptionsOutput$RolesKey": "<p>The key used for matching the JWT roles attribute.</p>",
+        "JWTOptionsOutput$PublicKey": "<p>The key used to verify the signature of incoming JWT requests.</p>",
         "ListDomainsForPackageResponse$NextToken": "<p>When <code>nextToken</code> is returned, there are more results available. The value of <code>nextToken</code> is a unique pagination token for each page. Send the request again using the returned token to retrieve the next page.</p>",
         "ListPackagesForDomainResponse$NextToken": "<p>When <code>nextToken</code> is returned, there are more results available. The value of <code>nextToken</code> is a unique pagination token for each page. Send the request again using the returned token to retrieve the next page.</p>",
         "ModifyingProperties$Name": "<p>The name of the property that is currently being modified.</p>",
@@ -2669,6 +2693,12 @@
         "VPCOptions$SecurityGroupIds": "<p>The list of security group IDs associated with the VPC endpoints for the domain. If you do not provide a security group ID, OpenSearch Service uses the default security group for the VPC.</p>"
       }
     },
+    "SubjectKey": {
+      "base": null,
+      "refs": {
+        "JWTOptionsInput$SubjectKey": "<p>Element of the JWT assertion to use for the user name.</p>"
+      }
+    },
     "TLSSecurityPolicy": {
       "base": null,
       "refs": {

diff --git a/generator/ServiceModels/opensearch/opensearch-2021-01-01.normal.json b/generator/ServiceModels/opensearch/opensearch-2021-01-01.normal.json
@@ -8,7 +8,8 @@
     "serviceFullName":"Amazon OpenSearch Service",
     "serviceId":"OpenSearch",
     "signatureVersion":"v4",
-    "uid":"opensearch-2021-01-01"
+    "uid":"opensearch-2021-01-01",
+    "auth":["aws.auth#sigv4"]
   },
   "operations":{
     "AcceptInboundConnection":{
@@ -1282,6 +1283,10 @@
           "shape":"SAMLOptionsOutput",
           "documentation":"<p>Container for information about the SAML configuration for OpenSearch Dashboards.</p>"
         },
+        "JWTOptions":{
+          "shape":"JWTOptionsOutput",
+          "documentation":"<p>Container for information about the JWT configuration of the Amazon OpenSearch Service.</p>"
+        },
         "AnonymousAuthDisableDate":{
           "shape":"DisableTimestamp",
           "documentation":"<p>Date and time when the migration period will be disabled. Only necessary when <a href=\"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-enabling-existing\">enabling fine-grained access control on an existing domain</a>.</p>"
@@ -1312,6 +1317,10 @@
           "shape":"SAMLOptionsInput",
           "documentation":"<p>Container for information about the SAML configuration for OpenSearch Dashboards.</p>"
         },
+        "JWTOptions":{
+          "shape":"JWTOptionsInput",
+          "documentation":"<p>Container for information about the JWT configuration of the Amazon OpenSearch Service. </p>"
+        },
         "AnonymousAuthEnabled":{
           "shape":"Boolean",
           "documentation":"<p>True to enable a 30-day migration period during which administrators can create role mappings. Only necessary when <a href=\"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-enabling-existing\">enabling fine-grained access control on an existing domain</a>.</p>"
@@ -3904,7 +3913,7 @@
         },
         "Status":{
           "shape":"DataSourceStatus",
-          "documentation":"<p>The status of the data source response.</p>"
+          "documentation":"<p>The status of the data source.</p>"
         }
       },
       "documentation":"<p>The result of a <code>GetDataSource</code> operation.</p>"
@@ -4280,6 +4289,50 @@
       "type":"list",
       "member":{"shape":"Issue"}
     },
+    "JWTOptionsInput":{
+      "type":"structure",
+      "members":{
+        "Enabled":{
+          "shape":"Boolean",
+          "documentation":"<p>True to enable JWT authentication and authorization for a domain.</p>"
+        },
+        "SubjectKey":{
+          "shape":"SubjectKey",
+          "documentation":"<p>Element of the JWT assertion to use for the user name.</p>"
+        },
+        "RolesKey":{
+          "shape":"RolesKey",
+          "documentation":"<p>Element of the JWT assertion to use for roles.</p>"
+        },
+        "PublicKey":{
+          "shape":"String",
+          "documentation":"<p>Element of the JWT assertion used by the cluster to verify JWT signatures.</p>"
+        }
+      },
+      "documentation":"<p>The JWT authentication and authorization configuration for an Amazon OpenSearch Service domain.</p>"
+    },
+    "JWTOptionsOutput":{
+      "type":"structure",
+      "members":{
+        "Enabled":{
+          "shape":"Boolean",
+          "documentation":"<p>True if JWT use is enabled.</p>"
+        },
+        "SubjectKey":{
+          "shape":"String",
+          "documentation":"<p>The key used for matching the JWT subject attribute.</p>"
+        },
+        "RolesKey":{
+          "shape":"String",
+          "documentation":"<p>The key used for matching the JWT roles attribute.</p>"
+        },
+        "PublicKey":{
+          "shape":"String",
+          "documentation":"<p>The key used to verify the signature of incoming JWT requests.</p>"
+        }
+      },
+      "documentation":"<p>Describes the JWT options configured for the domain.</p>"
+    },
     "KmsKeyId":{
       "type":"string",
       "max":500,
@@ -5704,6 +5757,11 @@
       "min":20,
       "pattern":"arn:(aws|aws\\-cn|aws\\-us\\-gov|aws\\-iso|aws\\-iso\\-b):iam::[0-9]+:role\\/.*"
     },
+    "RolesKey":{
+      "type":"string",
+      "max":64,
+      "min":1
+    },
     "RollbackOnDisable":{
       "type":"string",
       "documentation":"<p>The rollback state while disabling Auto-Tune for the domain.</p>",
@@ -6176,6 +6234,11 @@
       "type":"list",
       "member":{"shape":"String"}
     },
+    "SubjectKey":{
+      "type":"string",
+      "max":64,
+      "min":1
+    },
     "TLSSecurityPolicy":{
       "type":"string",
       "enum":[
@@ -6262,7 +6325,7 @@
         },
         "Status":{
           "shape":"DataSourceStatus",
-          "documentation":"<p>The status of the data source update request.</p>"
+          "documentation":"<p>The status of the data source update.</p>"
         }
       },
       "documentation":"<p>Container for the parameters to the <code>UpdateDataSource</code> operation.</p>"

diff --git a/sdk/code-analysis/ServiceAnalysis/OpenSearchService/Generated/PropertyValueRules.xml b/sdk/code-analysis/ServiceAnalysis/OpenSearchService/Generated/PropertyValueRules.xml
@@ -858,6 +858,16 @@
     <max>256</max>
     <pattern>[a-z][a-z0-9\-]+</pattern>
   </property-value-rule>
+  <property-value-rule>
+    <property>Amazon.OpenSearchService.Model.JWTOptionsInput.RolesKey</property>
+    <min>1</min>
+    <max>64</max>
+  </property-value-rule>
+  <property-value-rule>
+    <property>Amazon.OpenSearchService.Model.JWTOptionsInput.SubjectKey</property>
+    <min>1</min>
+    <max>64</max>
+  </property-value-rule>
   <property-value-rule>
     <property>Amazon.OpenSearchService.Model.LogPublishingOption.CloudWatchLogsLogGroupArn</property>
     <min>20</min>

diff --git a/sdk/src/Services/OpenSearchService/Generated/Model/AdvancedSecurityOptions.cs b/sdk/src/Services/OpenSearchService/Generated/Model/AdvancedSecurityOptions.cs
@@ -38,6 +38,7 @@ public partial class AdvancedSecurityOptions
         private bool? _anonymousAuthEnabled;
         private bool? _enabled;
         private bool? _internalUserDatabaseEnabled;
+        private JWTOptionsOutput _jwtOptions;
         private SAMLOptionsOutput _samlOptions;
 
         /// <summary>
@@ -115,6 +116,24 @@ internal bool IsSetInternalUserDatabaseEnabled()
             return this._internalUserDatabaseEnabled.HasValue; 
         }
 
+        /// <summary>
+        /// Gets and sets the property JWTOptions. 
+        /// <para>
+        /// Container for information about the JWT configuration of the Amazon OpenSearch Service.
+        /// </para>
+        /// </summary>
+        public JWTOptionsOutput JWTOptions
+        {
+            get { return this._jwtOptions; }
+            set { this._jwtOptions = value; }
+        }
+
+        // Check to see if JWTOptions property is set
+        internal bool IsSetJWTOptions()
+        {
+            return this._jwtOptions != null;
+        }
+
         /// <summary>
         /// Gets and sets the property SAMLOptions. 
         /// <para>

diff --git a/sdk/src/Services/OpenSearchService/Generated/Model/AdvancedSecurityOptionsInput.cs b/sdk/src/Services/OpenSearchService/Generated/Model/AdvancedSecurityOptionsInput.cs
@@ -39,6 +39,7 @@ public partial class AdvancedSecurityOptionsInput
         private bool? _anonymousAuthEnabled;
         private bool? _enabled;
         private bool? _internalUserDatabaseEnabled;
+        private JWTOptionsInput _jwtOptions;
         private MasterUserOptions _masterUserOptions;
         private SAMLOptionsInput _samlOptions;
 
@@ -98,6 +99,25 @@ internal bool IsSetInternalUserDatabaseEnabled()
             return this._internalUserDatabaseEnabled.HasValue; 
         }
 
+        /// <summary>
+        /// Gets and sets the property JWTOptions. 
+        /// <para>
+        /// Container for information about the JWT configuration of the Amazon OpenSearch Service.
+        /// 
+        /// </para>
+        /// </summary>
+        public JWTOptionsInput JWTOptions
+        {
+            get { return this._jwtOptions; }
+            set { this._jwtOptions = value; }
+        }
+
+        // Check to see if JWTOptions property is set
+        internal bool IsSetJWTOptions()
+        {
+            return this._jwtOptions != null;
+        }
+
         /// <summary>
         /// Gets and sets the property MasterUserOptions. 
         /// <para>

diff --git a/sdk/src/Services/OpenSearchService/Generated/Model/GetDataSourceResponse.cs b/sdk/src/Services/OpenSearchService/Generated/Model/GetDataSourceResponse.cs
@@ -98,7 +98,7 @@ internal bool IsSetName()
         /// <summary>
         /// Gets and sets the property Status. 
         /// <para>
-        /// The status of the data source response.
+        /// The status of the data source.
         /// </para>
         /// </summary>
         public DataSourceStatus Status

diff --git a/...enerated/Model/Internal/MarshallTransformations/AdvancedSecurityOptionsInputMarshaller.cs b/...enerated/Model/Internal/MarshallTransformations/AdvancedSecurityOptionsInputMarshaller.cs
@@ -66,6 +66,17 @@ public void Marshall(AdvancedSecurityOptionsInput requestObject, JsonMarshallerC
                 context.Writer.Write(requestObject.InternalUserDatabaseEnabled);
             }
 
+            if(requestObject.IsSetJWTOptions())
+            {
+                context.Writer.WritePropertyName("JWTOptions");
+                context.Writer.WriteObjectStart();
+
+                var marshaller = JWTOptionsInputMarshaller.Instance;
+                marshaller.Marshall(requestObject.JWTOptions, context);
+
+                context.Writer.WriteObjectEnd();
+            }
+
             if(requestObject.IsSetMasterUserOptions())
             {
                 context.Writer.WritePropertyName("MasterUserOptions");

diff --git a/...e/Generated/Model/Internal/MarshallTransformations/AdvancedSecurityOptionsUnmarshaller.cs b/...e/Generated/Model/Internal/MarshallTransformations/AdvancedSecurityOptionsUnmarshaller.cs
@@ -90,6 +90,12 @@ public AdvancedSecurityOptions Unmarshall(JsonUnmarshallerContext context)
                     unmarshalledObject.InternalUserDatabaseEnabled = unmarshaller.Unmarshall(context);
                     continue;
                 }
+                if (context.TestExpression("JWTOptions", targetDepth))
+                {
+                    var unmarshaller = JWTOptionsOutputUnmarshaller.Instance;
+                    unmarshalledObject.JWTOptions = unmarshaller.Unmarshall(context);
+                    continue;
+                }
                 if (context.TestExpression("SAMLOptions", targetDepth))
                 {
                     var unmarshaller = SAMLOptionsOutputUnmarshaller.Instance;