[Security] OpenSearch should support authentication and authorization natively #4514

Open
7 tasks
peternied opened this issue Sep 14, 2022 · 0 comments
Labels

  • discuss - Issues intended to help drive brainstorming and decision making
  • enhancement - Enhancement or improvement to existing feature or request
  • security - Anything security related

Is your feature request related to a problem? Please describe.
Plugins have some permission boundaries established by the Java Security Manager, but those only enforce a subset of actions that a plugin can do. Public interfaces within the OpenSearch core systems are accessible by plugins without any access control systems.

Knowing which systems have security considerations or not is non-trivial during plugin development, and represents a maintenance problem: if new granularity is added over time and plugins don't update to support it, these gaps in functionality are security bugs.

Describe the solution you'd like
Support authentication and authorization within OpenSearch access control systems. Use that system to apply universally on all OpenSearch components, plugins, and the new up-and-coming extensions.

Describe alternatives you've considered
The Security plugin is available, and it offers solutions for several features that align with this overall goal. Individual components might be worthwhile adopting; as the security system was built independently of OpenSearch, the enforcement processes and ability to restrict access are optional by nature.

Additional context
I think some of the to move towards this ultimate state looks like,

  • OpenSearch should be able to track a Subject through its system
  • OpenSearch should disable or enable support for authentication and authorization via config
  • OpenSearch internal processes have different subjects for different actions
  • OpenSearch should have a user registry describable via config
  • OpenSearch users should be able to authenticate with 'Basic' HTTP Authentication
  • OpenSearch requests should know the Subject of the caller
  • OpenSearch should have a way to describe the permissions available to

Terminology

Definitions following the NIST glossary: https://csrc.nist.gov/glossary

  • Subject - An individual, process, or device that causes information to flow among objects or change to the system state.
  • Authentication - Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.
  • Authorization - The process of verifying that a requested action or service is approved for a specific entity.
@peternied peternied added enhancement Enhancement or improvement to existing feature or request discuss Issues intended to help drive brainstorming and decision making untriaged labels Sep 14, 2022
peternied added a commit to peternied/OpenSearch-1 that referenced this issue Sep 14, 2022
Adding a noop implementation of an authentication manager for use
tracking identity information within the OpenSearch systems.

Also see
- opensearch-project#4514
- opensearch-project#3846
- https://github.com/opensearch-project/opensearch-sdk-java/blob/main/SECURITY.md
peternied added a commit to peternied/OpenSearch-1 that referenced this issue Sep 14, 2022
Adding a noop implementation of an authentication manager for use
tracking identity information within the OpenSearch systems.

Also see
- opensearch-project#4514
- opensearch-project#3846
- https://github.com/opensearch-project/opensearch-sdk-java/blob/main/SECURITY.md

Signed-off-by: Peter Nied <petern@amazon.com>
@tlfeng tlfeng added security Anything security related and removed untriaged labels Sep 15, 2022
peternied added a commit to peternied/OpenSearch-1 that referenced this issue Sep 16, 2022
Adding a noop implementation of an authentication manager for use
tracking identity information within the OpenSearch systems.

Also see
- opensearch-project#4514
- opensearch-project#3846
- https://github.com/opensearch-project/opensearch-sdk-java/blob/main/SECURITY.md

Signed-off-by: Peter Nied <petern@amazon.com>
peternied added a commit that referenced this issue Sep 16, 2022
#4515)

* Identity and Auth Manager

Adding a noop implementation of an authentication manager for use
tracking identity information within the OpenSearch systems.

Also see
- #4514
- #3846
- https://github.com/opensearch-project/opensearch-sdk-java/blob/main/SECURITY.md

Signed-off-by: Peter Nied <petern@amazon.com>