Add documentation for authorization on the REST layer #4544
Conversation
Signed-off-by: cwillum <cwmmoore@amazon.com>
cwillum
added
2 - In progress
cwillum
requested review from
hdhalter,
kolchfa-aws,
Naarcha-AWS,
vagimeli,
ananzh,
seanneumann,
AMoo-Miki and
natebower
as code owners
|
Just collecting the dots at this point. Thus the draft status. |
Signed-off-by: cwillum <cwmmoore@amazon.com>
cwillum
added
v2.10.0
1 - Backlog
|
Received news that this will most likely get pushed to 2.10. |
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
|
@DarshitChanpura Could you have a look at this for technical accuracy, language, and completeness? I'm not sure if I got some of the language-concept agreement right in some cases. Thanks. |
Signed-off-by: cwillum <cwmmoore@amazon.com>
cwillum
removed
the
1 - Backlog
There was a problem hiding this comment.
Some minor changes requested. Thank you @cwillum for putting this together.
|
|
||
| # REST layer authorization | ||
|
|
||
| Authorization on the REST layer provides an added level of security for plugin and extension API requests by offering a mechanism for authorization checks on the REST layer. This level of security sits atop the transport layer and provides a complementary method of authorization without replacing, modifying, or in any way changing the same process on the transport layer. REST layer authorization was initially created to address the need for an authorization check for extensions, which do not communicate on the transport layer. However, the feature is also supported for existing plugins and will be available for future plugins created to operate with OpenSearch. |
There was a problem hiding this comment.
| Authorization on the REST layer provides an added level of security for plugin and extension API requests by offering a mechanism for authorization checks on the REST layer. This level of security sits atop the transport layer and provides a complementary method of authorization without replacing, modifying, or in any way changing the same process on the transport layer. REST layer authorization was initially created to address the need for an authorization check for extensions, which do not communicate on the transport layer. However, the feature is also supported for existing plugins and will be available for future plugins created to operate with OpenSearch. | |
| Authorization on the REST layer provides an added level of security for plugin and extension API requests by offering a mechanism for authorization checks on the REST layer. This level of security sits atop the transport layer and provides a complementary method of authorization without replacing, modifying, or in any way changing the same process on the transport layer. REST layer authorization was initially created to address the need for an authorization check for extensions, which do not communicate on the transport layer. However, the feature is also available for developers to utilize while creating future plugins to operate with OpenSearch. |
Current plugins have not been migrated to utilize this feature. But, the feature is available for current plugins to migrate their APIs to support authorization.
|
|
||
| For users that work with REST layer authorization, the methods of assigning roles and mapping users and roles, and the general usage of plugins and extensions, remain the same: the only additional requirement being that users become familiar with a new scheme for permissions. Developers, on the other hand, will need to understand the ideas behind `NamedRoute` and how the new route scheme is constructed. For detailed information, see [Authorization at REST Layer for plugins](https://github.com/opensearch-project/security/blob/main/REST_AUTHZ_FOR_PLUGINS.md). | ||
|
|
||
| The benefits to developers when using the REST layer for authorization mean that they do not need to build transport layer actions and get authorization for them to adhere to security procedures. As a result, this decreases the code-writing burden and time invested in creating a single action. As an alternative, they can create REST API actions and authorize them on the REST layer. |
There was a problem hiding this comment.
| The benefits to developers when using the REST layer for authorization mean that they do not need to build transport layer actions and get authorization for them to adhere to security procedures. As a result, this decreases the code-writing burden and time invested in creating a single action. As an alternative, they can create REST API actions and authorize them on the REST layer. | |
| The benefits to developers when using the REST layer for authorization mean that they can authorize requests at REST layer and filter out unauthorized requests. As a result, this decreases the processing burden on transport layer while allowing granular control over access to APIs. |
We are not replacing transport authz, we are just adding a layer on top.
|
|
||
| `_/detectors/<detectorId>/profile` | ||
|
|
||
| To create a NamedRoute from this, the `routeNamePrefix` value in the `settings.yml` file for the resource `ad` is added to the route to complete a unique name. The result is shown in the following example: |
There was a problem hiding this comment.
This is true only for extensions. For plugins, developers will have to declare the permission names.
There was a problem hiding this comment.
@DarshitChanpura (1) What exact part of "this" is true for creating a permission name for extensions? Is it this whole piece: "... the routeNamePrefix value in the settings.yml file for the resource ad is added to the route to complete a unique name."?
(2) Is there any guidance for declaring a permission name for plugins? Are there required elements in the name like that for a permission name for an extension? Or do you just invent anything you want?
There was a problem hiding this comment.
Apologies for confusion. By "this" I mean the routeNamePrefix is a setting only configured in extension. This setting doesn't exist in plugins.
There is no guidance as of now in defining permissions. But we can make a suggestion to have it something like: <plugin/extension-name>:<route> (i.e. ad:detectors/get)
Let me know if this helps.
There was a problem hiding this comment.
@DarshitChanpura Thanks for the clarification. I've adjusted that wording to include current understanding for extensions and plugins. I've also addressed the other two comments/suggestions. I think this should be ready for documentation team review when 2.11 comes along. I'll comment that it's on hold for that. And if there are any changes between now and then, we can always revise the current draft before the release.
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
cwillum
added
6 - Done but waiting to merge
|
The work is essentially done for this PR. I considered adding the status tag "Done but waiting to merge". But it will need documentation team review and editorial review before merging for 2.11. I'm leaving it alone for now in case the Security team wants any additional changes before then. |
cwillum
added
4 - Doc Review
|
Stepping this up to doc review. |
Signed-off-by: cwillum <cwmmoore@amazon.com>
|
|
||
| For users that work with REST layer authorization, the methods of assigning roles and mapping users and roles, and the general usage of plugins and extensions, remain the same: the only additional requirement being that users become familiar with a new scheme for permissions. | ||
|
|
||
| Developers, on the other hand, will need to understand the ideas behind `NamedRoute` and how the new route scheme is constructed. For detailed information, see [Authorization at REST Layer for plugins](https://github.com/opensearch-project/security/blob/main/REST_AUTHZ_FOR_PLUGINS.md). |
There was a problem hiding this comment.
It's probably worth noting that up to this point, we used "on" the REST layer as opposed to "at". We should probably be consistent throughout.
There was a problem hiding this comment.
RE: Authorization at REST Layer for plugins
Yeah, I can't do anything about the name of that resource. It's created by Security team developers. But point taken.
Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: Melissa Vagi <vagimeli@amazon.com>
…ject#4544) * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4381 authz on rest layer Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com>
Description
To support extensions, authorization of API actions can now be carried out on the REST layer, necessarily for extensions and optionally for new and existing plugins. This PR documents details surrounding the enhancement.
Issues Resolved
Fixes #4381
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.