Use auth tokens passed from core and introduce extension and user REST clients #892

Draft. Wants to merge 8 commits into base: main.
Conversation

cwperks (Member) commented Jul 21, 2023

Description

Companion example PR for integ testing in security: cwperks/security#6
Companion example PR for integ testing in core: cwperks/OpenSearch#94

This PR introduces an extensionRestClient and userRestClient that an extension developer can utilize to make REST Requests with Auth Tokens back to an OpenSearch Cluster.

  • The extensionRestClient is part of the extensionsRunner and is available extension-wide. This REST Client uses a Service Account Token to make requests to an OpenSearch cluster on an extension's own behalf. A common example of an extension making requests to OpenSearch on its own behalf is when interacting with a system index that the extension has reserved.

  • The userRestClient is instantiated in handleRequest of BaseExtensionRestHandler and is available to use in all extension REST Handlers. This REST client is utilized to make requests back to OpenSearch on behalf of the original authenticated user utilizing an On-Behalf-Of token. The On-Behalf-Of token is a short-lived access token (JWT) that includes an audience claim that is populated with the destination extension's unique ID. The On-Behalf-Of token lets an extension act as the original user. @peternied is also working on mechanisms for cluster admins to impose further restrictions on these tokens. Details can be found here

The last thing this PR introduces is another security setting to be placed in the extension's settings file: ssl.http.enabled

This setting is used to determine the scheme (http or https) of the REST Client. This is a boolean setting.

Issues Resolved

#887

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Craig Perkins <cwperx@amazon.com>
…T clients

Signed-off-by: Craig Perkins <cwperx@amazon.com>
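The two clients and the audience check described in the PR description above, as an added example that is not part of this PR or of the opensearch-sdk-java code base (the SDK itself is Java; this is written in Python so it runs stand-alone). The token is minted locally with a constructed HMAC key only so the example runs offline: in the design described above it is core's security plugin that issues the On-Behalf-Of token, and an extension would not normally hold that key. `EXTENSION_ID`, the settings keys `extension.id`, `opensearch.host` and `opensearch.port`, and every function name are assumptions; `ssl.http.enabled` is the only setting taken from the page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real extension reads its unique ID from
# its settings and does not hold the security plugin's signing key.
EXTENSION_ID = "hello-world-extension"
SIGNING_KEY = b"constructed-example-key-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_obo_token(user, extension_id, key, ttl_seconds=300, now=None):
    """Mint a short-lived HS256 JWT whose aud is the destination extension's ID.

    Stand-in for what core's security plugin does; present only so the example
    runs offline.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "OpenSearch", "sub": user, "aud": extension_id,
              "iat": now, "exp": now + ttl_seconds}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url_encode(p) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_obo_token(token, expected_audience, key, now=None):
    """Accept only an unexpired, correctly signed token minted for *this* extension.

    The aud check is what stops a token issued to another extension from being
    replayed here; the exp check is what makes "short-lived" mean something.
    """
    now = int(time.time()) if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = segments
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to pick the algorithm
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("token was not issued for this extension")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired")
    return claims


def base_url(settings):
    """Scheme follows the ssl.http.enabled boolean from the extension's settings file."""
    scheme = "https" if settings.get("ssl.http.enabled", False) else "http"
    return f"{scheme}://{settings['opensearch.host']}:{settings['opensearch.port']}"


def build_request(settings, method, path, token):
    """Describe one REST call back to the cluster with the token as a bearer credential."""
    return {"method": method, "url": base_url(settings) + path,
            "headers": {"Authorization": "Bearer " + token}}


def extension_rest_request(settings, service_account_token, method, path):
    """extensionRestClient analogue: the extension acts on its own behalf,
    e.g. against a system index it has reserved."""
    return build_request(settings, method, path, service_account_token)


def user_rest_request(settings, obo_token, method, path, key, now=None):
    """userRestClient analogue: the extension acts as the original user.

    The token is checked before it is forwarded, so a misrouted or tampered
    token is refused here rather than discovered by the cluster later.
    """
    claims = verify_obo_token(obo_token, settings["extension.id"], key, now)
    request = build_request(settings, method, path, obo_token)
    request["acting_as"] = claims["sub"]
    return request


if __name__ == "__main__":
    settings = {"extension.id": EXTENSION_ID, "opensearch.host": "localhost",
                "opensearch.port": 9200, "ssl.http.enabled": True}
    token = mint_obo_token("alice", EXTENSION_ID, SIGNING_KEY)
    print(user_rest_request(settings, token, "GET", "/_cat/indices", SIGNING_KEY))
    misrouted = mint_obo_token("alice", "some-other-extension", SIGNING_KEY)
    try:
        user_rest_request(settings, misrouted, "GET", "/_cat/indices", SIGNING_KEY)
    except ValueError as err:
        print("refused:", err)
```

Two caveats worth keeping in mind with the real clients: an extension that does not hold the issuer's key can still decode the claims and refuse a token whose aud is not its own ID or whose exp has passed, but it must then treat the cluster's own verification as the authoritative one; and with `ssl.http.enabled: false` both the service account token and the On-Behalf-Of token travel as cleartext bearer headers, so that setting should only be false on a loopback or otherwise protected path.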
peternied (Member) left a comment
Took a quick look - thanks for getting this set up, seems decent to me. Maybe there are a couple of things that could be cleaned up by influencing https://github.com/opensearch-project/OpenSearch/pull/8526/files

src/main/java/org/opensearch/sdk/SDKClient.java (outdated, resolved)
@@ -68,11 +73,19 @@ public RestExecuteOnExtensionResponse handleRestExecuteOnExtensionRequest(Extens
);
}

String oboToken = request.getRequestIssuerIdentity();
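Review bot: `String oboToken = request.getRequestIssuerIdentity();` stores the value as a plain String with no visible null or blank check before the handler continues, yet a request can legitimately arrive without a user token (the extension's own service-account path, or an unauthenticated caller). Suggest failing closed at this point, e.g. `if (oboToken == null || oboToken.isBlank()) { /* no user context: reject or fall back explicitly */ }`, and keeping the value out of log statements, since it is a bearer credential. The name also does not match the accessor it comes from; `onBehalfOfToken` on both sides, as raised in the review, would make the intent clear.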
peternied (Member):
Seems like this should be called an onBehalfOfToken both here and on the request object?

What do you think about making the type Optional<> ?

cwperks (Member Author):
Agreed. I think this needs to be updated in core. I can create a PR for that.
