[FEATURE][ODBC] Support SIGV4 along with Basic Auth #5

Open
joshuali925 opened this issue Jun 28, 2022 · 8 comments
Labels
enhancement New feature or request

Comments

@joshuali925
Member

Is your feature request related to a problem?
Currently there are three auth types in ODBC driver: basic, sigv4, none.
Users can provide their FGAC credentials (username and password) using basic auth, and sigv4 will read opensearchodbc aws profile which contains IAM credentials.

There is a domain that uses both types of authentication. opensearch.log shows 401 authn error for basic and none auth types, and 403 authz error for sigv4 auth type. Looks like sigv4 got past the AWS validation, but since there were no username and password sent, it did not go through the FGAC validation.

Feel free to edit/comment if the above assumption is wrong.

What solution would you like?
Provide an option in the ODBC driver to allow users to use their AWS credentials with basic auth (username and password).

What alternatives have you considered?
A clear and concise description of any alternative solutions or features you've considered.

Do you have any additional context?
Add any other context or screenshots about the feature request here.

@joshuali925 joshuali925 added the enhancement New feature or request label Jun 28, 2022
@acarbonetto
Collaborator

Related bug: #20

@MaxKsyunz
Collaborator

@joshuali925 do JDBC driver or other clients support using both SIGv4 and FGAC at the same time?

@joshuali925
Member Author

@MaxKsyunz I don't think so; according to its readme, auth can only be one of NONE, BASIC, AWS_SIGV4.

@MaxKsyunz
Collaborator

MaxKsyunz commented Jun 29, 2022

@joshuali925 do you think there's value in supporting this scenario across more clients?
cc @CEHENKLE

@joshuali925
Member Author

@MaxKsyunz I'm assuming that for a cluster that uses IAM and FGAC, clients need to get both pieces of information from the user in order to connect. If this is true, then I think yes, because otherwise the clients using either SIGV4 or FGAC won't be able to connect to the cluster.

@MaxKsyunz
Collaborator

@joshuali925 I'd like to understand this use case better. Here's what I got so far:

  1. There is a domain with a resource-based access policy that uses a particular IAM.
  2. There is an OpenSearch cluster with several roles set up.

Is the problem that

  1. the security plugin is not aware of the SIGv4 key and cannot map it the IAM to a particular role, or
  2. there's a need to use IAM to authenticate application's access to the domain and another authority to authenticate end-users of the application?

@joshuali925
Member Author

@MaxKsyunz The use case is that there is a domain which needs both AWS credentials and username and password to access, and we cannot use ODBC to connect to it.

For the problem, I'm also not sure. I put my assumptions in the description, but I felt my understanding of how auth works in this case is probably not accurate.

@acarbonetto
Collaborator

@MaxKsyunz doesn't look like all clients support SIGv4 yet. opensearch-project/opensearch-clients#22

@dai-chen dai-chen transferred this issue from opensearch-project/sql Dec 14, 2022