-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encrypt/Decrypt template credentials #197
Conversation
Signed-off-by: Joshua Palis <[email protected]>
…itions to workflow step json Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
…RemoteModelStep and RegisterLocalModelStep Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
…credential Signed-off-by: Joshua Palis <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First pass. Looks great, but I think way too much of "encryption utils" are publicly accessible if not needed.
The methods dealing with master key index in two different classes should probably be refactored to be in the same class.
src/test/java/org/opensearch/flowframework/common/EncryptorUtilsTests.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good. Most of comments are related to logging here.
src/main/java/org/opensearch/flowframework/indices/FlowFrameworkIndicesHandler.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/transport/CreateWorkflowTransportAction.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/transport/CreateWorkflowTransportAction.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/indices/FlowFrameworkIndicesHandler.java
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/common/CommonValue.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/indices/FlowFrameworkIndicesHandler.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/transport/CreateWorkflowTransportAction.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/flowframework/util/EncryptorUtils.java
Outdated
Show resolved
Hide resolved
…es error messages as well. Added create time field to config index, ensured that updates are also encrypted Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Signed-off-by: Joshua Palis <[email protected]>
Signed-off-by: Joshua Palis <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks for adding this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM2!
* added RegisterRemoteModelStep and tests Signed-off-by: Joshua Palis <[email protected]> * Adding RegisterLocalModelStep, fixing tests, adding input/ouput definitions to workflow step json Signed-off-by: Joshua Palis <[email protected]> * Fixing javadoc warnings, fixing log message Signed-off-by: Joshua Palis <[email protected]> * Addressing PR comments,making description field optional for RegisterRemoteModelStep and RegisterLocalModelStep Signed-off-by: Joshua Palis <[email protected]> * moving modelConfig builder before adding allConfig Signed-off-by: Joshua Palis <[email protected]> * initial implementation Signed-off-by: Joshua Palis <[email protected]> * Fixing create workflow transport action Signed-off-by: Joshua Palis <[email protected]> * Removing duplicate register_remote_model validator Signed-off-by: Joshua Palis <[email protected]> * Adding bouncy castle dependency to resolve encryption issue Signed-off-by: Joshua Palis <[email protected]> * Fixing CreateWorkflowTransportActionTests Signed-off-by: Joshua Palis <[email protected]> * Adding initial unit tests for encryptor utils Signed-off-by: Joshua Palis <[email protected]> * Implemented encryption/decryption for workflow node user inputs with credential Signed-off-by: Joshua Palis <[email protected]> * Addressing PR comments Signed-off-by: Joshua Palis <[email protected]> * Suppressing unchecked warning, making credential strings constants Signed-off-by: Joshua Palis <[email protected]> * Removing setMasterKey from initializeMasterKey method Signed-off-by: Joshua Palis <[email protected]> * Adding final template encryption decryption test Signed-off-by: Joshua Palis <[email protected]> * Addressing PR comments, changing master key index name to config, fixes error messages as well. Added create time field to config index, ensured that updates are also encrypted Signed-off-by: Joshua Palis <[email protected]> * Added TODO Signed-off-by: Joshua Palis <[email protected]> * changing getMasterKeyIndexMapping method name Signed-off-by: Joshua Palis <[email protected]> * Removing unnecessary aws sdk dependency Signed-off-by: Joshua Palis <[email protected]> --------- Signed-off-by: Joshua Palis <[email protected]> (cherry picked from commit 772fbbd) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* added RegisterRemoteModelStep and tests Signed-off-by: Joshua Palis <[email protected]> * Adding RegisterLocalModelStep, fixing tests, adding input/ouput definitions to workflow step json Signed-off-by: Joshua Palis <[email protected]> * Fixing javadoc warnings, fixing log message Signed-off-by: Joshua Palis <[email protected]> * Addressing PR comments,making description field optional for RegisterRemoteModelStep and RegisterLocalModelStep Signed-off-by: Joshua Palis <[email protected]> * moving modelConfig builder before adding allConfig Signed-off-by: Joshua Palis <[email protected]> * initial implementation Signed-off-by: Joshua Palis <[email protected]> * Fixing create workflow transport action Signed-off-by: Joshua Palis <[email protected]> * Removing duplicate register_remote_model validator Signed-off-by: Joshua Palis <[email protected]> * Adding bouncy castle dependency to resolve encryption issue Signed-off-by: Joshua Palis <[email protected]> * Fixing CreateWorkflowTransportActionTests Signed-off-by: Joshua Palis <[email protected]> * Adding initial unit tests for encryptor utils Signed-off-by: Joshua Palis <[email protected]> * Implemented encryption/decryption for workflow node user inputs with credential Signed-off-by: Joshua Palis <[email protected]> * Addressing PR comments Signed-off-by: Joshua Palis <[email protected]> * Suppressing unchecked warning, making credential strings constants Signed-off-by: Joshua Palis <[email protected]> * Removing setMasterKey from initializeMasterKey method Signed-off-by: Joshua Palis <[email protected]> * Adding final template encryption decryption test Signed-off-by: Joshua Palis <[email protected]> * Addressing PR comments, changing master key index name to config, fixes error messages as well. Added create time field to config index, ensured that updates are also encrypted Signed-off-by: Joshua Palis <[email protected]> * Added TODO Signed-off-by: Joshua Palis <[email protected]> * changing getMasterKeyIndexMapping method name Signed-off-by: Joshua Palis <[email protected]> * Removing unnecessary aws sdk dependency Signed-off-by: Joshua Palis <[email protected]> --------- Signed-off-by: Joshua Palis <[email protected]> (cherry picked from commit 772fbbd) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Encrypt/Decrypt template credentials (#197) * added RegisterRemoteModelStep and tests * Adding RegisterLocalModelStep, fixing tests, adding input/ouput definitions to workflow step json * Fixing javadoc warnings, fixing log message * Addressing PR comments,making description field optional for RegisterRemoteModelStep and RegisterLocalModelStep * moving modelConfig builder before adding allConfig * initial implementation * Fixing create workflow transport action * Removing duplicate register_remote_model validator * Adding bouncy castle dependency to resolve encryption issue * Fixing CreateWorkflowTransportActionTests * Adding initial unit tests for encryptor utils * Implemented encryption/decryption for workflow node user inputs with credential * Addressing PR comments * Suppressing unchecked warning, making credential strings constants * Removing setMasterKey from initializeMasterKey method * Adding final template encryption decryption test * Addressing PR comments, changing master key index name to config, fixes error messages as well. Added create time field to config index, ensured that updates are also encrypted * Added TODO * changing getMasterKeyIndexMapping method name * Removing unnecessary aws sdk dependency --------- (cherry picked from commit 772fbbd) Signed-off-by: Joshua Palis <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…ls (#217) Encrypt/Decrypt template credentials (#197) * added RegisterRemoteModelStep and tests * Adding RegisterLocalModelStep, fixing tests, adding input/ouput definitions to workflow step json * Fixing javadoc warnings, fixing log message * Addressing PR comments,making description field optional for RegisterRemoteModelStep and RegisterLocalModelStep * moving modelConfig builder before adding allConfig * initial implementation * Fixing create workflow transport action * Removing duplicate register_remote_model validator * Adding bouncy castle dependency to resolve encryption issue * Fixing CreateWorkflowTransportActionTests * Adding initial unit tests for encryptor utils * Implemented encryption/decryption for workflow node user inputs with credential * Addressing PR comments * Suppressing unchecked warning, making credential strings constants * Removing setMasterKey from initializeMasterKey method * Adding final template encryption decryption test * Addressing PR comments, changing master key index name to config, fixes error messages as well. Added create time field to config index, ensured that updates are also encrypted * Added TODO * changing getMasterKeyIndexMapping method name * Removing unnecessary aws sdk dependency --------- (cherry picked from commit 772fbbd) Signed-off-by: Joshua Palis <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
This PR achieves multiple things:
.plugins-flow-framework-config
which is instantiated during the initialcreate workflow
requestcredential
prior to indexing into the.plugin-ai-global-context
and decryption when reading the template from the index for use in provisioning.Using the following use case template (note the
12345
credential for creating a connector)Prior to indexing into the
.plugin-ai-global-context
, we iterate through the template workflow node user inputs and look for thecredential
field, encrypting all the fields here :When provisioning, we read the template from the system index, decrypt the template, and then provision.
Logs show the provisioning process completed successfully, with template credentials reading the original value
12345
Issues Resolved
#75
Part of issue #88
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.