-
Notifications
You must be signed in to change notification settings - Fork 276
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[META] On-Behalf-Of Authentication #2573
Comments
Another useful snippet for this is: PrivilegesEvaluator#L198-L210
This is the information currently read in by common-utils and parsed into the common-utils User object inside of plugins. |
union
union
There is also a concept of This function inside of ConfigModel[V6|V7] is where the mapping takes place: ConfigModelV7#L1206-L1269 Edit: Just figured out the concept of |
@peternied For on-behalf-of tokens its important that the roles in the token refer to the mapped roles of the user which corresponds to the same mappedRoles in the PrivilegesEvaluator here. The mapped roles are ultimately what is used to evaluate privileges and in order to accurately compute the mapped roles the IP Address of the called is required which would only be available in the node that receives the REST Request and issues an on-behalf-of token. For the Create Token endpoint the handler for the endpoint should likewise call As we were scoping out work for extensions we identified that many plugins rely on backend roles and one way of communicating backend roles to an extension is through a claim in the token. While it may not be necessarily required to have backend_roles as a claim in an on-behalf-of token, if they are to be used for extensions then that is the chosen mechanism for communicating that data to an extension. |
Created an issue to track the work to add backend roles to the Create obo token endpoint: #2865 I included the change in this branch: https://github.com/RyanL1997/security/compare/add-oboauthcbackend-registry...cwperks:security:add-oboauthcbackend-registry-security-roles?expand=1 |
Description
When security is installed, extensions will need an auth token in order to interact with the OpenSearch cluster. This auth token will be in the form of a JWT. Extensions are a replacement for plugins, so any information from a user that plugins utilize today should be contained as a claim in the JWT sent to an extension.
Example header + payload:
Useful reference class to see how JWTs are generated within the security plugin on successful SAML authentication: https://github.com/opensearch-project/security/blob/main/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java
For the initial extensions design, these tokens will allow the extension to interact with the OpenSearch cluster using the same privileges as the initiating user.
For the initial implementation, the JWTs can be signed with an HMAC 512 hash by default. If any encryption is performed, then the extension will require a mechanism for decrypting the JWE to view the payload of the JWT. The signing key should be configured in the security configuration. Maybe in the
config.dynamic
portion ofconfig.yml
?Design
Implementation
Integration
extensions/extensions.yml
setting to enable backward compatible plugin mode for extensions #2616Release Criteria
Follow-up
The text was updated successfully, but these errors were encountered: