[META] On-Behalf-Of Authentication #2573

Closed
32 of 35 tasks
RyanL1997 opened this issue Mar 21, 2023 · 4 comments
Assignees
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@RyanL1997
Collaborator

RyanL1997 commented Mar 21, 2023

Description

When security is installed, extensions will need an auth token in order to interact with the OpenSearch cluster. This auth token will be in the form of a JWT. Extensions are a replacement for plugins, so any information from a user that plugins utilize today should be contained as a claim in the JWT sent to an extension.

Example header + payload:

Header:
{"alg":"HS512"}

Payload:
{
  "iss": "<cluster_name>",
  "iat": 1676908684,
  "exp": 1676908744,
  "sub": "<principal_identifier_token>",
  "er": "<encrypted_mapped_roles>",   # r for roles
  "br": "<encrypted_backend_roles>",  # br for backend_roles
  "aud": "extension/{extensionUniqueId}"
}

Useful reference class to see how JWTs are generated within the security plugin on successful SAML authentication: https://github.com/opensearch-project/security/blob/main/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java

For the initial extensions design, these tokens will allow the extension to interact with the OpenSearch cluster using the same privileges as the initiating user.

For the initial implementation, the JWTs can be signed with an HMAC 512 hash by default. If any encryption is performed, then the extension will require a mechanism for decrypting the JWE to view the payload of the JWT. The signing key should be configured in the security configuration. Maybe in the config.dynamic portion of config.yml?

Design

Implementation

Integration

Release Criteria

Follow-up

@RyanL1997 RyanL1997 converted this from a draft issue Mar 21, 2023
@RyanL1997 RyanL1997 self-assigned this Mar 21, 2023
@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Mar 21, 2023
@RyanL1997 RyanL1997 changed the title Generate an auth token for an Extension Request [META] Generate an auth token for an Extension Request Mar 21, 2023
@cwperks
Member

cwperks commented Mar 21, 2023

Another useful snippet for this is: PrivilegesEvaluator#L198-L210

private void setUserInfoInThreadContext(User user, Set<String> mappedRoles) {
    if (threadContext.getTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT) == null) {
        StringJoiner joiner = new StringJoiner("|");
        joiner.add(user.getName());
        joiner.add(String.join(",", user.getRoles()));
        joiner.add(String.join(",", Sets.union(user.getSecurityRoles(), mappedRoles)));
        String requestedTenant = user.getRequestedTenant();
        if (!Strings.isNullOrEmpty(requestedTenant)) {
            joiner.add(requestedTenant);
        }
        threadContext.putTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT, joiner.toString());
    }
}

This is the information currently read in by common-utils and parsed into the common-utils User object inside of plugins.

@cwperks
Member

cwperks commented Mar 21, 2023

mappedRoles are the union of:

  1. Direct role mappings of a user to an OpenSearch role
  2. Backend role resolution - Backend roles resolve to OpenSearch roles via roles_mapping, and mapRoles is where the resolution takes place
  3. Host resolution - There is a feature in roles_mappings to map requests originating from IP addresses/hostnames to OpenSearch roles

There is also a concept of and_Backend_Roles whose usage I am currently unsure of.

This function inside of ConfigModel[V6|V7] is where the mapping takes place: ConfigModelV7#L1206-L1269

Edit: Just figured out the concept of and_backend_roles. The user must have all of the backend roles in that list to be mapped to the roles. Note: This could be used in conjunction with backend_roles, but the lists should not be overlapping at all.

@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Mar 27, 2023
@peternied peternied changed the title [META] Generate an auth token for an Extension Request [META] Generate OnBehalfOf tokens for an Extension Request Jun 8, 2023
@cwperks
Member

cwperks commented Jun 15, 2023

@peternied For on-behalf-of tokens it's important that the roles in the token refer to the mapped roles of the user, which corresponds to the same mappedRoles in the PrivilegesEvaluator here. The mapped roles are ultimately what is used to evaluate privileges, and in order to accurately compute the mapped roles the IP address of the caller is required, which would only be available in the node that receives the REST request and issues an on-behalf-of token.

For the Create Token endpoint the handler for the endpoint should likewise call mapRoles so that it has access to the correct caller's information when computing the mapped roles to embed in the token.

As we were scoping out work for extensions we identified that many plugins rely on backend roles and one way of communicating backend roles to an extension is through a claim in the token. While it may not be necessarily required to have backend_roles as a claim in an on-behalf-of token, if they are to be used for extensions then that is the chosen mechanism for communicating that data to an extension.

@cwperks
Member

cwperks commented Jun 15, 2023

Created an issue to track the work to add backend roles to the Create obo token endpoint: #2865

I included the change in this branch: https://github.com/RyanL1997/security/compare/add-oboauthcbackend-registry...cwperks:security:add-oboauthcbackend-registry-security-roles?expand=1

Projects
Status: 2.12.0 (Launched)
Status: Done