[FEATURE] Handle the edge cases of On-behalf-of Authentication #2891

Closed
2 of 3 tasks
Tracked by #2573
RyanL1997 opened this issue Jun 22, 2023 · 5 comments
Labels
enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

RyanL1997 (Collaborator) commented Jun 22, 2023

Problem

Since the OBO Token can perform on behalf of another user, it is necessary for us to frame the usages of this token.

Goal for closing this issue

**Implemented functionalities**

  • OBO Token cannot be used to issue another OBO token
  • OBO Token cannot be used to change the passwords

Follow up work of refactoring

  • Transfer the checking logic into individual functions [2] (e.g. a util class?)

Reference

[1] : https://github.com/opensearch-project/security/pull/3179/files/b31555926c59aafe9a310d64918002b91d51c676#diff-0550f691677d70fb9da2b6d5baf7d342bc670e0618a8598a259117818cb66f86R230
[2] : #3179 (comment)

@RyanL1997 RyanL1997 added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jun 22, 2023
DarshitChanpura (Member) commented:

[Triage] Thanks for filing the issue.

@DarshitChanpura DarshitChanpura added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jun 26, 2023
peternied (Member) commented:

Capturing comment from the pull request, [comment]

I'm struggling to think what the correct criteria are for these restrictions. While the issue has called out the OBO token creation API, I think we should articulate the criteria for something to be acceptable vs. not acceptable first. Let's try to build consensus around this idea first before implementing restrictions so we can be consistent.

What if, instead of denying permissions to different API systems, we only let you create OBO tokens that expire at the latest when the current OBO token expires? This prevents the 'no expiration' in a more 'logical' way than the permissions denial.
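The two restrictions listed in the issue and the expiry cap suggested in the comment above, as an added example that is not the OpenSearch security plugin's own code; the route strings, the `Caller` record and its field names are assumptions:

```java
import java.time.Instant;
import java.util.Set;

/** Policy checks for requests authenticated with an on-behalf-of (OBO) token. */
public final class OboTokenPolicy {

    /** Minimal view of the caller's credential; field names are assumptions. */
    public record Caller(boolean viaOboToken, Instant tokenExpiry) {}

    /** Endpoints an OBO-authenticated caller may not invoke (assumed route strings). */
    private static final Set<String> BLOCKED_FOR_OBO = Set.of(
            "/_plugins/_security/api/generateonbehalfoftoken", // issue another OBO token
            "/_plugins/_security/api/account");                 // change own password

    /** Rules from the issue: deny the two endpoints when the caller used an OBO token. */
    public static boolean isAllowed(Caller caller, String path) {
        if (!caller.viaOboToken()) {
            return true; // restrictions apply only to OBO-authenticated requests
        }
        return !BLOCKED_FOR_OBO.contains(path);
    }

    /**
     * Alternative raised in the thread: if chaining were permitted, a child token could
     * never outlive its parent, so re-issuing cannot be used to obtain a non-expiring token.
     */
    public static Instant capChildExpiry(Caller caller, Instant requestedExpiry) {
        if (!caller.viaOboToken()) {
            return requestedExpiry;
        }
        Instant parentExpiry = caller.tokenExpiry();
        return requestedExpiry.isAfter(parentExpiry) ? parentExpiry : requestedExpiry;
    }

    public static void main(String[] args) {
        // Constructed sample callers: one holding an OBO token, one authenticated directly.
        Instant parentExpiry = Instant.parse("2023-06-22T12:00:00Z");
        Caller obo = new Caller(true, parentExpiry);
        Caller direct = new Caller(false, null);

        System.out.println(isAllowed(obo, "/_plugins/_security/api/account"));
        System.out.println(isAllowed(direct, "/_plugins/_security/api/account"));
        System.out.println(isAllowed(obo, "/_cat/indices"));

        Instant requested = Instant.parse("2023-06-23T12:00:00Z");
        System.out.println(capChildExpiry(obo, requested));
    }
}
```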

peternied (Member) commented:

This issue was closed without any finding or description of the expectations, reopening.

@peternied peternied reopened this Aug 24, 2023
@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Aug 24, 2023
RyanL1997 (Collaborator, Author) commented Aug 24, 2023

Transferring the conversation here (comment1, comment2).

Hi @peternied, I can re-edit the issue if we choose to refactor the logic into a public field. But still, I think, as we mentioned in the standup before, the main goal of this original issue was having the functionality of blocking these 2 endpoints, which has been implemented. But I agree that we can keep using this issue to capture the follow-up work.

@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Aug 28, 2023
peternied (Member) commented:

The work to create a util class isn't critical path; let's organically do this work or not.

Projects
Status: Done