-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use auth tokens passed from core and introduce extension and user REST clients #892
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
…T clients Signed-off-by: Craig Perkins <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Took a quick look - thanks for getting this setup, seems decent to me. Maybe there are a couple of things that could be cleaned up by influencing https://github.com/opensearch-project/OpenSearch/pull/8526/files
@@ -68,11 +73,19 @@ public RestExecuteOnExtensionResponse handleRestExecuteOnExtensionRequest(Extens | |||
); | |||
} | |||
|
|||
String oboToken = request.getRequestIssuerIdentity(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like this should be called an onBehalfOfToken both here and on the request object?
What do you think about making the type Optional<>
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. I think this needs to be updated in core. I can create a PR for that.
Signed-off-by: Craig Perkins <[email protected]>
Description
Companion example PR for integ testing in security: cwperks/security#6
Companion example PR for integ testing in core: cwperks/OpenSearch#94
This PR introduces an
extensionRestClient
anduserRestClient
that an extension developer can utilize to make REST Requests with Auth Tokens back to an OpenSearch Cluster.The
extensionRestClient
is part of theextensionsRunner
and is available extension-wide. This REST Client uses a Service Account Token to make requests to an OpenSearch cluster on an extension's own behalf. A common example of an extension making requests to OpenSearch on its own behalf is when interacting with a system index that the extension has reserved.The
userRestClient
is instantiated inhandleRequest
ofBaseExtensionRestHandler
and is available to use in all extension REST Handlers. This REST client is utilized to make requests back to opensearch on behalf of the original authenticated user utilizing an On-Behalf-Of token. The On-Behalf-Of token is a short lived access token (JWT) that includes an audience claim that is populated with the destination extension's unique ID. The On-Behalf-Of token lets an extension act as the original user. @peternied is also working on mechanisms for cluster admins to impose further restrictions on these tokens. Details can be found hereThe last thing this PR introduces is another security setting to be placed in the extension's settings file:
ssl.http.enabled
This setting is used to determine the scheme (
http
orhttps
) of the REST Client. This is a boolean setting.Issues Resolved
#887
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.