Skip to content

Use auth tokens passed from core and introduce extension and user REST clients#892

Draft
cwperks wants to merge 8 commits intoopensearch-project:mainfrom
cwperks:service-account-token
Draft

Use auth tokens passed from core and introduce extension and user REST clients#892
cwperks wants to merge 8 commits intoopensearch-project:mainfrom
cwperks:service-account-token

Conversation

@cwperks
Copy link
Member

@cwperks cwperks commented Jul 21, 2023

Description

Companion example PR for integ testing in security: cwperks/security#6
Companion example PR for integ testing in core: cwperks/OpenSearch#94

This PR introduces an extensionRestClient and userRestClient that an extension developer can utilize to make REST Requests with Auth Tokens back to an OpenSearch Cluster.

  • The extensionRestClient is part of the extensionsRunner and is available extension-wide. This REST Client uses a Service Account Token to make requests to an OpenSearch cluster on an extension's own behalf. A common example of an extension making requests to OpenSearch on its own behalf is when interacting with a system index that the extension has reserved.

  • The userRestClient is instantiated in handleRequest of BaseExtensionRestHandler and is available to use in all extension REST Handlers. This REST client is utilized to make requests back to opensearch on behalf of the original authenticated user utilizing an On-Behalf-Of token. The On-Behalf-Of token is a short lived access token (JWT) that includes an audience claim that is populated with the destination extension's unique ID. The On-Behalf-Of token lets an extension act as the original user. @peternied is also working on mechanisms for cluster admins to impose further restrictions on these tokens. Details can be found here

The last thing this PR introduces is another security setting to be placed in the extension's settings file: ssl.http.enabled

This setting is used to determine the scheme (http or https) of the REST Client. This is a boolean setting.

Issues Resolved

#887

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

cwperks added 5 commits July 14, 2023 16:59
@cwperks
Proof of concept of extension reserved indices
12a74d2 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Merge branch 'main' into service-account-token
5c9dfc8
@cwperks
Handle obo token
ab837b6 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
WIP on user and extension client in the SDK
3f2ee2a 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Use auth tokens passed frmo core and introduce extension and user RES…
27f0100 
…T clients

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks mentioned this pull request Aug 14, 2023
Closed
4 tasks
peternied
peternied reviewed Aug 16, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Took a quick look - thanks for getting this setup, seems decent to me. Maybe there are a couple of things that could be cleaned up by influencing https://github.com/opensearch-project/OpenSearch/pull/8526/files

src/main/java/org/opensearch/sdk/handlers/ExtensionsRestRequestHandler.java
);
}

String oboToken = request.getRequestIssuerIdentity();
Copy link
Member

@peternied peternied Aug 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like this should be called an onBehalfOfToken both here and on the request object?

What do you think about making the type Optional<> ?

Copy link
Member Author

@cwperks cwperks Aug 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. I think this needs to be updated in core. I can create a PR for that.

@peternied peternied mentioned this pull request Aug 16, 2023
Closed
35 tasks
cwperks added 2 commits August 18, 2023 11:37
@cwperks
Merge branch 'main' into service-account-token
fd519eb
@cwperks
Update ActionListener
19fff3e 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks mentioned this pull request Aug 31, 2023
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshpalis joshpalis Awaiting requested review from joshpalis joshpalis will be requested when the pull request is marked ready for review joshpalis is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 will be requested when the pull request is marked ready for review owaiskazi19 is a code owner

@ryanbogan ryanbogan Awaiting requested review from ryanbogan ryanbogan will be requested when the pull request is marked ready for review ryanbogan is a code owner

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli will be requested when the pull request is marked ready for review saratvemulapalli is a code owner

@dbwiddis dbwiddis Awaiting requested review from dbwiddis dbwiddis will be requested when the pull request is marked ready for review dbwiddis is a code owner

1 more reviewer

@peternied peternied peternied left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

backport 1.x repeat-contributor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cwperks @peternied