-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove the authenticate token method from TokenManager and from the Subject interface #10614
Remove the authenticate token method from TokenManager and from the Subject interface #10614
Conversation
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Compatibility status:Checks if related components are compatible with change 218824e Incompatible componentsIncompatible components: [https://github.com/opensearch-project/ml-commons.git] Skipped componentsCompatible componentsCompatible components: [https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git] |
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
server/src/main/java/org/opensearch/plugins/IdentityPlugin.java
Outdated
Show resolved
Hide resolved
3bfd7df
to
5132a52
Compare
Gradle Check (Jenkins) Run Completed with:
|
90c3f95
to
5132a52
Compare
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Codecov Report
@@ Coverage Diff @@
## main #10614 +/- ##
============================================
+ Coverage 71.03% 71.16% +0.12%
- Complexity 58414 58520 +106
============================================
Files 4853 4853
Lines 275670 275663 -7
Branches 40118 40116 -2
============================================
+ Hits 195831 196183 +352
+ Misses 63455 63090 -365
- Partials 16384 16390 +6
|
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-10614-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e8ba35cff433b3dc0d821d04326b2bf261beab06
# Push it to GitHub
git push --set-upstream origin backport/backport-10614-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x Then, create a pull request where the |
…nsearch-project#10614) Remove the authenticate token method from TokenManager interface Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Siddhant Deshmukh <deshsid@amazon.com>
…nsearch-project#10614) Remove the authenticate token method from TokenManager interface Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
…nsearch-project#10614) Remove the authenticate token method from TokenManager interface Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
#11052) * Implement on behalf of token passing for extensions (#8679) * Provide service accounts tokens to extensions (#9618) This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index. * Cherry pick #10614 and #10664 Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Ryan Liang <jiallian@amazon.com> Signed-off-by: Peter Nied <petern@amazon.com> Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Co-authored-by: Peter Nied <peternied@hotmail.com> Co-authored-by: Owais Kazi <owaiskazi19@gmail.com> Co-authored-by: Peter Nied <petern@amazon.com>
…nsearch-project#10614) Remove the authenticate token method from TokenManager interface Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Description
This change removes the unused
authenticateToken
method from theTokenManager
interface and theSubject
interface used in theIdentityPlugin
. This is being removed because it is both unused and adds an operational tax onto allIdentityPlugin
implementations. It then adds anauthenticateToken(Subject subject, AuthToken token)
method into the IdentityPlugin interface.Instead of expecting the TokenManager and Subject implementations to provide an authentication method, we should instead require proper handling of auth tokens by anything making use of the tokens the manager provides. For example, instead of offering
TokenManager.authenticateToken(a_bearer_auth_token)
we should expect that the service making use of the bearer token sends the request with the proper header and that the standard auth backend handling is able to then serve this request.With these changes we can support both of these conditions since the IdentityPlugin is now responsible for attempting to authenticate a Subject using an authorization token.
Check List
New functionality includes testing.All tests passCommit changes are listed out in CHANGELOG.md file (See: Changelog)Public documentation issue/PR createdBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.