Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove the authenticate token method from TokenManager and from the Subject interface #10614

Conversation

stephen-crawford
Copy link
Contributor

@stephen-crawford stephen-crawford commented Oct 13, 2023

Description

This change removes the unused authenticateToken method from the TokenManager interface and the Subject interface used in the IdentityPlugin. This is being removed because it is both unused and adds an operational tax onto all IdentityPlugin implementations. It then adds an authenticateToken(Subject subject, AuthToken token) method into the IdentityPlugin interface.

Instead of expecting the TokenManager and Subject implementations to provide an authentication method, we should instead require proper handling of auth tokens by anything making use of the tokens the manager provides. For example, instead of offering TokenManager.authenticateToken(a_bearer_auth_token) we should expect that the service making use of the bearer token sends the request with the proper header and that the standard auth backend handling is able to then serve this request.

With these changes we can support both of these conditions since the IdentityPlugin is now responsible for attempting to authenticate a Subject using an authorization token.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford stephen-crawford changed the title [SKIP CHANGELOG] Remove the authenticate token method from TokenManager [SKIP CHANGELOG] Remove the authenticate token method from TokenManager and from the Subject interface Oct 13, 2023
@github-actions
Copy link
Contributor

github-actions bot commented Oct 13, 2023

Compatibility status:

Checks if related components are compatible with change 218824e

Incompatible components

Incompatible components: [https://github.com/opensearch-project/ml-commons.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git]

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford stephen-crawford force-pushed the removeAuthenticateTokenMethod branch from 3bfd7df to 5132a52 Compare October 13, 2023 20:09
@stephen-crawford stephen-crawford changed the title Remove the authenticate token method from TokenManager and from the Subject interface [SKIP CHANGELOG] Remove the authenticate token method from TokenManager and from the Subject interface Oct 13, 2023
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

stephen-crawford and others added 2 commits October 16, 2023 12:50
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.snapshots.DedicatedClusterSnapshotRestoreIT.testIndexDeletionDuringSnapshotCreationInQueue

@codecov
Copy link

codecov bot commented Oct 16, 2023

Codecov Report

Merging #10614 (218824e) into main (dd63559) will increase coverage by 0.12%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##               main   #10614      +/-   ##
============================================
+ Coverage     71.03%   71.16%   +0.12%     
- Complexity    58414    58520     +106     
============================================
  Files          4853     4853              
  Lines        275670   275663       -7     
  Branches      40118    40116       -2     
============================================
+ Hits         195831   196183     +352     
+ Misses        63455    63090     -365     
- Partials      16384    16390       +6     
Files Coverage Δ
...g/opensearch/identity/shiro/ShiroTokenManager.java 93.33% <ø> (+9.01%) ⬆️
...org/opensearch/identity/noop/NoopTokenManager.java 100.00% <ø> (+14.28%) ⬆️

... and 443 files with indirect coverage changes

@stephen-crawford stephen-crawford changed the title [SKIP CHANGELOG] Remove the authenticate token method from TokenManager and from the Subject interface Remove the authenticate token method from TokenManager and from the Subject interface Oct 16, 2023
@peternied peternied merged commit e8ba35c into opensearch-project:main Oct 16, 2023
20 of 21 checks passed
@peternied peternied deleted the removeAuthenticateTokenMethod branch October 16, 2023 21:15
@peternied peternied added the backport 2.x Backport to 2.x branch label Oct 16, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-10614-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e8ba35cff433b3dc0d821d04326b2bf261beab06
# Push it to GitHub
git push --set-upstream origin backport/backport-10614-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-10614-to-2.x.

deshsidd pushed a commit to deshsidd/OpenSearch that referenced this pull request Oct 19, 2023
…nsearch-project#10614)

Remove the authenticate token method from TokenManager interface

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Siddhant Deshmukh <deshsid@amazon.com>
austintlee pushed a commit to austintlee/OpenSearch that referenced this pull request Oct 23, 2023
…nsearch-project#10614)

Remove the authenticate token method from TokenManager interface

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
RyanL1997 pushed a commit to RyanL1997/OpenSearch that referenced this pull request Nov 1, 2023
…nsearch-project#10614)

Remove the authenticate token method from TokenManager interface

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
peternied added a commit that referenced this pull request Nov 2, 2023
#11052)

* Implement on behalf of token passing for extensions (#8679)

* Provide service accounts tokens to extensions (#9618)

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

* Cherry pick #10614 and #10664

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
…nsearch-project#10614)

Remove the authenticate token method from TokenManager interface

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants