[Backport 2.x] Service accounts and on-behalf-of authentication in 2.x #11052

Merged

RyanL1997 commented Nov 1, 2023

Implement on behalf of token passing for extensions

Description

This is a manual backport of the feature Service Accounts and On-behalf-of Authentication for the security plugin.

Related Issues

PRs

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>

github-actions bot commented Nov 1, 2023

Gradle Check (Jenkins) Run Completed with:


github-actions bot commented Nov 1, 2023

Compatibility status:

Checks if related components are compatible with change 64504cb

Incompatible components

Incompatible components: [https://github.com/opensearch-project/performance-analyzer.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/neural-search.git]

Signed-off-by: Ryan Liang <jiallian@amazon.com>

github-actions bot commented Nov 1, 2023

Gradle Check (Jenkins) Run Completed with:


codecov bot commented Nov 1, 2023

Codecov Report

Merging #11052 (64504cb) into 2.x (e297b21) will increase coverage by 0.11%.
Report is 1 commits behind head on 2.x.
The diff coverage is 74.50%.

@@             Coverage Diff              @@
##                2.x   #11052      +/-   ##
============================================
+ Coverage     70.86%   70.97%   +0.11%     
- Complexity    58864    58876      +12     
============================================
  Files          4850     4851       +1     
  Lines        277900   277932      +32     
  Branches      40735    40736       +1     
============================================
+ Hits         196937   197272     +335     
+ Misses        64238    63881     -357     
- Partials      16725    16779      +54     
Files Coverage Δ
...g/opensearch/identity/shiro/ShiroTokenManager.java 93.33% <100.00%> (+28.21%) ⬆️
...a/org/opensearch/extensions/ExtensionsManager.java 52.14% <100.00%> (+1.20%) ⬆️
...g/opensearch/extensions/NoopExtensionsManager.java 42.85% <100.00%> (ø)
...rch/extensions/rest/RestActionsRequestHandler.java 100.00% <100.00%> (ø)
...org/opensearch/identity/noop/NoopTokenManager.java 100.00% <100.00%> (+33.33%) ⬆️
...rg/opensearch/identity/tokens/BearerAuthToken.java 100.00% <100.00%> (ø)
...g/opensearch/identity/tokens/OnBehalfOfClaims.java 87.50% <87.50%> (ø)
server/src/main/java/org/opensearch/node/Node.java 85.22% <0.00%> (ø)
...ensearch/extensions/rest/ExtensionRestRequest.java 71.59% <33.33%> (-1.67%) ⬇️
...org/opensearch/identity/tokens/BasicAuthToken.java 80.00% <60.00%> (-7.50%) ⬇️
... and 2 more

... and 471 files with indirect coverage changes

stephen-crawford and others added 2 commits November 1, 2023 14:51
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>

github-actions bot commented Nov 1, 2023

Gradle Check (Jenkins) Run Completed with:


github-actions bot commented Nov 1, 2023

Gradle Check (Jenkins) Run Completed with:


github-actions bot commented Nov 2, 2023

Gradle Check (Jenkins) Run Completed with:

Signed-off-by: Ryan Liang <jiallian@amazon.com>
RyanL1997 force-pushed the tokenmanager-backport-2x branch from 354de07 to 64504cb on November 2, 2023 02:21

github-actions bot commented Nov 2, 2023

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.search.SearchWeightedRoutingIT.testMultiGetWithNetworkDisruption_FailOpenEnabled

peternied merged commit f1df1cd into opensearch-project:2.x on Nov 2, 2023
16 checks passed