Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature/Identity] Identity use cases #5513

Merged
merged 1 commit into from
Jan 11, 2023

Conversation

peternied
Copy link
Member

Description

Adding details uses cases for identity, this is going to get long!

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@peternied peternied added skip-changelog Identity PR/Issues associated with Authentication or Authorization labels Dec 9, 2022
@peternied peternied requested a review from reta as a code owner December 9, 2022 23:18
@peternied peternied marked this pull request as draft December 9, 2022 23:18
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These initial scenarios look good. As a follow-up we an add tests that support/validate these scenarios. Great stuff hashing these out @peternied !


### Scenario 10:

`GET /identity/whoami` returns the username of the authenticated account
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we support this?. If so, for unauthenticated request, it should return 403, correct?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There should be some way of identifying who the current user is, and this is more/less what is already in OpenSearch. I think we can dive in on the behavior for other scenarios as well as additional use cases


### Scenario 8:

Admin user can create an account via `POST /identity/user/{username}`. The response includes an automatically generated password for this user.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

User should be able to edit their password. Should we add a scenario for password-recovery?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PUT /identity/user/{username}/password would work for any username if you had permission, would this cover your recovery scenario?

IDENTITY_USE_CASES.md Show resolved Hide resolved
IDENTITY_USE_CASES.md Show resolved Hide resolved

All REST API activity returns 403 without passing authentication information in the request

## Using Admin account
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want this to be the same level bold as the "Identity features enabled" and "Non-use compatibility" headers? Do you think it should be one level smaller to indicate that it is under the "Identity features enabled" group?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this works, but maybe it would make sense to have even more layers of depth. Would you want to re-write with an alternative layout? I'd be happy to accept a pull request

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that if you believe it is good as is, then it is just fine. I was more asking a question to see what you thought then expressing a major opinion one way or the other.

IDENTITY_USE_CASES.md Show resolved Hide resolved
IDENTITY_USE_CASES.md Show resolved Hide resolved
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

Copy link
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the new changes are beneficial for both the more precise wording and also consistency with the rest of OpenSearch documentation.

@peternied peternied marked this pull request as ready for review December 15, 2022 15:13
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this document be updated with authorization use-cases in a future iteration?

Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ty @peternied !

Copy link
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

Signed-off-by: Peter Nied <petern@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Identity PR/Issues associated with Authentication or Authorization skip-changelog
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants