[Feature/Identity] Introduce Identity module #5583

Merged

Conversation

@cwperks cwperks commented Dec 15, 2022

Description

Opening a PR to solicit feedback for introduction of Identity module which includes an implementation of Basic Auth.

This PR introduces a new sandbox module, identity, that will use some of the existing extension points that the security plug-in does to authenticate REST requests and pass a token around on the header of the ThreadContext of a task that identifies the user and can subsequently be used for authorization.

This new identity module uses a few existing extension points from the ActionPlugin and the NetworkPlugin.

From the ActionPlugin this branch uses:

  • getRestHandlerWrapper to provide a wrapper that handles authentication. As of now, there is only a Basic auth mechanism that uses the internal IdP in this feature branch to authenticate the user and return a 403 if the request cannot be authenticated.
  • getActionFilters - This branch introduces an AuthorizationFilter that is intended to be used to perform authorization. This is mostly pass-through at the moment; right now it verifies that a token is present and valid before the TransportRequest performs its doExecute.

From the NetworkPlugin this uses:

  • getTransportInterceptors - The transport interceptor intercepts outgoing TransportRequests and can modify the request before it's sent to another node. When testing this branch, I ran into problems with how the TransportMessageListener intercepted outgoing requests, as the ThreadContext was not available to inspect to ensure that the node that received the RestRequest created a token before sending the transport request to other nodes. When running the test it's clear to see that other nodes received the created token, but the message listener is unable to get it because of how it's wrapped in an ActionListener in OutboundHandler:

```java
void sendRequest(...) throws IOException, TransportException {
    Version version = Version.min(this.version, channelVersion);
    // The ThreadContext is captured here, when the outbound message is built ...
    OutboundMessage.Request message = new OutboundMessage.Request(
        threadPool.getThreadContext(),
        features,
        request,
        version,
        action,
        requestId,
        isHandshake,
        compressRequest
    );
    // ... but the message listener only runs inside this wrapped callback, where it is not available.
    ActionListener<Void> listener = ActionListener.wrap(() -> messageListener.onRequestSent(node, requestId, action, request, options));
    sendMessage(channel, message, listener);
}
```

The transport interceptor has access to the ThreadContext and the tests will be updated to use the interceptor.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
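The flow the description lays out (REST wrapper authenticates Basic auth against the internal IdP and places a token on the thread context; the action filter checks the token before doExecute; the transport interceptor carries it to the next node), as an added illustration that is not part of this PR or of OpenSearch. The header name, the in-memory IdP, the UUID token and all class and method names are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added illustration, not OpenSearch code: a minimal model of the flow described in the PR.
// The header name, the IdP contents and the token format are assumptions for the demo.
public class IdentityFlowDemo {
    static final String TOKEN_HEADER = "_identity_token";             // assumed header name
    static final Map<String, String> IDP = Map.of("alice", "s3cret");  // constructed internal IdP
    static final Map<String, String> ISSUED = new HashMap<>();         // token -> authenticated user

    /** getRestHandlerWrapper step: Basic auth against the IdP; 200 sets the token, else 403. */
    static int authenticateRest(String authorization, Map<String, String> threadContext) {
        if (authorization == null || !authorization.startsWith("Basic ")) return 403;
        String[] cred;
        try { cred = new String(Base64.getDecoder().decode(authorization.substring(6)), StandardCharsets.UTF_8).split(":", 2); }
        catch (IllegalArgumentException e) { return 403; }            // malformed base64
        if (cred.length != 2) return 403;
        String expected = IDP.get(cred[0]);
        // compare in constant time; an unknown user still runs the comparison (against "")
        boolean match = MessageDigest.isEqual(bytes(expected == null ? "" : expected), bytes(cred[1]));
        if (expected == null || !match) return 403;
        String token = UUID.randomUUID().toString();                  // opaque per-request token
        ISSUED.put(token, cred[0]);
        threadContext.put(TOKEN_HEADER, token);
        return 200;
    }

    /** getActionFilters step: before doExecute, the token must be present and known. */
    static Optional<String> authorize(Map<String, String> threadContext) {
        return Optional.ofNullable(threadContext.get(TOKEN_HEADER)).map(ISSUED::get);
    }

    /** getTransportInterceptors step: copy only the identity header onto the outbound request. */
    static Map<String, String> outboundContext(Map<String, String> threadContext) {
        Map<String, String> out = new HashMap<>();
        if (threadContext.containsKey(TOKEN_HEADER)) out.put(TOKEN_HEADER, threadContext.get(TOKEN_HEADER));
        return out;
    }

    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        Map<String, String> ctx = new HashMap<>();
        String basic = "Basic " + Base64.getEncoder().encodeToString(bytes("alice:s3cret"));
        System.out.println("REST status: " + authenticateRest(basic, ctx));
        System.out.println("remote node sees: " + authorize(outboundContext(ctx)).orElse("<rejected>"));
        // An internally invoked action (not via REST) carries no token: the case the PR flags.
        System.out.println("internal action: " + authorize(new HashMap<>()).orElse("<rejected>"));
    }
}
```

The last call shows why the filter cannot yet terminate every request that lacks the header: an action that did not originate at the REST layer never passed through the wrapper that issues the token.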

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.indices.stats.IndexStatsIT.testFilterCacheStats

@DarshitChanpura DarshitChanpura left a comment


Thank you for moving identity project to a module @cwperks !

@@ -0,0 +1 @@
0ce1edb914c94ebc388f086c6827e8bdeec71ac2
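Review bot: this new one-line file is a bare 40-hex-character dependency checksum with no surrounding context, so its correctness cannot be judged from the diff itself; the thread below attributes it to running updateShas after dropping the server dependency on :sandbox:libs:opensearch-authn, so it should be committed exactly as generated (never hand-edited), and a second updateShas run on the merged tree should yield no further diff.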

qq.. are the changes in other plugin folders outside authn due to running updateShas?

@cwperks cwperks (Member Author)

Yes, I removed the server dependency on the :sandbox:libs:opensearch-authn library and ran updateSHAs after removing the dependency.

sandbox/libs/authn/build.gradle
@@ -32,7 +32,11 @@ public class InternalAuthenticationManager implements AuthenticationManager {
* and this instantiation uses the default security manager
*/
public InternalAuthenticationManager() {
final SecurityManager securityManager = new DefaultSecurityManager(InternalRealm.INSTANCE);
// final SecurityManager securityManager = new DefaultSecurityManager(InternalRealm.INSTANCE);
// SecurityUtils.setSecurityManager(securityManager);
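Review bot: `securityManager` is built on the line `final SecurityManager securityManager = new DefaultSecurityManager(InternalRealm.INSTANCE);` but its only consumer, `SecurityUtils.setSecurityManager(securityManager);`, is commented out, so the realm-backed manager is constructed and then dropped. Either restore the setSecurityManager call so the global manager actually consults InternalRealm, or remove the construction together with the two commented-out lines rather than leaving an unused instance and dead comments in the constructor.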

we can remove this now

@@ -65,6 +66,7 @@ public String toString() {
public void login(AuthenticationToken authenticationToken) {
org.apache.shiro.authc.AuthenticationToken authToken = AuthenticationTokenHandler.extractShiroAuthToken(authenticationToken);
// Login via shiro realm.
shiroSubject.login(authToken);
SecurityUtils.getSecurityManager().authenticate(authToken);
// shiroSubject.login(authToken);
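Review bot: the return value of `SecurityUtils.getSecurityManager().authenticate(authToken);` is discarded, so a failed login is signalled only by an exception, and the manager consulted is whatever SecurityUtils globally holds (the constructor hunk above leaves `SecurityUtils.setSecurityManager(...)` commented out). Drop the commented-out `// shiroSubject.login(authToken);` line, and either keep `shiroSubject.login(authToken);` so an authenticated subject is bound, or document that login here only validates credentials without establishing a subject.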

should we remove shiroSubject completely? Since we are not using the login method it won't be creating and setting a subject on successful login, and so I'm not sure if we need this at all.

@cwperks cwperks (Member Author)

This section needs to be revisited for performance to see if the entire ./gradlew check can run with identity enabled. I can remove the commented out line for now.

sandbox/libs/authn/docs/auth_flow.md (outdated)
log.debug(pres.toString());
}

if (pres.isAllowed()) {

this check would always be true based on setting on line 99. Is that expected or should line 99 be changed to something conditional?


@cwperks cwperks Dec 15, 2022


That is more boilerplate that is meant to be expanded on when authorization is tackled. When I started working on this branch, one of the big ideas was to deprecate the usage of serializing the User object and transporting it around the cluster on the thread context headers as a proxy for a request that has previously been authenticated on the REST layer. Instead of serializing the user object, this PR introduces tokens for authentication information and transports them around the cluster using the thread context headers. I originally wanted to terminate an internal transport request if it did not contain authentication information with it. The problem I faced is that this header would be populated for internal transport requests that originated from the REST layer, but it was not present for internal actions invoked from elsewhere.

In a future PR we need to investigate where internal actions are invoked from and choose whether we should send information indicating that it's starting from an internal source.

codecov-commenter commented Dec 15, 2022

Codecov Report

Merging #5583 (ad2f483) into feature/identity (71281f1) will decrease coverage by 0.55%.
The diff coverage is 63.04%.

```
@@                  Coverage Diff                   @@
##             feature/identity    #5583      +/-   ##
======================================================
- Coverage               71.51%   70.95%   -0.56%     
+ Complexity              58645    58494     -151     
======================================================
  Files                    4727     4768      +41     
  Lines                  277738   278941    +1203     
  Branches                40176    40297     +121     
======================================================
- Hits                   198612   197911     -701     
- Misses                  63222    64871    +1649     
- Partials                15904    16159     +255     
```
Impacted Files Coverage Δ
...search/transport/Netty4NioServerSocketChannel.java 0.00% <0.00%> (ø)
.../java/org/opensearch/transport/NettyAllocator.java 45.45% <0.00%> (ø)
...rch/authn/internal/InternalAccessTokenManager.java 0.00% <0.00%> (ø)
.../opensearch/authn/noop/NoopAccessTokenManager.java 0.00% <0.00%> (ø)
...ensearch/authn/noop/NoopAuthenticationManager.java 66.66% <ø> (ø)
...in/java/org/opensearch/authn/noop/NoopSubject.java 66.66% <ø> (ø)
.../java/org/opensearch/authn/tokens/AccessToken.java 0.00% <ø> (ø)
.../java/org/opensearch/identity/ConfigConstants.java 0.00% <0.00%> (ø)
...rc/main/java/org/opensearch/identity/Identity.java 100.00% <ø> (ø)
...rg/opensearch/identity/ThreadContextConstants.java 0.00% <0.00%> (ø)
... and 557 more

@DarshitChanpura DarshitChanpura left a comment


Thank you @cwperks !

@DarshitChanpura

@saratvemulapalli Can you please help merge this?

@saratvemulapalli saratvemulapalli left a comment


Didn't want to block your work.
But I'd like to review the change sometime this week.
@cwperks I'll merge it and I'll drop comments if I have any.

@saratvemulapalli saratvemulapalli merged commit ec7f9b6 into opensearch-project:feature/identity Dec 20, 2022