[Feature/Identity] Introduce Identity module #5583
Conversation
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Thank you for moving identity project to a module @cwperks !
@@ -0,0 +1 @@ | |||
0ce1edb914c94ebc388f086c6827e8bdeec71ac2 |
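Review bot: this new file is a single checksum line with no indication of which artifact it belongs to; as the comments on this hunk say, it was produced by `updateShas` after dropping the `:sandbox:libs:opensearch-authn` dependency, so the one thing to confirm at review is that the checksum matches the artifact version declared in the corresponding build.gradle, since a stale SHA file would let a mismatched jar pass the dependency check.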
qq.. are the changes in other plugin folders outside `authn` due to running `updateShas`?
Yes, I removed the server dependency on the `:sandbox:libs:opensearch-authn` library and ran `updateSHAs` after removing the dependency.
@@ -32,7 +32,11 @@ public class InternalAuthenticationManager implements AuthenticationManager { | |||
* and this instantiation uses the default security manager | |||
*/ | |||
public InternalAuthenticationManager() { | |||
final SecurityManager securityManager = new DefaultSecurityManager(InternalRealm.INSTANCE); | |||
// final SecurityManager securityManager = new DefaultSecurityManager(InternalRealm.INSTANCE); | |||
// SecurityUtils.setSecurityManager(securityManager); |
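Review bot: `SecurityUtils.setSecurityManager(securityManager)` is commented out rather than removed, and nothing in this hunk installs a replacement, so the later `SecurityUtils.getSecurityManager().authenticate(authToken)` call in `login` will throw Shiro's UnavailableSecurityManagerException unless a manager is bound elsewhere; either keep the call here or point to where the manager is installed, and delete the two commented-out lines instead of leaving them in the constructor.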
we can remove this now
@@ -65,6 +66,7 @@ public String toString() { | |||
public void login(AuthenticationToken authenticationToken) { | |||
org.apache.shiro.authc.AuthenticationToken authToken = AuthenticationTokenHandler.extractShiroAuthToken(authenticationToken); | |||
// Login via shiro realm. | |||
shiroSubject.login(authToken); | |||
SecurityUtils.getSecurityManager().authenticate(authToken); | |||
// shiroSubject.login(authToken); |
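Review bot: the `AuthenticationInfo` returned by `SecurityUtils.getSecurityManager().authenticate(authToken)` is discarded, so a successful login leaves callers with no record of the authenticated principal, and `shiroSubject` is no longer used on the login path; either capture the returned info (or bind a subject from it) so authorization can see who logged in, or remove the `shiroSubject` field, and drop the commented-out `// shiroSubject.login(authToken);` line rather than keeping it as dead code.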
should we remove `shiroSubject` completely? Since we are not using the `login` method it won't be creating and setting a subject on successful login, and so I'm not sure if we need this at all.
This section needs to be revisited for performance to see if the entire `./gradlew check` can run with identity enabled. I can remove the commented out line for now.
...tity/src/internalClusterTest/java/org/opensearch/identity/HttpSmokeTestCaseWithIdentity.java (resolved)
sandbox/modules/identity/src/main/java/org/opensearch/identity/PrivilegesEvaluatorResponse.java (resolved)
log.debug(pres.toString()); | ||
} | ||
|
||
if (pres.isAllowed()) { |
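Review bot: `if (pres.isAllowed())` follows `log.debug(pres.toString())` and, per the review comment on this hunk, the evaluator response is set to allowed unconditionally, so the deny branch is dead code and no test can exercise the rejection path; make the deny branch explicit now (fail the listener with a permission error rather than falling through) and mark the unconditional allow with a TODO so the pass-through state stays visible, and confirm that `pres.toString()` does not include the token or other credentials before it is logged at debug level.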
this check would always be true based on setting on line 99. Is that expected or should line 99 be changed to something conditional?
That is more boilerplate that is meant to be expanded on when authorization is tackled. When I started working on this branch, one of the big ideas was to deprecate the usage of serializing the User object and transporting it around the cluster on the thread context headers as a proxy for a request that has previously been authenticated on the REST layer. Instead of serializing the user object, this PR introduces tokens for authentication information and transports them around the cluster using the thread context headers. I originally wanted to terminate an internal transport request if it did not contain authentication information with it. The problem I faced is that this header would be populated for internal transport requests that originated from the REST layer, but it was not present for internal actions invoked from elsewhere.
In a future PR we need to investigate where internal actions are invoked from and choose whether we should send information indicating that it's starting from an internal source.
sandbox/modules/identity/src/main/java/org/opensearch/identity/SecurityRestFilter.java (outdated, resolved)
Codecov Report
| | feature/identity | #5583 | +/- |
|---|---|---|---|
| Coverage | 71.51% | 70.95% | -0.56% |
| Complexity | 58645 | 58494 | -151 |
| Files | 4727 | 4768 | +41 |
| Lines | 277738 | 278941 | +1203 |
| Branches | 40176 | 40297 | +121 |
| Hits | 198612 | 197911 | -701 |
| Misses | 63222 | 64871 | +1649 |
| Partials | 15904 | 16159 | +255 |
Thank you @cwperks!
@saratvemulapalli Can you please help merge this?
Didn't want to block your work.
But I'd like to review the change sometime this week.
@cwperks I'll merge it and I'll drop comments if I have any.
Description

Opening a PR to solicit feedback for the introduction of the Identity module, which includes an implementation of Basic Auth.

This PR introduces a new sandbox module, `identity`, that will use some of the existing extension points that the security plug-in does to authenticate REST requests and pass a token around on the header of the thread context of a task that identifies the user and can subsequently be used for authorization.

This new identity module uses a few existing extension points from the `ActionPlugin` and the `NetworkPlugin`.

From the `ActionPlugin` this branch uses:

- `getRestHandlerWrapper` - to provide a wrapper that handles authentication. As of now, there is only a Basic auth mechanism that uses the internal IdP in this feature branch to authenticate the user and return a 403 if the request cannot be authenticated.
- `getActionFilters` - This branch introduces an `AuthorizationFilter` that is intended to be used to perform authorization. This is mostly pass-through at the moment and right now it verifies that a token is present and valid before the `TransportRequest` performs its `doExecute`.

From the `NetworkPlugin` this uses:

- `getTransportInterceptors` - The transport interceptor intercepts outgoing `TransportRequest`s and can modify the request before it's sent to another node. When testing this branch, I ran into problems with how the `TransportMessageListener` intercepted outgoing requests, as the `ThreadContext` was not available to inspect to ensure that the node that received the `RestRequest` created a token before sending the transport request to other nodes. When running the test it's clear to see that other nodes received the created token, but the message listener is unable to get it because of how it's wrapped in an `ActionListener` in `OutboundHandler`:

The transport interceptor has access to the `ThreadContext` and the tests will be updated to use the interceptor.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
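The description above explains the mechanism the module relies on: the transport interceptor sees the `ThreadContext` of the outgoing request, so it can check that the node which authenticated the REST request placed a token on the thread context headers before the request leaves for another node. The following is an added example of such an interceptor, written for this page and not code from the OpenSearch PR or the identity module; it uses the real `TransportInterceptor`, `AsyncSender`, `ThreadContext` and `TransportException` types from OpenSearch, while the class name, the header name `opensearch-identity-auth-token` and the fail-closed policy are assumptions for illustration.

```java
// Added example, not code from the OpenSearch PR: a TransportInterceptor that
// refuses to send an outgoing transport request when no authentication token
// is present on the ThreadContext headers. Class name, header name and the
// fail-closed policy are assumptions for illustration.
package org.opensearch.identity.example;

import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.transport.Transport;
import org.opensearch.transport.TransportException;
import org.opensearch.transport.TransportInterceptor;
import org.opensearch.transport.TransportRequest;
import org.opensearch.transport.TransportRequestOptions;
import org.opensearch.transport.TransportResponse;
import org.opensearch.transport.TransportResponseHandler;

public final class AuthTokenTransportInterceptor implements TransportInterceptor {

    /** Hypothetical header name; the PR does not state the one it uses. */
    public static final String AUTH_TOKEN_HEADER = "opensearch-identity-auth-token";

    private final ThreadContext threadContext;

    // NetworkPlugin.getTransportInterceptors(NamedWriteableRegistry, ThreadContext)
    // hands the plugin the node's ThreadContext; it is passed in here.
    public AuthTokenTransportInterceptor(ThreadContext threadContext) {
        this.threadContext = threadContext;
    }

    /**
     * Wrap the sender so every outgoing request is inspected before it leaves
     * this node. Unlike TransportMessageListener (see the PR description), the
     * interceptor runs with the caller's ThreadContext available.
     */
    @Override
    public AsyncSender interceptSender(AsyncSender sender) {
        return new AsyncSender() {
            @Override
            public <T extends TransportResponse> void sendRequest(
                Transport.Connection connection,
                String action,
                TransportRequest request,
                TransportRequestOptions options,
                TransportResponseHandler<T> handler
            ) {
                String token = threadContext.getHeader(AUTH_TOKEN_HEADER);
                if (token == null || token.isEmpty()) {
                    // Fail closed: report the missing token through the caller's
                    // response handler instead of sending an unauthenticated request.
                    handler.handleException(
                        new TransportException("no authentication token in thread context for action [" + action + "]")
                    );
                    return;
                }
                // Token present: the transport layer serializes ThreadContext headers
                // with the request, so the receiving node sees the same token.
                sender.sendRequest(connection, action, request, options, handler);
            }
        };
    }
}
```

A plugin would return an instance of this class from `getTransportInterceptors`. Note the caveat the description itself raises: requests that originate from internal actions rather than from the REST layer carry no token, so a fail-closed check like this one will reject them until there is a way to mark internally originated requests; a first step that does not break those paths is to log and count the missing-header sends per action name instead of failing them, which gives a defender a list of the internal call sites that the later PR needs to handle.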