Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement on behalf of token passing for extensions #8679

Merged
merged 47 commits into from
Aug 11, 2023
Merged

Implement on behalf of token passing for extensions #8679

merged 47 commits into from
Aug 11, 2023

Conversation

stephen-crawford
Copy link
Contributor

@stephen-crawford stephen-crawford commented Jul 13, 2023
edited
Loading

Description

This PR introduces basic token passing within the RestSendToExtensionAction. These tokens provide authc/z capabilities when supported by a complete Identity Plugin.

Completes: opensearch-project/security#2764

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@stephen-crawford
Outline changes
2837200 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Basic outline
570c04b 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Basic token passing
abd83c4 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Merge branch 'main' into tokenPassingForExtensions
0b4d85d 
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford
Minor changes
afc6b34 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

stephen-crawford and others added 3 commits August 11, 2023 15:59
@stephen-crawford
Fix changelog
40afb9e 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Changelog
5d17b26 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Merge branch 'opensearch-project:main' into tokenPassingForExtensions
2a8b4ae
@opensearch-trigger-bot
Copy link
Contributor

Compatibility status:



> Task :checkCompatibility
Incompatible components: [https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git]
Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git]

BUILD SUCCESSFUL in 23m 58s

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@opensearch-trigger-bot
Copy link
Contributor

Compatibility status:



> Task :checkCompatibility
Incompatible components: [https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/security-analytics.git]
Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

BUILD SUCCESSFUL in 29m 10s

@opensearch-trigger-bot
Copy link
Contributor

Compatibility status:



> Task :checkCompatibility
Incompatible components: [https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/performance-analyzer.git]
Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

BUILD SUCCESSFUL in 31m 50s

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.client.PitIT.testDeleteAllAndListAllPits

peternied
peternied approved these changes Aug 11, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for driving this @scrawfor99

@peternied peternied merged commit 487e3e3 into opensearch-project:main Aug 11, 2023
@reta reta added the backport 2.x Backport to 2.x branch label Aug 11, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-8679-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 487e3e34460cb16abab7597fe4ed7d00a11c595d
# Push it to GitHub
git push --set-upstream origin backport/backport-8679-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-8679-to-2.x.

@reta
Copy link
Collaborator

reta commented Aug 11, 2023

@scrawfor99 please send manual backport to 2.x when you have time, thank you

@peternied
Copy link
Member

After the security review has been completed lets revisit backporting, how does that sound @reta @scrawfor99 ?

linuxpi pushed a commit to linuxpi/OpenSearch that referenced this pull request Aug 14, 2023
@stephen-crawford @RyanL1997
@peternied @linuxpi
Implement on behalf of token passing for extensions (opensearch-proje…
1fa0c7f 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
linuxpi pushed a commit to linuxpi/OpenSearch that referenced this pull request Aug 16, 2023
@stephen-crawford @RyanL1997
@peternied @linuxpi
Implement on behalf of token passing for extensions (opensearch-proje…
9ed4c45 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
kaushalmahi12 pushed a commit to kaushalmahi12/OpenSearch that referenced this pull request Sep 12, 2023
@stephen-crawford @RyanL1997
@peternied @kaushalmahi12
Implement on behalf of token passing for extensions (opensearch-proje…
f27a686 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Signed-off-by: Kaushal Kumar <ravi.kaushal97@gmail.com>
stephen-crawford added a commit to stephen-crawford/OpenSearch that referenced this pull request Sep 14, 2023
@stephen-crawford @RyanL1997 @peternied
Implement on behalf of token passing for extensions (opensearch-proje…
9d38a09 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
brusic pushed a commit to brusic/OpenSearch that referenced this pull request Sep 25, 2023
@stephen-crawford @RyanL1997
@peternied @brusic
Implement on behalf of token passing for extensions (opensearch-proje…
496dce0 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Signed-off-by: Ivan Brusic <ivan.brusic@flocksafety.com>
DarshitChanpura pushed a commit to DarshitChanpura/OpenSearch that referenced this pull request Sep 27, 2023
@stephen-crawford @RyanL1997
@peternied @DarshitChanpura
Implement on behalf of token passing for extensions (opensearch-proje…
bff54cc 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
DarshitChanpura pushed a commit to DarshitChanpura/OpenSearch that referenced this pull request Sep 28, 2023
@stephen-crawford @RyanL1997
@peternied @DarshitChanpura
Implement on behalf of token passing for extensions (opensearch-proje…
f40d280 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
RyanL1997 added a commit to RyanL1997/OpenSearch that referenced this pull request Nov 1, 2023
@stephen-crawford @RyanL1997 @peternied
Implement on behalf of token passing for extensions (opensearch-proje…
1607aae 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
This was referenced Nov 1, 2023
Merged
Closed
peternied added a commit that referenced this pull request Nov 2, 2023
@RyanL1997 @stephen-crawford
@peternied @owaiskazi19
[Backport 2.x] Service accounts and on-behalf-of authentication in 2.x (
f1df1cd 
#11052)

* Implement on behalf of token passing for extensions (#8679)

* Provide service accounts tokens to extensions (#9618)

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

* Cherry pick #10614 and #10664

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
@BrewTestBot BrewTestBot mentioned this pull request Feb 21, 2024
Merged
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
@stephen-crawford @RyanL1997
@peternied @shiv0408
Implement on behalf of token passing for extensions (opensearch-proje…
7c061ff 
…ct#8679)

Implement on behalf of token passing for extensions

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Ryan Liang <jiallian@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwperks cwperks cwperks approved these changes

@peternied peternied peternied approved these changes

@reta reta reta approved these changes

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE is a code owner

@dblock dblock Awaiting requested review from dblock dblock is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna is a code owner

@setiah setiah Awaiting requested review from setiah

@kartg kartg Awaiting requested review from kartg

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 is a code owner

@nknize nknize Awaiting requested review from nknize nknize is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 is a code owner

@ryanbogan ryanbogan Awaiting requested review from ryanbogan

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja is a code owner

@dreamer-89 dreamer-89 Awaiting requested review from dreamer-89

@tlfeng tlfeng Awaiting requested review from tlfeng

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@dbwiddis dbwiddis Awaiting requested review from dbwiddis dbwiddis is a code owner

@sachinpkale sachinpkale Awaiting requested review from sachinpkale sachinpkale is a code owner

@sohami sohami Awaiting requested review from sohami sohami is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997

Assignees
No one assigned
Labels
backport 2.x Backport to 2.x branch backport-failed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@stephen-crawford @cwperks @reta @peternied @RyanL1997