Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use auth tokens passed from core and introduce extension and user REST clients #892

Draft
wants to merge 8 commits into
base: main
Choose a base branch
from

Conversation

cwperks
Copy link
Member

@cwperks cwperks commented Jul 21, 2023

Description

Companion example PR for integ testing in security: cwperks/security#6
Companion example PR for integ testing in core: cwperks/OpenSearch#94

This PR introduces an extensionRestClient and userRestClient that an extension developer can utilize to make REST Requests with Auth Tokens back to an OpenSearch Cluster.

  • The extensionRestClient is part of the extensionsRunner and is available extension-wide. This REST Client uses a Service Account Token to make requests to an OpenSearch cluster on an extension's own behalf. A common example of an extension making requests to OpenSearch on its own behalf is when interacting with a system index that the extension has reserved.

  • The userRestClient is instantiated in handleRequest of BaseExtensionRestHandler and is available to use in all extension REST Handlers. This REST client is utilized to make requests back to opensearch on behalf of the original authenticated user utilizing an On-Behalf-Of token. The On-Behalf-Of token is a short lived access token (JWT) that includes an audience claim that is populated with the destination extension's unique ID. The On-Behalf-Of token lets an extension act as the original user. @peternied is also working on mechanisms for cluster admins to impose further restrictions on these tokens. Details can be found here

The last thing this PR introduces is another security setting to be placed in the extension's settings file: ssl.http.enabled

This setting is used to determine the scheme (http or https) of the REST Client. This is a boolean setting.

Issues Resolved

#887

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Took a quick look - thanks for getting this setup, seems decent to me. Maybe there are a couple of things that could be cleaned up by influencing https://github.com/opensearch-project/OpenSearch/pull/8526/files

src/main/java/org/opensearch/sdk/SDKClient.java Outdated Show resolved Hide resolved
@@ -68,11 +73,19 @@ public RestExecuteOnExtensionResponse handleRestExecuteOnExtensionRequest(Extens
);
}

String oboToken = request.getRequestIssuerIdentity();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like this should be called an onBehalfOfToken both here and on the request object?

What do you think about making the type Optional<> ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. I think this needs to be updated in core. I can create a PR for that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants