Issue and ferry Service Account Tokens and On-Behalf-Of Tokens to an Extension #94
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
… extension-service-account-tokens
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Companion Security PR: cwperks/security#6
This is an example PR for integration testing with the extension SDK.
This is the corresponding PR in core for introducing and utilizing the
TokenManagerinterface of anIdentityPluginwhich has methods that are called to issue service account tokens and on-behalf-of tokens. After issuance, these tokens are ferried over to an extension.A Service Account Token is ferried over to an extension on an extension initialization request. This PR only covers ferrying a token on bootstrap and does not cover any flows on extensions requesting a new service account token. This PR treats service account tokens as indefinite (like how passwords are treated in OpenSearch today) and new ones would only be issued on initialization. In the event a token is compromised, its not possible to revoke it. Similar to losing an SSN, you would need to change your identity (extension_unique_id) to recover.
An on-behalf-of token is issued just-in-time, meaning just before the REST Request that is proxied through the OpenSearch node is forwarded to an extension. These are short-lived tokens that are not revokable.