
[DOC] Add documentation for OnBehalfOf Authentication #4388

Closed
1 of 4 tasks
RyanL1997 opened this issue Jun 23, 2023 · 8 comments · Fixed by #5123
Assignees
Labels
3 - Done Issue is done/complete security v2.12.0
Milestone

Comments


RyanL1997 commented Jun 23, 2023

What do you want to do?

  • Request a change to existing documentation
  • Add new documentation
  • Report a technical problem with the documentation
  • Other

Description of the Feature

The security team has opted to develop an on-behalf-of JSON Web Token for managing authentication requests between the user's client and the extension just in time. For the initial extensions design, these tokens will allow the extension to interact with the OpenSearch cluster using the same privileges as the initiating user; that's the reason it is named "on-behalf-of". However, since this token doesn't have any restrictions in place, it also has the capability of letting a service operate as if it were the original user for some window of time, which means this generic feature is not limited to extension-related use cases.

For most scenarios, this OBO token will be used just-in-time, which means that the token is issued just before it is needed. The token will have a configurable short window of validity, after which it is expired and no longer good for use. If the extension REST handler finishes quickly, the token may still be valid after the request is done. If the extension REST handler takes a long time, then there is a risk that the token will expire before the request has been fully handled. There may need to be a mechanism in place to refresh a token or to let certain handlers obtain tokens with a longer window of validity; for example, I think 5 minutes is reasonable, and most handlers should be able to handle a request in a short period of time.


Token’s Payload

  • Issuer (iss): OpenSearch cluster identifier
  • Issued-at (iat): current time of issuing this token
  • Expiry (exp): expiration time
  • Subject (sub): user ID
  • Audience (aud): extension's unique identifier
  • Roles: security privilege evaluation

Roles in OBO's Payload

Plugin Backward Compatibility Mode (BWC Mode)

  • BWC Mode OFF (default): encrypted roles (er)
  • BWC Mode ON: decrypted roles in plain text (dr), decrypted backend roles in plain text (dbr)

Configuration in Config.yml

on_behalf_of:
    signing_key: xxxxxxxxxx
    encryption_key: xxxxxxxx
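As an added example that is not part of this issue or of the OpenSearch security plugin's own code, the following Python sketch issues and checks a token with the payload laid out above (iss, iat, exp, sub, aud, and either er or dr/dbr depending on BWC mode) and enforces the short validity window discussed earlier, including the rejection of a token that has aged past exp. It assumes HMAC-SHA512 signing with a constructed signing key; the er claim is an opaque placeholder blob rather than real encryption with encryption_key, and all names (issue_obo_token, classify_obo_token, the sample cluster and extension identifiers) are hypothetical.

```python
"""Added example: issuing and validating an on-behalf-of (OBO) style JWT.
Not OpenSearch code; claim names follow the payload described in the issue."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the issue only shows signing_key/encryption_key as placeholders.
SIGNING_KEY = b"constructed-signing-key-not-a-real-secret"
DEFAULT_TTL_SECONDS = 300  # the 5-minute window suggested in the issue
SAMPLE_NOW = 1_700_000_000  # fixed clock so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_obo_token(cluster_id, user_id, audience, roles, backend_roles,
                    bwc_mode=False, ttl=DEFAULT_TTL_SECONDS, now=None,
                    signing_key=SIGNING_KEY):
    """Build a compact JWT signed with HMAC-SHA512 (hypothetical layout)."""
    now = int(time.time()) if now is None else int(now)
    payload = {"iss": cluster_id, "iat": now, "exp": now + ttl,
               "sub": user_id, "aud": audience}
    if bwc_mode:
        # BWC mode ON: roles travel in plain text under dr / dbr.
        payload["dr"] = ",".join(roles)
        payload["dbr"] = ",".join(backend_roles)
    else:
        # BWC mode OFF: roles travel under er. Real deployments encrypt this
        # with encryption_key; here an opaque base64 blob stands in (placeholder).
        blob = json.dumps({"roles": roles, "backend_roles": backend_roles}).encode()
        payload["er"] = _b64url(blob)
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(signing_key, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def verify_obo_token(token, cluster_id, expected_audience, bwc_mode=False,
                     now=None, leeway=0, signing_key=SIGNING_KEY):
    """Return the payload if the token is acceptable, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Check the signature before trusting anything inside the payload.
    expected = hmac.new(signing_key, f"{h}.{p}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS512":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else int(now)
    if payload.get("iss") != cluster_id:
        raise ValueError("wrong issuer")
    if payload.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    if payload["iat"] > now + leeway:
        raise ValueError("issued in the future")
    if now >= payload["exp"] + leeway:
        raise ValueError("token expired")
    # The roles layout must match the configured BWC mode, never both at once.
    has_er, has_plain = "er" in payload, ("dr" in payload and "dbr" in payload)
    if bwc_mode and (has_er or not has_plain):
        raise ValueError("roles layout does not match BWC mode")
    if not bwc_mode and (not has_er or "dr" in payload or "dbr" in payload):
        raise ValueError("roles layout does not match BWC mode")
    return payload


def classify_obo_token(token, cluster_id, expected_audience, **kwargs):
    """Convenience wrapper: 'ok' or the rejection reason as a string."""
    try:
        verify_obo_token(token, cluster_id, expected_audience, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo_token(bwc_mode=False):
    """Sample token for the constructed cluster 'cluster-a' and extension 'ext-1'."""
    return issue_obo_token("cluster-a", "alice", "ext-1", ["reader"],
                           ["analysts"], bwc_mode=bwc_mode, now=SAMPLE_NOW)


if __name__ == "__main__":
    tok = demo_token()
    print(classify_obo_token(tok, "cluster-a", "ext-1", now=SAMPLE_NOW + 10))
    print(classify_obo_token(tok, "cluster-a", "ext-1", now=SAMPLE_NOW + 600))
```

The verifier checks the signature first, then issuer, audience and the iat/exp window (with optional leeway for clock skew), and finally that the roles claim layout matches the BWC mode the plugin is configured for, so a token minted for one mode is not silently accepted under the other.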

References

@cwillum cwillum added 1 - Backlog Issue: The issue is unassigned or assigned but not started security v2.9.0 and removed untriaged labels Jun 27, 2023
@cwillum cwillum added this to the v2.9 milestone Jun 27, 2023
@cwillum cwillum self-assigned this Jun 27, 2023
@cwillum
Contributor

cwillum commented Jun 27, 2023

@RyanL1997 A big thanks for adding this issue, and especially for the thoroughly detailed information on the feature.

@hdhalter hdhalter added 2 - In progress Issue/PR: The issue or PR is in progress. and removed 1 - Backlog Issue: The issue is unassigned or assigned but not started labels Jun 28, 2023
@cwillum cwillum modified the milestones: v2.9, v2.10 Jun 29, 2023
@cwillum cwillum added 1 - Backlog Issue: The issue is unassigned or assigned but not started v2.10.0 and removed 2 - In progress Issue/PR: The issue or PR is in progress. v2.9.0 labels Jun 29, 2023
@cwillum
Contributor

cwillum commented Jun 29, 2023

Pausing this for 2.9. If it doesn't get fresh attention between release cycles, it will be an issue for 2.10.

@hdhalter
Contributor

hdhalter commented Aug 9, 2023

@RyanL1997 - can you please add this to the roadmap? Thanks.

@hdhalter hdhalter added 2 - In progress Issue/PR: The issue or PR is in progress. and removed 1 - Backlog Issue: The issue is unassigned or assigned but not started labels Aug 23, 2023
@peternied peternied added v2.11.0 and removed v2.10.0 labels Aug 31, 2023
@peternied
Member

@cwillum This is not going to make it for 2.10, moving to 2.11 - sorry for the shuffle.

CC: @davidlago @hdhalter

@hdhalter hdhalter modified the milestones: v2.10, v2.11 Aug 31, 2023
@RyanL1997
Author

Hi @cwillum and @hdhalter, thanks for following up. This issue is a bit outdated, and we are preparing documentation guidance for both service accounts and OBO on opensearch-project/security#3290. @scrawfor99 and I will update everything in the comment section of that issue, and we will let you know when everything is ready.

@RyanL1997
Author

Hi @hdhalter, just a friendly reminder that our documentation guidance is ready. Please feel free to contact me if you guys have some questions.

@peternied peternied changed the title [DOC] Add documentation for On-behalf-of Authentication [DOC] Add documentation for OnBehalfOf Authentication Sep 29, 2023
@peternied
Member

Note: we need to make sure we are consistent with the casing/naming of the feature. It is my understanding that it is OnBehalfOf. @RyanL1997, if you agree, can you see about making sure this is consistent?

@hdhalter hdhalter added v2.12.0 and removed v2.11.0 labels Oct 3, 2023
@hdhalter hdhalter modified the milestones: v2.11, v2.12 Oct 3, 2023
@hdhalter
Contributor

hdhalter commented Oct 3, 2023

This has been moved to 2.12 as per Jialing Liang.

@hdhalter hdhalter assigned RyanL1997 and unassigned cwillum Oct 26, 2023
@hdhalter hdhalter added 3 - Done Issue is done/complete and removed 2 - In progress Issue/PR: The issue or PR is in progress. labels Nov 20, 2023