Issue and ferry a Service Account Token to an Extension on bootstrap #3176

Closed
2 of 4 tasks
Tracked by #2944 ...
cwperks opened this issue Aug 14, 2023 · 7 comments · Fixed by opensearch-project/OpenSearch#9618
Labels: bug (Something isn't working), triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable.)

Comments

@cwperks
Member

cwperks commented Aug 14, 2023

As part of [META] System Indices access for Extensions, the plan is for an extension that reserves indices to receive a token on bootstrap that the extension can utilize to interact with its reserved indices. This token will be referred to as a Service Account Token because it represents the identity of the extension and can be used by the extension to act as itself when making requests on the extension's reserved indices.

I'm filing an issue to track the work to create an interface within the IdentityPlugin extension point of core that can be used to trigger the security plugin's implementation of issuing a service account token. After issuance, the token also needs to be ferried to an extension.

I see 2 possible options for ferrying this token to an extension:

  1. As part of the InitializeExtensionRequest which is initiated from core and used to initialize an extension. The handler on the SDK side can be found here.

  2. As a separate Transport action that is sent after successful initialization. I recommend this option.

You can see a sample implementation of a separate transport action for ferrying service account tokens in here. (There's an open PR on the SDK repo to address token handling on the SDK side that provided implementations of ferrying a service account token and obo token: opensearch-project/opensearch-sdk-java#892)

Sending this as a separate Transport Request potentially allows the transport action to be re-used for token rotation, whereas an initialization request is only meant to be performed once.

Acceptance Criteria:

  • Define an interface in core on the IdentityPlugin that can be called to issue a service account token given an extension's unique ID.
  • Create a new TransportAction that runs after successful InitializeExtensionRequest to issue and ferry the service account token to an extension
  • Implement the interface in the Security plugin

Future followup:

@cwperks added the bug (Something isn't working) and untriaged (Require the attention of the repository maintainers and may need to be prioritized) labels Aug 14, 2023
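An added sketch of the second option described in the issue above: a token delivery action that is separate from initialization and can therefore be repeated for rotation. It is not code from this issue, from OpenSearch core, the security plugin or the SDK; `TokenIssuer`, `Extension`, `issueAndFerry`, the handler names, the token format and the extension ID are all hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;

public class ServiceAccountTokenFerry {
    // Hypothetical stand-in for the interface the issue asks for on the IdentityPlugin.
    interface TokenIssuer { String issueServiceAccountToken(String extensionId); }

    // Hypothetical extension-side state: initialized once, token replaceable many times.
    static final class Extension {
        private final String id;
        private boolean initialized;
        private volatile String serviceAccountToken;
        Extension(String id) { this.id = id; }
        // Initialization is a one-shot request (option 1 would carry the token here).
        void handleInitialize() {
            if (initialized) throw new IllegalStateException("already initialized: " + id);
            initialized = true;
        }
        // Option 2: separate action, only valid after initialization, safe to repeat.
        void handleServiceAccountToken(String token) {
            if (!initialized) throw new IllegalStateException("not initialized: " + id);
            if (token == null || token.isEmpty()) throw new IllegalArgumentException("empty token");
            serviceAccountToken = token; // replaces any earlier token (rotation)
        }
        String token() { return serviceAccountToken; }
    }
    // Core side: issue a token for the extension's unique ID, then ferry it.
    static void issueAndFerry(TokenIssuer issuer, Extension ext) {
        ext.handleServiceAccountToken(issuer.issueServiceAccountToken(ext.id));
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        // Constructed issuer: random opaque value; real issuance is the security plugin's job.
        TokenIssuer issuer = extensionId -> {
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            return extensionId + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        };
        Extension ext = new Extension("sample-extension"); // constructed extension ID
        ext.handleInitialize();
        issueAndFerry(issuer, ext);              // bootstrap delivery
        String first = ext.token();
        issueAndFerry(issuer, ext);              // rotation reuses the same action
        System.out.println("token rotated: " + !first.equals(ext.token()));
        try { ext.handleInitialize(); }          // a second initialization is refused
        catch (IllegalStateException e) { System.out.println("re-init refused: " + e.getMessage()); }
    }
}
```

The sketch never prints the token itself, only whether it changed, so the credential stays out of logs.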
@stephen-crawford
Collaborator

[Triage] Thanks for filing this issue @cwperks. Please add an additional note about what is required for closing.

@stephen-crawford removed the untriaged (Require the attention of the repository maintainers and may need to be prioritized) label Aug 14, 2023
@stephen-crawford
Collaborator

[Triage] Hi @cwperks, thanks for adding the action items. This looks like it is clearly defined, so marking as triaged.

@stephen-crawford
Collaborator

Still waiting on review in core. Left comment asking for review.

@stephen-crawford
Collaborator

Still waiting.

@stephen-crawford
Collaborator

Still waiting.

@peternied
Member

Adding this back to make sure that we check that all the acceptance criteria are complete.

@peternied reopened this Sep 25, 2023
@github-actions bot added the untriaged (Require the attention of the repository maintainers and may need to be prioritized) label Sep 25, 2023
@peternied
Member

@scrawfor99 If you have any pointers/POCs for how this could be done that would be useful to add to this item

@davidlago removed the untriaged (Require the attention of the repository maintainers and may need to be prioritized) label Oct 2, 2023
@stephen-crawford self-assigned this Oct 13, 2023