-
Notifications
You must be signed in to change notification settings - Fork 284
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Api token authc/z implementation with Cache #4992
base: feature/api-tokens
Are you sure you want to change the base?
Conversation
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
…rmissions Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
originalSource = (new String(BaseEncoding.base64().decode((String) base64), StandardCharsets.UTF_8)); | ||
} else { | ||
originalSource = XContentHelper.convertToJson(originalResult.internalSourceRef(), false, XContentType.JSON); | ||
if (originalSource == null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes in this file are to correct a mis-merge that happened in prior PRs to this feature branch.
Signed-off-by: Derek Ho <dxho@amazon.com>
src/main/java/org/opensearch/security/action/apitokens/ApiTokenIndexListenerCache.java
Outdated
Show resolved
Hide resolved
@@ -45,7 +46,7 @@ public class PrivilegesEvaluationContext { | |||
private final IndexResolverReplacer indexResolverReplacer; | |||
private final IndexNameExpressionResolver indexNameExpressionResolver; | |||
private final Supplier<ClusterState> clusterStateSupplier; | |||
|
|||
private final ApiTokenIndexListenerCache apiTokenIndexListenerCache = ApiTokenIndexListenerCache.getInstance(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why add this to PrivilegesEvaluatorContext?
I think this should be handled similarly to the security configCache from ConfigurationRepository: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that security uses a publish-subscribe model to notify consumers about changes to the security config. See BackendRegistry.onDynamicConfigModelChanged for an example of a subscriber.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason why I am adding the instance to the context is for evaluation within the authz flow. I am not sure if the publish/subscribe model would work well for api tokens, which seems to be different than the other roles within the cluster. I feel like it is wrong to hook it up such that the actionprivileges need to be re-computed for all roles in the cluster on creation of a new api token (which does not affect the existing roles of the cluster). That is why I went forward with the instance approach that can be modified under the hood without re-computation of the other roles datastructures. Is there any concern with this instance approach other than not following the patterns existing within the security repo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This class is reserved for the context necessary to evaluate privileges on the currently executing ActionRequest. This class may need modification, but can we limit it to the smallest amount of what is required to evaluate privileges for the request? i.e. only the permissions of the token being utilized?
src/test/java/org/opensearch/security/action/apitokens/ApiTokenAuthenticatorTest.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
… write test Signed-off-by: Derek Ho <dxho@amazon.com>
|
||
@Test | ||
public void apiToken_explicit_failsWithWildcard() throws Exception { | ||
SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.fromYaml("test_role:\n" + // |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the roles in this are unused, can we use SecurityDynamicConfiguration.empty(CType.ROLES);
instead?
@@ -172,4 +173,8 @@ public String toString() { | |||
+ mappedRoles | |||
+ '}'; | |||
} | |||
|
|||
public ApiTokenIndexListenerCache getApiTokenIndexListenerCache() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO Cache is an implementation detail. The class should be about accessing metadata about the tokens like the permissions associated with a token.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See ConfigurationRepository which has methods for accessing the security configuration (from the security index or from the cache). I think repository is a good name here to let the caller of the class know that its used to access info about the security configuration.
Description
This PR implements authc/z for api tokens. For authc it is based on token validity for as well as presence in a cache, which listens to index and delete operations on the api token index. For Authz, it onboards onto action privileges class, where instead of returning not authorized for cluster and index privileges, requests go through a final api token check, where if the user is an api token, it will evaluate whether the permissions in the cache are sufficient to execute the request.
Issues Resolved
[List any issues this PR will resolve]
Is this a backport? If so, please add backport PR # and/or commits #, and remove
backport-failed
label from the original PR.Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.