How should OpenSearch allow for extensions to provide authentication? #19

Closed
peternied opened this issue Jun 20, 2022 · 2 comments
Labels: discuss, help wanted (Extra attention is needed)

Comments

@peternied
Member

Today there are HTTPAuthenticator.java and AuthenticationBackend.java which are extensible through the security plugin for OpenSearch. There are existing implementations for internal user storage, Kerberos, SAML, LDAP, and JWT exchange. The dependency on the Security plugin interfaces does not seem like the correct long term solution for extensions that want to provide authentication.

As many customers have existing Identity Providers (IdP) they can leverage, how should we support these with extensions? Alternatively, should these be supported in another way, perhaps built into OpenSearch?

@dbwiddis
Member

Broadly speaking, I see four main identity/authentication use cases:

  1. Key pair / certificate-based
  2. UserId/password-based
  3. Federated identity / single sign-on
  4. Anonymous / public access

The existing features in the Security plugin address 1 and 2 (and 4, sort-of). It seems reasonable to continue to offer this capability in the future, although the decision should be made whether to use a plugin or build that capability into core.

Case 3 would probably require an individual extension for each federation method (or at least a standards-based common ground) and would probably be a good longer-term goal.

@dbwiddis
Member

Closing this issue as it is being tracked by opensearch-project/security#1895 and opensearch-project/OpenSearch#3846
