-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document security scope for extensions #29
Conversation
While working on extensions there are many considerations for security, this document captures what those areas are as a way to discuss design approaches and codify the current state of affairs. Signed-off-by: Peter Nied <[email protected]>
@opensearch-project/security @CEHENKLE @dblock @saratvemulapalli @dbwiddis What do you think of using a document like this for extensions security related features? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good first start. I like the distinction between plugin and extension up front but then I'm starting to miss the usage later on as everything seems to say "plugin". Is it documenting current state?
It may be good to organize the sections into "current state" (plugin) and "future state" (extension + select plugins) to make clear what we are scoping for in the future.
SECURITY.md
Outdated
|
||
OpenSearch offers access control through the security plugin, with checks action names and filters. Actions registered within OpenSearch that are not permitted never reach the handler for a plugin or extension execution. | ||
|
||
Resource level access control is governed by the extension, when requests are processed the [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from common-utils is checked for matching backendroles/roles. Access control checks are managed wholy in the plugin. Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs an "As is" and "To Be" summary. We are planning to do something else with User, aren't we? You're also mixing extension and plugin here, not sure if this is documenting current vs. future. I would like to put RBAC as a goal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to put RBAC as a goal.
Me too, I think there is a version of this document that includes lists of issues to be implemented/decisions to make. Before we come to the possible implementations I'd like to lay out the surface area for prioritization. How would you feel about holding off on individual features until we codify this framework?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned in earlier comment, we do need an individual feature list somewhere. We can limit this particular document to the overall framework/scope but identifying at least major categories of features is needed for any actual planning and scoping of future work
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lets revisit this in a follow up PR to make sure we've got the detail we need
I think a template with a subset of important decision points similar to a document like this is a good idea once this document is ironed out. This document can serve more as a guiding principle while extensions should complete the template with implementation specifics for that extension. |
Great idea - I'm reshaping the doc to be focused on the 'as is' as aspects, there was a couple of details that were basically recommendations in disguise. |
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
…ia should be used to approve pull requesst changes Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
@dbwiddis I have respond or made updates to all of the comments you created if you wouldn't mind taking another look. Following the document phases, for this revision I'm trying to concentrate on landing |
Signed-off-by: Peter Nied <[email protected]>
SECURITY.md
Outdated
|
||
Plugins depend on use of the Java Security Manager is use to limit interactions on the host operation system resources (cpu/disk/memory/network/...). JSM has been deprecated, with its removal scheduled in the next release of the JVM, see [OpenSearch discussion](https://github.com/opensearch-project/OpenSearch/issues/1687). Additional measures are needed to protect system resources. | ||
|
||
Extensions are sandboxed from the host system by operating via REST APIs. This security boundary isolates extensions from executing operation system calls directly on OpenSearch hosts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is only true for out-of-process extensions. How about the ones that can run in-process? I think we are still open to having those supported down the line
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AFAIK in process extensions are not being designed or implemented at this time. How do you feel about not including it until this effort is more concrete?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think defining "REST API" is too specific for the potential application. The key point to make here is that interaction is limited to a defined set of API locations. For external extensions, they will use REST. If REST is not needed (e.g., in-process) there still should be another method of using the same API point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If extensions are available in-process, it seems like we are recreating the existing plugin feature with its same architectural weaknesses. With a solid security boundary between OpenSearch and its extensions, we can build extensibility in alignment with trustworthy functionality. I think there is a discussion to be had for in-process extensions and I would prefer to wait to add those considerations to this document until we are committing more thought in this space, does this seem like a worthwhile trade-off in the near term?
I am only away of using REST APIs for extensions, if we want to broaden the language do you have a suggestion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looked into this further and I'm fine with leaving this as REST API for simplicity.
|
||
## Configuration | ||
|
||
Configuration of OpenSearch uses on disk yml configuration files. Other settings are manage in-memory through settings that are modifiable at runtime through APIs or indirectly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we also use OpenSearch indexes to store configuration elements too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, I know the security plugin built functionality for this pattern, but I'm not sure if other plugins do the same. I'll follow up on this.
Signed-off-by: Peter Nied <[email protected]>
SECURITY.md
Outdated
|
||
Plugins depend on use of the Java Security Manager is use to limit interactions on the host operation system resources (cpu/disk/memory/network/...). JSM has been deprecated, with its removal scheduled in the next release of the JVM, see [OpenSearch discussion](https://github.com/opensearch-project/OpenSearch/issues/1687). Additional measures are needed to protect system resources. | ||
|
||
Extensions are sandboxed from the host system by operating via REST APIs. This security boundary isolates extensions from executing operation system calls directly on OpenSearch hosts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think defining "REST API" is too specific for the potential application. The key point to make here is that interaction is limited to a defined set of API locations. For external extensions, they will use REST. If REST is not needed (e.g., in-process) there still should be another method of using the same API point.
I've been doing some thinking about the integration of security, extensions, and versioning and think they all inter-relate a bit. Tossing the following diagram and content which you might consider including in the scope document in some way. Presently an outline, but each of the below bullet points should be fleshed out. @peternied @saratvemulapalli interested in your thoughts on this. API ControlsAll of the below interactions will use the API/SDK interaction points as the primary means of enabling/enforcing the points below.
Security & Identity
Versioning
Extensibility
Security + Versioning
Security + Extensibility
Extensiblity + Versioning
|
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for writing this up @peternied.
Couple of more thoughts/questions:
- How do we protect inter-extension communication?
- How can we enable extensions to expose resources, perform authentication and authorization?
- I see across the docs, the assumption is that the communication based on REST API's. So far extensions are just built on transport(TCP). For security, if REST APIs are preferred we could weigh in pros and cons.
- I see this doc scope as security for plugins and extensions. What are we thinking for Security for OpenSearch?
- When we define scope, i believe it would be the time to define tenets we would want to stick to.
- We did close: [FEATURE] Security support for extensions security#1895 in favor for this PR. I dont see the tactical items on the plate to execute for supporting AD as an extension. How do you want to take on this?
Signed-off-by: Peter Nied <[email protected]>
Great questions @saratvemulapalli thanks for the feedback.
This sounds like a future-feature request. For the moment, proxied via OpenSearch seems like the path, but there is much potential in this space. When we consider adding this functionality I think it warrants an in-depth discussion. Should we file an issue on this now to track, or is there another document that captures this? I'm leaning on having this come back up organically instead of creating an issue we forget about.
I'm not sure that we would implement all of these in this SDK. For example in the identity space there is Open ID, I do not think that functionality would below in this SDK, as implementing the standard in a native plugin might be the better way.
If we want to be security focused with extensions, I think we need to strongly consider moving to only communicate via REST API. While there are likely trade-offs from existing functionality/perf, there are huge benefits to quickly onboard simple extensions written in python, rust, or golang. Additionally, by limited communicates with an ephemeral connections we can be sure that authorization is granted at the time of a given request. It creates a well defined trust boundary. I've created #34 for additional discussion, as well as updating this doc in the COMSEC section.
This is a good callout, I'll start an effort to connect OpenSearch / Security as well as this doc together.
I like this in principle, but I am struggling to see how we could roll this out. I don't think we have existing engineering tenets in OpenSearch, this might be exactly the time to create them. This said I think that those will be documented in the OpenSearch codebase and I'd like to see about merging this change without them, how does that occur to you?
Thanks for bringing this up, after I merge this version of the document, there should be a fast follow for calling out the investigations and work that needs to be done to support Anomaly Detections feature set. I'll reopen that issue and close it when this has been done. |
@dbwiddis @saratvemulapalli how does this look in its current form? |
I'm happy with it in it's current form. We may tweak a few things in the future but it's a good working document at this point. Good questions regarding REST and auth/security. I think it's a solvable problem, and all these are implementation details rather than scope which the doc outlines.
|
* Document security scope for extensions While working on extensions there are many considerations for security, this document captures what those areas are as a way to discuss design approaches and codify the current state of affairs. This document contains phases to help guide usage and describe what criteria should be used to make forward progress. Signed-off-by: Peter Nied <[email protected]>
Description
While working on extensions there are many considerations for security, this document captures what those areas are as a way to discuss design approaches and codify the current state of affairs.
To approve this document means that we have
agreement of areas and 'as-is' state of OpenSearch Plugins and Extensions.
There are more details as to the phases of this document over time within the doc itselfIssues Resolved
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.