Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document security scope for extensions #29

Merged
merged 10 commits into from
Jul 8, 2022
57 changes: 57 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
# Extensions Security Guidelines

OpenSearch's support for extensions allows for taking already powerful use cases and expanding on them, this creates a larger surface area for misuse, vunerabilities, and malicious interactions. This document outlines several areas for enhancements, features, and practices to incorperate into extensions for OpenSearch
peternied marked this conversation as resolved.
Show resolved Hide resolved

To keep concepts consistant, this document is using terminology from [NIST Glossary](https://csrc.nist.gov/glossary).
peternied marked this conversation as resolved.
Show resolved Hide resolved

Additional terms:
* **Plugin** - reference to the existing functionality to extend OpenSearch functionality.
* **Extension** - reference to the in development functionality to extend OpenSearch.

## Host security

The Java Security Manager is the mechanism for ensuring plugins are limited in what they can do to the host operation system resources (cpu/disk/memory/network/...). As there are limitations and its deprecated with removal scheduled in the next release of the JVM.
peternied marked this conversation as resolved.
Show resolved Hide resolved

The current extensions design they operate via Rest APIs, by isolating extensions from using host they are prevented from executing operation system calls directly on hosts of the cluster.
peternied marked this conversation as resolved.
Show resolved Hide resolved

## Communications security (COMSEC)

Data is transferred from the OpenSearch cluster to the extensions. This is done via https requests between the nodes on the cluster and the extensions endpoint(s).
peternied marked this conversation as resolved.
Show resolved Hide resolved

Extensions should never directly communicate with other extensions, cross extensions work should always be proxied through OpenSearch.
peternied marked this conversation as resolved.
Show resolved Hide resolved

## Data Security

OpenSearch stores data in its memory and local file system storage, the security plugin provides mechanisms to control data access within OpenSearch. Extensions have independent data storage.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the security plugin going to remain as-is? That's not clear here. I think it's a good idea if so but we should articulate that.


Plugins store data inside of the OpenSearch cluster itself such as in system/hidden indices.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Plugins do store, or may store?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reworked this section, does this sound better?


## Access Control

OpenSearch offers access control through the security plugin, with checks action names and filters. Actions registered within OpenSearch that are not permitted never reach the handler for a plugin or extension execution.
peternied marked this conversation as resolved.
Show resolved Hide resolved

Resource level access control is governed by the extension, when requests are processed the [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from common-utils is checked for matching backendroles/roles. Access control checks are managed wholy in the plugin. Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs an "As is" and "To Be" summary. We are planning to do something else with User, aren't we? You're also mixing extension and plugin here, not sure if this is documenting current vs. future. I would like to put RBAC as a goal.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to put RBAC as a goal.

Me too, I think there is a version of this document that includes lists of issues to be implemented/decisions to make. Before we come to the possible implementations I'd like to lay out the surface area for prioritization. How would you feel about holding off on individual features until we codify this framework?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned in earlier comment, we do need an individual feature list somewhere. We can limit this particular document to the overall framework/scope but identifying at least major categories of features is needed for any actual planning and scoping of future work

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets revisit this in a follow up PR to make sure we've got the detail we need


Available permissions and roles are defined in the security plugin, every extension needs to update the security plugin to provide these values, eg. [roles.xml](https://github.com/opensearch-project/security/blob/main/config/roles.yml).
peternied marked this conversation as resolved.
Show resolved Hide resolved

## Auditing

With the security plugin installed, when actions are performed on the OpenSearch cluster they are recorded if filtering criteria are meet to configurable audit log sinks.

## Installation

Plugin installation is managed by using a binary on the node that extract plugin.zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime.
peternied marked this conversation as resolved.
Show resolved Hide resolved

## Versioning

OpenSearch systems have ways to deprecate unsupported patterns, feature, and APIs.
peternied marked this conversation as resolved.
Show resolved Hide resolved

## Configuration

Configuration of OpenSearch is split between on disk yml files and various in OpenSearch systems such as cluster settings.

Plugins configuration is loaded and checked at service startup time for correctness. If there is an error OpenSearch can fail to start.

## Reliability

OpenSearch plugins can create node instability if incorrectly configured, or there are code defects.