Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introducing Identity for OpenSearch blog post #1149

Merged
merged 18 commits into from
Jan 18, 2023

Conversation

peternied
Copy link
Member

Description

Introducing Identity for OpenSearch blog post

Issues Resolved

Check List

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the BSD-3-Clause License.

peternied and others added 2 commits November 11, 2022 14:11
Adding identities image

Signed-off-by: Peter Nied <[email protected]>
@peternied peternied added the new blog New blog post label Nov 11, 2022
@peternied peternied requested a review from a team as a code owner November 11, 2022 20:45
@peternied
Copy link
Member Author

@opensearch-project/security Could you take a look at how we are presenting identity more broadly to the community? If anyone else wants to get an authorship credit happy to get additional contributors - let me know!

@peternied
Copy link
Member Author

@jimishs @shanilpa Can you double-check that this is in alignment with the public discussion we want to start about these features? Would love to get nitpicky feedback about the blog's content.

Actions have an existing protection model – resources of a plugin do not, they must be implemented by each plugin developer separately. Being able to use shared systems for secure access and standard permissions schemes will make adding security features faster with fewer bugs.

## How to learn more?
Identity features are being built in a feature branch of OpenSearch, features/identity [4]. Roadmaps, documentation, findings, and functionality are in active development of that feature branch. Beginning in December there will be a monthly check-in during the OpenSearch community meeting.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@krisfreedain We've discussed a series of presentations/participation in the community meetings that I've hand-waved into this doc. What do you think of the proposal for a monthly update in the community meeting, or is there another format/audience that would better suit this discussion?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@krisfreedain Any thoughts?

@peternied peternied requested a review from davidlago November 11, 2022 20:54
@shanilpa
Copy link

@peternied Awesome job on this and can't wait to see what comes out of the community discussions! Here's some questions and maybe not so relevant feedback:

  1. Does the phrase "All OpenSearch Systems" include OSDashboards? This feels heavily focused on identity as a backend construct - I know this is what enables the front end identity system but curious if we want to open it up a little more to invite some of those OS Dashboards identity discussions as well. "Who can access visualizations" "Who can share" etc.
  2. I like the definitions in the footnotes however they link to a page with many definitions (some similar but not exact and this can be misinterpreted). Is out plan to work with the community to come to a common definition for these terms? If so I think that's something worth mentioning.
  3. This is a language suggestion - the document is written well but uses some uncommon/complex words which might be hard for people who aren't that strong in English to understand. Would we be able to simplify the language and make it more accessible so we don't exclude some people from contributing to discussions cause they had a hard time understanding the doc?
  4. What is a source of interaction? Seems like a central concept but I'm not sure I understand it looking through the document. - *this feedback might be because this is a common term and I might not be the audience for this doc
  5. "Actions have an existing protection model" - what are these actions? What's an action? *again maybe a common term and I'm not really the audience for this doc

Hopefully this is the type of feedback you were looking for and makes sense 😅

@peternied
Copy link
Member Author

Great feedback @shanilpa

  1. Does the phrase "All OpenSearch Systems" include OSDashboards? This feels heavily focused on identity as a backend construct - I know this is what enables the front end identity system but curious if we want to open it up a little more to invite some of those OS Dashboards identity discussions as well. "Who can access visualizations" "Who can share" etc.

Oh- good catch. I am referring only to the back-end components in this doc - do you have a recommendation on how I could position the document to make that clear?

The front-end ecosystem can certainly use these identities through new APIs. Features for relationship management/sharing scenarios are out of scope for what is planned in the roadmaps - but they could be developed in parallel with the existing security plugin features.

  1. I like the definitions in the footnotes however they link to a page with many definitions (some similar but not exact and this can be misinterpreted). Is out plan to work with the community to come to a common definition for these terms? If so I think that's something worth mentioning.

I'll reword to highlight these concepts to be more approachable

  1. This is a language suggestion - the document is written well but uses some uncommon/complex words which might be hard for people who aren't that strong in English to understand. Would we be able to simplify the language and make it more accessible so we don't exclude some people from contributing to discussions cause they had a hard time understanding the doc?

I'll do a pass to reword/simplify if you could make comments inline where you have specific suggestions that will make sure I don't miss anything. I'm showing my bias toward complex language

  1. What is a source of interaction? Seems like a central concept but I'm not sure I understand it looking through the document. - *this feedback might be because this is a common term and I might not be the audience for this doc

The sources are that bulleted list - but this might be a way I could set up the conceptual model. Ultimately everything is done by users, but sometimes the user does something directly via an API call, and other times they use a 3rd party system to make an API call. IMO we should be able to treat those differently.

  1. "Actions have an existing protection model" - what are these actions? What's an action? *again maybe a common term and I'm not really the audience for this doc

I'll expand as well and add a citation to the existing permissions documentation for those that want to dig in.

@pajuric
Copy link

pajuric commented Nov 14, 2022

Tentatively scheduled for publication on 12/6/2022.

Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Finished a first pass. Thank you for putting this together and making it public @peternied ! I am really looking forward to community input on this initiative.

_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Copy link

@cwillum cwillum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some general comments on the structure of the blog. I'll be available to clarify anything or discuss further, if it helps. Looking forward to seeing this rolled out.

Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peternied Thank you for adding this blogpost. Here are my initial thoughts:

_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
Copy link
Member Author

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks everyone for the great feedback, I've restructured the document trying to balance all of this into account. Even if you don't see your individual line item updates, know that I've got like four more technical docs brewing that will use that feedback - so thank you!

Housekeeping wise - pushed this out to a much more achievable mid-January timeframe.

Actions have an existing protection model – resources of a plugin do not, they must be implemented by each plugin developer separately. Being able to use shared systems for secure access and standard permissions schemes will make adding security features faster with fewer bugs.

## How to learn more?
Identity features are being built in a feature branch of OpenSearch, features/identity [4]. Roadmaps, documentation, findings, and functionality are in active development of that feature branch. Beginning in December there will be a monthly check-in during the OpenSearch community meeting.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@krisfreedain Any thoughts?

_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducting-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2022-12-05-Introducing-Identity.markdown Outdated Show resolved Hide resolved
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the update @peternied! I took a first pass and focused more on high-level content.

I like the conciseness of the post. It conveys a lot of information for a short blog post.

There are a couple of paragraphs that I think could use a bit of improvement when it comes to flow, but the core idea comes across in the post.

Through the post, there are a lot of mentions of extensions and it left me wondering if maybe we can describe it as a paradigm shift for OpenSearch which spurs the need to rethink security for OpenSearch. Lately, I have been describing the work as building a platform and the security features necessary to operate the platform securely.

_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved

As the core OpenSearch project begins its shift away from a plugin model to a framework that utilizes extensions, those extensions, its legacy plugins, and the administrators who manage them will need mechanisms for controlling access that are more granular and able to cover a broader range of scenarios where effective access control is critical. We are creating/building out/developing a new suite of features that are designed to provide comprehensive access control to OpenSearch’s ecosystem, and we collectively call these new features Identity.

The main objectives for Identity include:
Copy link
Member

@cwperks cwperks Dec 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙌 I like this structure of listing high-level objectives and diving into each one. These are my main takeaways when reading the post.

_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
Signed-off-by: Peter Nied <[email protected]>
Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM from security developer point of view

@pajuric
Copy link

pajuric commented Jan 14, 2023

@peternied - Please update the publish date for this blog to 1/18/2023. Also, please add front matter to this blog. It should be included just below the title, author, and date at the top of the blog. Here's the content:
Meta descrip: Learn about OpenSearch Identity and how this suite of features provides users with comprehensive access control and creates a better defense-in-depth posture.
Keywords: access control, OpenSearch security, OpenSearch identity, least privilege access

Copy link
Collaborator

@natebower natebower left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peternied @cwillum Please see my comments and changes and let me know if you have any questions or would like to discuss. Thanks!

_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-16-Introducing-Identity.markdown Outdated Show resolved Hide resolved
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>

Co-authored-by: Nate Bower <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
@peternied
Copy link
Member Author

@natebower Thanks for all the great feedback; I've made all of those updates
@pajuric I have added the metadata at the top of the blog, an author profile and updated the date to the 18th.

Copy link
Collaborator

@natebower natebower left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peternied Just a few more minor changes and you should be good to go.

_authors/peternied.markdown Outdated Show resolved Hide resolved
_posts/2023-01-18-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-18-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-18-Introducing-Identity.markdown Outdated Show resolved Hide resolved

And since we operate in the open-source community, we’d like to learn about your ideas and benefit from your contributions as we make progress.

Watch for further blog posts on specific identity and access control features, and join us for community meetings. Furthermore, you can stay informed of development by visiting the following resources in the OpenSearch repository:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think it would be a good idea to provide links to where the reader can submit their ideas or join a community meeting.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a feedback link

_posts/2023-01-18-Introducing-Identity.markdown Outdated Show resolved Hide resolved
peternied and others added 3 commits January 18, 2023 09:42
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>

Co-authored-by: Nate Bower <[email protected]>
natebower
natebower previously approved these changes Jan 18, 2023
Copy link
Collaborator

@natebower natebower left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@natebower
Copy link
Collaborator

@pajuric @krisfreedain Approved and ready to publish.

@pajuric
Copy link

pajuric commented Jan 18, 2023

@peternied - Looks like the meta description and keywords fell off the post. Please confirm they are included before publishing.
Meta descrip: Learn about OpenSearch Identity and how this suite of features provides users with comprehensive access control and creates a better defense-in-depth posture.
Keywords: access control, OpenSearch identity, OpenSearch security, least privilege access

@peternied
Copy link
Member Author

@pajuric I've added those fields, let me know if that captures what you are looking for

@pajuric pajuric closed this Jan 18, 2023
@pajuric pajuric reopened this Jan 18, 2023
@krisfreedain krisfreedain self-assigned this Jan 18, 2023
Copy link
Member

@krisfreedain krisfreedain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peternied - two minor edits requested - thanks!

_posts/2023-01-18-Introducing-Identity.markdown Outdated Show resolved Hide resolved
_posts/2023-01-18-Introducing-Identity.markdown Outdated Show resolved Hide resolved
@peternied
Copy link
Member Author

@krisfreedain I've made those updates, thanks

@krisfreedain krisfreedain merged commit 73908a3 into opensearch-project:main Jan 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
new blog New blog post
Projects
Status: Done
Status: Done
Development

Successfully merging this pull request may close these issues.

[Blog Post] Introducing Identity for OpenSearch
10 participants