Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introducing Identity for OpenSearch blog post #1149

Merged
merged 18 commits into from
Jan 18, 2023
Merged
Show file tree
Hide file tree
Changes from 12 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions _authors/peternied.markdown
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
name: Peter Nied
short_name: peternied
photo: '/assets/media/authors/peternied.jpeg'
github: peternied
---

**Peter Nied** is a Software Engineer at Amazon Web Services, focusing on OpenSearch security.
peternied marked this conversation as resolved.
Show resolved Hide resolved
73 changes: 73 additions & 0 deletions _posts/2023-01-18-Introducing-Identity.markdown
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
---
layout: post
title: "Introducing identity and access control for OpenSearch"
authors:
- peternied
date: 2023-01-18 00:00:00 -0700
categories:
- technical-post
---

# Introducing identity and access control for OpenSearch
peternied marked this conversation as resolved.
Show resolved Hide resolved

The existing OpenSearch[^1] access control features included in the Security plugin let administrators apply access control to indexes and cluster actions so that users have the right permissions[^2] and the cluster is protected from unwanted activity. However, the current access control features do have certain limitations that can make it difficult to use them with other plugins.

As the core OpenSearch Project begins its shift away from a plugin[^3] model to a platform model that utilizes extensions[^4], those extensions, its legacy plugins, and the administrators who manage them will need mechanisms for controlling access that are more granular and able to manage a broader range of scenarios where effective access control is critical. We are developing a new suite of features that are designed to provide comprehensive access control to the OpenSearch ecosystem, and we collectively call these new features _identity_.
peternied marked this conversation as resolved.
Show resolved Hide resolved

The main objectives are to:

- Provide mechanisms for OpenSearch and its plugins and extensions that can check permissions before attempting an action.
- Restrict plugins and extensions from performing actions unless they have been granted access.
- Introduce functionality that allows background tasks to run with the same access controls as interactive user requests.
- Add new security boundaries inside OpenSearch that create conditions for a better defense-in-depth posture.

## Detailed objectives

Let’s look at some of the ways we plan to meet these objectives.

### Permission checks

To work effectively, application developers need to know what users can and cannot do in OpenSearch based on the permissions assigned to them. Likewise, administrators responsible for setting up users and the permissions assigned to users require a reliable way to make sure the permissions are configured correctly. Given the degree of complexity that these configurations can reach in large systems, there needs to be a way to verify which users have what permissions. At this time, a mechanism that would allow administrators and developers to check these mappings doesn’t exist.

The approach to closing this gap is to provide a robust set of APIs that will allow these checks on permissions. Furthermore, these APIs should have the capacity to work not only in core OpenSearch but across all plugins and extensions as well.
peternied marked this conversation as resolved.
Show resolved Hide resolved

### Plugin and extension restrictions

Just as downloading an app to your smartphone includes restrictions intended to prevent surprises and risk, downloading a plugin to OpenSearch should be just as safe and predictable a process. To create this kind of experience for all actions involving plugins and extensions, we intend to introduce certain restrictions that will allow administrators to handle tasks confidently and avoid having to second-guess whether an action might involve any risk.

To ensure that these kinds of limitations are enforced, we plan to leverage the same structures used to grant users access and map permissions for all plugin and extension management activities. As a result, we will reduce the complexity and risk involved in managing these tasks.

### Background task permissions

There are many tasks that run in the background of an OpenSearch cluster, such as deletion of old indexes and generation of monitoring data and reports. When these tasks run, each should have only the minimum number of permissions needed to protect against task errors and any unintended results and their consequences.

Associating identity to tasks will ensure that permissions applied to these tasks are well defined and effective at preventing errors and unexpected results.

### Security isolation

Following the principle of least privilege, using a minimum number of permissions to run tasks is key to preventing execution errors or software flaws from impacting the stability of an OpenSearch cluster. By adding features that can protect all of the separate elements in OpenSearch by isolating the potential impact a problem in one element may have on another element. This will reduce the spread of errors and keep them from affecting other areas of OpenSearch.
peternied marked this conversation as resolved.
Show resolved Hide resolved

## Get involved

These features present a significant departure from the current security model. It does so by providing features that make it easier for OpenSearch developers to access and build assets and for administrators to carry out tasks in a stable environment. Over the last several months, we’ve been busy defining new features and building tools to prepare for the integration of Security into core OpenSearch. We’ve struck out on this path in an effort to make OpenSearch security features more efficient, more reliable, and simply easier and more enjoyable to work with.
peternied marked this conversation as resolved.
Show resolved Hide resolved

And since we operate in the open-source community, we’d like to learn about your ideas and benefit from your contributions as we make progress.

Watch for further blog posts on specific identity and access control features, and join us for community meetings. Furthermore, you can stay informed of development by visiting the following resources in the OpenSearch repository:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think it would be a good idea to provide links to where the reader can submit their ideas or join a community meeting.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a feedback link


- [OpenSearch meetup group events](https://www.meetup.com/opensearch/events/)
peternied marked this conversation as resolved.
Show resolved Hide resolved
- [Support for native authentication and authorization in OpenSearch](https://github.com/opensearch-project/OpenSearch/issues/4514)
- [Feature branch for Identity](https://github.com/opensearch-project/OpenSearch/pulls?q=is%3Apr+base%3Afeature%2Fidentity)
- [Current issues for Identity](https://github.com/opensearch-project/OpenSearch/issues?q=label%3AIdentity+)

We look forward to your participation!

## Terms in this blog post

[^1]: OpenSearch – A community-driven, open-source (Apache 2.0–licensed) search engine.

[^2]: Permissions – Rights and privileges granted to a user that allow the user to perform specified tasks within a software application or platform. Permissions are typically managed by administrators responsible for overseeing who can access different parts of the platform.

[^3]: Plugin – A piece of software designed to customize a larger software application. Plugins do not modify the core functionality of the larger application; they only add to the core functionality.

[^4]: Extension – A software program designed to enhance and extend the functionality of a larger software application. Extensions involve some integration with the core of the larger application to meet the aims of the extra functionality they introduce.
Binary file added assets/media/authors/peternied.jpeg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.