Introducing Identity for OpenSearch blog post #1149

Merged on Jan 18, 2023 (18 commits). Changes from 6 commits.
44 changes: 44 additions & 0 deletions _posts/2023-01-16-Introducing-Identity.markdown
@@ -0,0 +1,44 @@
# Introducing Identity for OpenSearch

OpenSearch's existing access control features included in the Security plugin let administrators apply access control to indexes and cluster actions so that users have the right permissions to do their work and the cluster is protected from unwanted activity. However, the features for access control that are currently in place do have certain limitations that can make it hard to use them with other plugins.

As the core OpenSearch project begins its shift away from a plugin model to a framework that utilizes [extensions](https://github.com/opensearch-project/OpenSearch/issues/2447), those extensions, its legacy plugins, and the administrators who manage them will need mechanisms for controlling access that are more granular and able to cover a broader range of scenarios where effective access control is critical. We are developing a new suite of features that are designed to provide comprehensive access control to OpenSearch’s ecosystem, and we collectively call these new features "Identity".

Identity’s main objectives include:

- Provide mechanisms for OpenSearch, plugins, and extensions that can check permissions before attempting an action.
- Restrict plugins or extensions from performing actions unless they have been granted access.
- Introduce functionality that allows background tasks to run with the same access controls as interactive user requests.
- Add new security boundaries inside OpenSearch that create conditions for a better defense-in-depth posture.

Let’s look at some ways we plan to meet these objectives.

### Permission checks
Collaborator

There is no Heading 2. I would add one above "Let's look..."


Application developers need to know what the current user is capable of doing and not capable of doing. OpenSearch doesn't have a way to communicate these capabilities today.

Similar to knowing what the actions the current user can perform - administrators set permissions on users in OpenSearch. These permissions can be complex and administrators need a way to know those permissions are set correctly.

Identity’s approach to filling this gap is to develop a series of APIs that will allow checks on permissions, whether those permissions have to do with a plugin, an extension, or core OpenSearch itself.

### Plugins and Extensions restrictions

Feeling confident installing apps on mobile phone is in part because there are limits on what apps can do. OpenSearch's plugins have had few limits making them risky for Administrators to install.

By associating the plugin/extension activities with permissions checks on OpenSearch, we can ensure that limits are enforced. These permissions will be the same as those used to grant users access - reducing the complexity and risk for Administrators.

### Background tasks permissions

Many tasks run in the background of an OpenSearch cluster such as deleting old indices, producing monitoring data, and generating reports. When these different tasks execute, each should only have minimal set of permissions it needs to protect against mistakes or unintended consequences.

### Security Isolation

Using the lowest level of privileges when any task is executed is a key to prevent mistakes or software defects from impacting the stability of an OpenSearch cluster. By enforcing protections everywhere inside OpenSearch, the blast radius of these incidents will be drastically reduced.

Suggested rewrite (everything under "Security isolation"):
"Using a minimum number of permissions to run tasks is key to preventing execution errors or software flaws from having an impact on the stability of an OpenSearch cluster. Identity will launch features that can protect all of the separate elements in OpenSearch by isolating the potential impact a problem with one part may exert on another. As a consequence, this will reduce the reach of errors and keep them from affecting other areas of OpenSearch."

Q: Can you check me on the meaning and make sure I haven’t taken this off course? I’m admittedly having to use a little imagination here.

I was just looking over something that DC had commented on in another PR regarding the principle of least privilege. Is that the idea here? If yes, I suppose this should be reworded to "Using a minimal set of privileges to allow users to run tasks is key ...". If it's important to emphasize this idea, I could revise this to place a sharper point on the concept and make clear that it's a driver behind this objective.

Member Author

> I was just looking over something that DC had commented on in another PR regarding the principle of least privilege. Is that the idea here? If yes, [...]

Yes this is the case. On the topic of who is creating these permissions, they will be managed internally by the OpenSearch team, so while administrators/users of a cluster will benefit, the only action they need to take is using the latest version.

Hold on, that's big ([permissions will be] managed internally by the OpenSearch team, so while administrators/users of a cluster will benefit, the only action they need to take is using the latest version).
Are you adding that? At least, "the only action users need to take is to keep versions up to date."


## Get Involved

This is a paradigm shift, security features will be easier for OpenSearch developers to access and rely on. We are in the process of defining and building the Identity systems into the core of OpenSearch.

Suggested rewrite (everything under "Get involved"):
"Identity presents a significant departure from the current security model. It does so to provide features that make it easier for OpenSearch developers to access and build assets and for administrators to carry out tasks in a stable environment. Over the last several months we’ve been busy defining new features and building out the tools to prepare for the integration of Security into core OpenSearch. We’ve struck out on this path in an effort to make security features for OpenSearch more efficient, more reliable, and simply easier and more enjoyable to work with.

And since we operate in the open source community, we’d like to learn about your ideas and benefit from your contributions as we make progress and move development along.

Keep an eye out for further blog posts on specific features for Identity, and join us for presentations during the community meetings. Furthermore, you can stay on top of development by visiting the following resources in the OpenSearch repository:

Support for native authentication and authorization in OpenSearch
Feature branch for Identity
Current issues for Identity

We look forward to your participation."

Q: Do you want to provide some instruction for ways to join the community meetings?

Regarding the comment from shanilpa about terminology, what do you think about adding these for now in a level four heading? I'm not sure what the blog style guide says about this. But I can look into it. For now, this suggestion:

Terms in this blog

  • OpenSearch—a community-driven and open source (Apache 2.0 licensed) search engine.
  • Plugin—a small piece of software designed to customize a larger software application. Plugins do not modify the core functionality of the larger application, they only add to the core functionality.
  • Extension—a software program designed to enhance and extend functionality of a larger software application. Extensions do involve some integration with the core of the larger application to meet the aims of the extra functionality it introduces.
  • Permissions—rights and privileges granted to a user that allow the user to perform specified tasks within a software application or platform. Permissions are typically managed by administrators responsible for overseeing who gets access to different parts of the platform.

Member Author

> Q: Do you want to provide some instruction for ways to join the community meetings?

Good call, I'll add a link

Member Author

> Terms in this blog ...

Love this. It looks like GitHub supports footnotes[1], let me know what you think.

Footnotes

  1. https://github.blog/changelog/2021-09-30-footnotes-now-supported-in-markdown-fields/

That is pretty slick!


As Identity impacts many facets of the OpenSearch ecosystem we would like your ideas and contributions to be engaged during the development process [link](https://github.com/opensearch-project/OpenSearch/issues/4514) and watch this [feature branch](https://github.com/opensearch-project/OpenSearch/pulls?q=is%3Apr+base%3Afeature%2Fidentity) or [label](https://github.com/opensearch-project/OpenSearch/issues?q=label%3AIdentity+) in OpenSearch.

Expect more blog posts on Identity features and presentations during the community meetings.
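
Review bot: In "Background tasks permissions", the text says each task "should only have minimal set of permissions it needs", while the objectives list promises background tasks that "run with the same access controls as interactive user requests". These are different guarantees, and the section does not say how Identity will deliver either one. Suggest aligning the two statements and adding a sentence on the mechanism, as the "Permission checks" and "Plugins and Extensions restrictions" sections do. "Security Isolation" should name the principle of least privilege explicitly, since "Using the lowest level of privileges" is that idea. Smaller points: the sentence "Similar to knowing what the actions the current user can perform - administrators set permissions" does not parse, the "[link]" anchor text in the closing paragraph should describe its target, and heading capitalization is inconsistent ("Permission checks" vs. "Security Isolation").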