-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE] Security support for extensions #1895
Comments
This security plugin is not in a good position to support a feature that is built into OpenSearch's codebase, looking at how we are considering building extensions security related features should be built into the core of OpenSearch instead of through its plugin systems. I am going to close this issue. However, having a hand in developing security for extensions is a discussion we would like to influence - I will create an issue in core and we can have a basis of discussion there. For the specific topics mentioned:
There is an existing user object in the common-utils codebase, this object can't be injected/extracted as is currently done since it requires a shared thread context model. There is work in opensearch-project/opensearch-sdk-java#14 that I believe is the foundation for resolving this problem. Is there a place where API contracts of extensions are under discussion or should I start proposing the api request/responses?
Persisting identity is a very difficult problem to solve. I think we need a new series of APIs that allow for out of band/non-interactive request to create actions on behalf of a user. This will require first coming to terms with the identity management system in OpenSearch, but also the access mechanisms (eg, do we follow a pattern from AWSs assume role APIs, or is there another convention we should be adopting |
All in all - I think we have an opportunity to design a better security posture for OpenSearch and its extensibility models. Asks like this highlight the need for more thought and alignment generation in this space, thanks for calling out these concerns. |
Note; Leaving this open until those called out areas are documented in the SDK |
Hi Sarat, Thanks for starting this thread. Could you pls elaborate on specific needs across the following themes that you highlighted (comments inline)
In addition im also curious to get your thoughts on whether extensions will be able to create their own metadata/storage files, or is that something that could be part of a security SDK? Thanks |
Thanks @jimishs for these questions. This was written 6months ago, I have updated the issue with more granular details of the problems.
"Plugins are validated during install time as they are only bootstrapped once during a lifetime of a node. They are validated by
"Extensions SDK should be able to restrict host level access(file system, network, execution etc) based on security policy."
Sure, Anomaly Detection extension will create detectors, Alerting will create monitors. These resources have to be gated by user identity.
"[Extensions] Extensions by default should not have any permissions, and are explicitly granted based on defined policies. I hope that helps. Let me know what other questions do you have. On a side note: @peternied @dbwiddis @dblock @nknize I've updated the issue with sets of problems/requirements, would love your feedback and thoughts. |
Thanks for the updates @saratvemulapalli some areas I'd like more details on:
Can you give me an example for how the first requirement is different from the second?
Is this needed for remote extensions? When you say security policy, does this mean the intention is to keep reusing the JSM based policy files for extensions sharing a host? FYI @cwperks |
Coming at this from a slightly different perspective, so this comment is not particularly a reply to anything above but more my own understanding of how things are planned to work. Current State:
Future State with extensions:
Overall summary:
|
@peternied Thats a great question, my head wanted to say Transport APIs and Rest APIs. I'll combine both of them together to make it concise.
Yes, its for all extensions running with the SDK. Not really leaning onto one solution, I've used security policy as an example which everybody gets it, but we could piggy back on JSM but the risks are obvious as its deprecated. |
I'm not seeing how restrict host level access falls into the Extensions SDK, could you expand on this and frame it this with a user problem? |
Coming from:
[Meta] Making OpenSearch Extensible opensearch-project/OpenSearch#2447
[Meta] Plugin Sandboxing (a.k.a extensions) opensearch-project/OpenSearch#1422
Problem
As we are building extensions, security is an integral part of everything we deliver. We see a bunch of problems for plugin security and would like to solve them from Day 1 for extensions.
Anomaly Detection: https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/java/org/opensearch/ad/util/ParseUtils.java#L465
Alerting: https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/transport/SecureTransportAction.kt#L78
Anomaly Detection: https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/java/org/opensearch/ad/transport/IndexAnomalyDetectorTransportAction.java#L95
Alerting: https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportExecuteMonitorAction.kt#L68
Alerting-Anomaly Detection integration: https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/InputService.kt#L149
Anomaly Detection: https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/plugin-metadata/plugin-security.policy
Alerting: https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/plugin-metadata/plugin-security.policy
bin/opensearch-plugin
installation tool. Extensions can be installed/modified/removed on the fly and needs identity validation before it joins the cluster.Requirements
Refactored these requirements from June 2022 to explain the problems above.
The text was updated successfully, but these errors were encountered: