-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Question] How can requests coming from an extension interact with the OpenSearch cluster? #2572
Comments
I know I wrote the blurb originally, but looking at it again this should apply to all extensions and not just out-of-process ones. There are additional considerations for in-process extensions as direct manipulation of immutable areas of the ThreadContext will need to be forbidden. |
When core receives a request originating from an extension it needs to:
When it comes to looking up the extensions permissions, what do you think of the following convention. The extensions will have a corresponding internal user with a name that matches the extension id. This is a special internal user, a service account, that corresponds to the extension system. A service account is:
When the request is received at core it will identify the extension, lookup its service account to get the role and then lookup the role definition to get the extension's permissions. By convention, the role name could also match the service account name so that a direct lookup can be done. All of this is in the config cache and should be performant. |
I created an analogy for a hypothetical extension and here are some thoughts: This analogy assumes that all requests that originate from an extension are governed by the same policy and it would not consider the original user's permissions for the requests that originate from the extension. As long as the user is permitted to use the route that the extension registers then the request will be permitted to flow to the extension and handled from there using the extension's governing policy for how it can interact with the cluster. UserA makes request to Word Count Extension[TM] to get word count of the word
Tracing this action out: We authorize this request initially in the REST layer with the security plugin and ensure user has permission to
One of the challenges of trying to reconcile the policy that governs how requests coming from an extension can interact with the cluster and the user's permissions is FLS/DLS. By having a single policy in place that makes it clear that any request from an extension is permitted to do action X, Y, Z on indices 1, 2 and 3 then I think it would be easier cognitive burden on the person setting up the policy. What would be great is if it was possible to compare 2 permission sets. i.e. If UserA's permissions are a superset of the policy for ExtA then they can do anything the extension can so let the request go through assuming that UserA is allowed to perform the action registered by ExtA. However, if UserA's permissions are more restricted than the policy for ExtA then don't permit the request - Its tricky to compare permission sets with the current model On installation of this extension, the cluster admin could be presented with multiple prompts:
|
Hi @cwperks, thank you for your thoughtful reply. The scenario you outlined is definitely something I have been considering as I have looked at designing our permissions system. What you have proposed seems good to me in general though there are a couple issues that I have been mulling over. First, in your flow, you mention at 3 checking only the permissions of the extension. To me, this seems counter to what we discussed yesterday of carrying the user credentials on the token the entire time. It looks like we have tossed the user credentials and are now only dealing with extension credentials for the request. I assume I am misreading this, but that is how I currently interpret what you outlined. Second, I am not sure how the policy in you reference after 5. comes into play. If you mean that we should have a single policy to represent the user and extension permissions, I am not sure I see how that would work. This would require a lot of different policies for a single extension and become intractable before too long (we would need one policy per extension per user). Alternatively, if you are referring only to the extension permissions than I certainly agree. I do not think that we would ever want to have multiple policies to resolve the permissions from if we could help it. I would recommend we have a single policy for the user and a single for the extension and look for the intersection of the two to represent the actions that the extension can perform on behalf of the user. For the actions the extension wishes to perform on its own, I would recommend we only looked at the extension's permissions and treated the "user" in this case as the cluster administrator (who should have all permissions). This would mean that when an admin installed the extension they were granting it the ability to execute all actions they gave it permission for without a user. Otherwise, I think everything you wrote makes a lot of sense. I am certainly in favor of a design very similar if not identical to the shell you outlined here. |
@scrawfor99 yes, this is a bit of a change from yesterday's discussion on considering the user's permissions when an extension makes a request to opensearch on behalf of a user. The primary problem is that it becomes challenging to consider DLS and FLS for these situations. Say for instance that an extension tries to search a table of employees on behalf of a user. The user is restricted to only see employees in the HR department and requests from the extension are only allowed to see employees located in the US. What would you expect the result of the query to be? I would probably expect the intersection of the 2 which would give the employees in the US who have the HR role. Currently roles with DLS are ORed together so it returns all of the documents viewable across all of the roles assigned to a user and its not clear how to implement DLS with AND. Its also a bit confusing to understand how this will work from a cluster admin POV. In the example above it would be possible for the cluster admin to achieve the user's restrictions of only seeing records with the HR roles, but in order to achieve that the cluster admin would need to have the restriction on the extension's policy for how requests coming from it can interact with OpenSearch and it would apply to all requests coming from the extension. The other problem is that considering the user's permissions on a request coming from the extension would only provide a veneer of Security. We can't prevent what the extension will do with the data once its been provided to the extension. If one user has DLS/FLS restrictions and another user doesn't and the extension gets all the data, then its already outside the trust boundary and cannot be ensured how it is presented to other users. IMO there should be a single policy that governs how requests coming from the extension can access data from OpenSearch and that will be used to evaluate whether the request is permitted. Users would be restricted from using an extension based on the user's permissions. |
Hi @cwperks, thank you for the follow-up. I understand better what you are getting at now. I would agree that it would probably make the most sense to provide the AND of the filters as opposed to the typical OR. I was originally thinking of using the AND for such a scenario. In order to do this, we would likely be best off recursively applying the filters if that makes sense. So you would first only look at the HR employees and then only look at the US results in that group. This would give you the AND though it would be expensive. That being said, if we do not want to go this route that is fine. To your final paragraph, to what extent do you mean users would be restricted from using an extension? Would they need all the permissions that the extension had? I think that we would run into issues if we were to not allow people to use an extension at all just because they lacked one of the permissions for something specific. I may not want every employee to be able to edit the documents in our directory extension, but I probably am fine with all employees being able to see each other. Did you mean something else? |
Hey @scrawfor99 let's take AD for an example which currently defines the following 2 roles:
Notice all of the index permissions that AD provides in its full_access role - that's because in order to use AD to the fullest the user needs to be able to read from all indices. Upon further review, I'm not crazy about this pattern because its also giving full read permissions to the cluster by assigning this role, but let's set that aside for now. In the extensions world let's break it down by the following:
To recap: In 1) it defines roles that are mappable to a user. These define what actions they can perform on the extension and they map to endpoints. We will block requests in the REST-layer before forwarded to the extension if the user is not permitted to perform the action. For 2) this policy governs how requests coming from AD can interact with the cluster. For optimal use, the AD extension is requesting to be able to read from all indices. If a cluster admin wants to apply DLS/FLS they would do so there. |
Hi @cwperks, thank you for your detailed explanation. I think I better understand your suggestion now. I do have one question about your example. Why have we split based on cluster and index permissions? I am not sure why these would be split in such a way. It seems either could be part of the user defined roles (1) or the permissions being granted to the extension itself (2). I don't see a clear difference in the types of permissions outside of the general naming convention we use. Is there something that makes cluster permissions unsuitable to be granted to the extension in 2? Or vice versa? Thank you again for your thoughtful responses and suggestions. |
@scrawfor99 Read the comment I put in for the 2 user roles up above ;). It is not split by cluster/index permission. Ideally for the user roles, they are namespaced in such a way that its easy to see at a glance that its an action for an extension. Perhaps
There is nothing preventing cluster permissions when defining the policy that governs how requests coming from the extension can interact with the cluster. The word count example above had cluser_permissions defined. Here's the examlpe above with AD modified to also include cluster permissions.
|
Hi @cwperks, thank you for the quick reply. I think I must have misunderstood your comment when you said "in the extension world." I was not sure if you meant this is what things should like once extensions are released. Ultimately, it seems like your proposal would require extension authors to request the extension itself be granted the equivalent of an all_access role on installation. Is this correct? I am not against the idea, but trying to understand how we could go about getting extension creators to know which privileges to request for their extension. Regardless, what you have proposed seems good to me. |
Hi @opensearch-project/security, I am going to make some executive decisions to try to drive these questions to a resolution. For each of the points below, I will be moving forward unless I hear objections by Wednesday 4/5.
NOTE: After discussion, we will support DLS/FLS for user accounts and on-behalf-of tokens acting as those users. Likewise, we will support DLS/FLS for service accounts and auth tokens representing them when an extension makes an independent action. We won't be P0 supporting filters on the scope of an extensions permissions. Meaning there will be no way to restrict the access of an extension across all use cases. You cannot say an extension can READ for all use cases can't just not this one index. This is the scenario that is complicated to resolve and is going to be left for a later date. |
@scrawfor99 See responses below:
and
I would expect these policies to be ANDed together for a SearchRequest coming from the extension to the employees index on behalf of UserA. The result set would only contain documents from NY. Note: I have briefly looked into what it would take to implement this and it was not straightforward at first glance. More work needs to be done in this regard, but I would prioritize other work items first since this extension policy is a new feature and not something that exists with plugins today. Its certainly on the radar. |
I think there are two separate scenarios:
Both of these options don't require 'additional' features or structures to support DLS/FLS scenarios - I think this is good for our initial release. What do folks think? For administrators that want to absolute control of data accessed by an extension, they should not allow use On-Behalf-Of tokens. We should book out work to message / document this behavior and its implications. I suppose customers could request additional layers of filtering to build additional assurances, but lets revisit these advanced scenarios after building the minimal support. |
Hi @cwperks, Thank you for your quick reply. To your replies:
|
@scrawfor99 Sorry to get hung up on language again. I'm getting confused with the phrase
For the service account token use case, that request will be granted based on the role associated with the service account. If any identity has permission to modify the security configuration of the cluster (including if its the service account token associated with an extension) it should be assumed that it can do anything. |
See the comment over here: #2587 (comment) for greater detail about the service gate and user gate |
Hi @cwperks, no problem. I know the terms can make talking about stuff challenging since we all may refer to the same things a little differently. Basically the plan is this: Use config files to define 1. The scope of what an extension can do; 2. What permissions the service account will have. I am not looking at requests originating from users but instead requests coming from the extensions and then operating using the service accounts. |
@scrawfor99 I'd like to get your thoughts on the comment posted over here: #2587 (comment) that touches upon some thoughts I've had on the subject in richer detail. I think what's posted there would give us a good deal of security, flexibility and will enable a great deal of code re-use so I would advocate for something along the lines of what is presented there. The comment also has example configs. I'm still not quite sure about what is meant by "The scope of what an extension can do"? Can you elaborate? |
HI @cwperks, I will review and leave a comment now. |
Closing with decisions: How can an admin grant and revoke service account permissions?
How is an extension prevented from elevating its own permissions?
How does DLS/FLS work for extensions?
|
Problem Statement
This issue tracks specific design questions about Service Accounts.
What type of REST requests are intended for extensions?
How does the Security Plugin interact with REST requests?
What is the current method of signifying things?
Action items decided on this issue:
There are a couple options for handling how an administrator can grant or revoke extension permissions.
The two main options for preventing an extension from elevating its own permissions are:
There are two main options for handling DLS/FLS for extensions.
A, B
and the extension had patternsC, D
, then the final request would be treated as if the extension had patternsA, B, C, D
.The text was updated successfully, but these errors were encountered: