[Extensions] Add support for extension_dns list in extensions.yml file
#2730
Comments
cwperks
added
enhancement
|
This PR introduced a mechanism for an extension to perform transport requests with the cluster and the request is identified through the threadcontext header |
|
I would recommend to avoid using acronyms in config files so they are easy to search / gain context on such as |
|
@peternied How about support for both |
|
That proposal is overly complicated, I'm just providing feedback about the name |
davidlago
added
triaged
…nsion settings bwcPluginMode and extensionDistinguishedNames Signed-off-by: scosta <[email protected]>
|
Just commenting here for awareness, im adding this setting at the same time as adding bwcPluginMode setting from issue #2616 |
…nsion settings bwcPluginMode Signed-off-by: scosta <[email protected]>
Description Add support for extension domain name check, similar to how it's done for admin certificate or for nodes from different clusters More about that in the task: #2730 Issues Resolved #2730 Currently the implementation looks like this: During extension initialization via REST call, DNs are passed in the request body: curl -XPOST -k -u user:password "https://localhost:9200/_extensions/initialize" -H "Content-Type:application/json" --data '{ "name":"hello-world", "uniqueId":"hello-world2", "hostAddress":"127.0.0.1", "port":"4500", "version":"1.0", "opensearchVersion":"3.0.0", "minimumCompatibleVersion":"3.0.0", "dependencies":[{"uniqueId":"test1","version":"2.0.0"},{"uniqueId":"test2","version":"3.0.0"}], "distinguishedNames": ["CN=extension-0.example.com,OU=node,O=node,L=test,DC=de"] }' In next iterations I'd like to store configuration in index and make it dynamic. PR on openserch-core side: Here's old PR that I created at the beginning of working on the task, additional input from @cwperks is there. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Maciej Mierzwa <[email protected]>
|
Merged: #3031 |
|
@MaciejMierzwa does that mean this issue is ready to be closed? or are there other PRs needed before we do so? |
github-project-automation
bot
moved this from In Progress
to Done
in Security for Extensions
Similar to the setting
plugins.security.nodes_dnwhich lets a cluster admin define the list of distinguished names that a node of the cluster can use to join the cluster with, extensions need an analogous mechanism. The distinguished name is extracted from the node's transport certificate and identifies a request as coming from a node (though not uniquely - nodes can connect with the same distinguished name and this is even done in the demo configuration!).This new setting will initially be static, though this needs to also be dynamic in future iterations similar to the
nodes_dn.ymldynamic configuration file.This setting can reside in the
extensions/extensions.ymlfile like so:The text was updated successfully, but these errors were encountered: