Determine how auth tokens are forwarded to Extensions #2764
Comments
We can use this: opensearch-project/OpenSearch#7452. The security plugin would implement the interface and then the Extension manager could pass everything into the RestSendToExtensionAction.
[Triage] Assigned to @scrawfor99. Please update with more details on what the initial interface will look like.
Overview of the interface: PR opensearch-project/OpenSearch#7452 will introduce a new TokenManager interface to be used as a template for what an IdentityPlugin will expect any implementation to support. The TokenManager interface defines five operations which are supposed to be implemented:
Each of the implementing methods is relatively straightforward. The only ones which may require complicated handling are token issuance and token revocation. Issuing a token is likely to require overloading the method in some implementations of the IdentityPlugin. For example, you may need to pass extension information to an IdentityPlugin for a new token to be created for that extension. At the same time, a key-based system could simply generate a random key with no information. Revoking a token can also be complicated depending on the implementation. For example, you would not want to create a revocation list for a token that encoded BasicAuth information. Instead, you may need to erase the token to effectively disable it.
@scrawfor99 Is there a companion security PR?
With the security plugin, the auth token to be forwarded to an extension will be generated after successful authentication on a request destined for an extension. The actual request forwarding is performed in the extensions REST handler RestSendToExtensionAction. This handler needs to be able to obtain the generated token to forward to the extension.