-
Notifications
You must be signed in to change notification settings - Fork 285
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security/Extension] Extension Authentication Backend #2672
[Security/Extension] Extension Authentication Backend #2672
Conversation
Testing is WIP |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Ryan, I wanted to give you some early feedback. Overall, looks like you are on the right track! Great tests!
JwtParser _jwtParser = null; | ||
|
||
try { | ||
if(signingKey == null || signingKey.length() == 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this throw an error instead of just logging?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes this will directly skip the else
and throw another error log L110 with an runtime exception at L112. The way we want to do it in this way is because we would like to log some specific information for user to know the reason of failure creation of this token. There are also some try
/catch
statements in the else
for checking encryption algorithms, and each of them will work in the same pattern. It will tell the user why they failed first by these error logs and give them the runtime exception at L112.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't this require a throw statement in order for catch block at L110 to catch it?
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
} | ||
|
||
final int index; | ||
if((index = jwtToken.toLowerCase().indexOf(BEARER)) > -1) { //detect Bearer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a standard-practice implementation? It may be possible to replace this with .match(BEARER)
or something similar
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think it is also work with the .match()
. I was following the same expression in HTTPJwtAuthenticator.java
(L170). So, maybe we should just leave like this.
// We expect a String. If we find something else, convert to String but issue a warning | ||
if(!(subjectObject instanceof String)) { | ||
log.warn("Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.", subjectKey, subjectObject, subjectObject.getClass()); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to allow this conversion or should we just throw an error? What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the original HTTPJwtAuthenticator.java
it does the same thing. I believe the reason to do this is that we also need to handle the case for some nonString claims. In the test case, we also have a test case called testNonStringClaim
. I think this scenario only happens when the user enable the BWCMode, which means instead of passing encoded roles, plain text roles will be passed into the claim. For the disabling of BMCMode, the role will always be encrypted, so that it will always be an encrypted string
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The message here shouldn't contain the word roles
. Can you update the message to Expected type String for subject...
This should be updated in the HTTPJwtAuthenticator
as well. There is overlap between here and the HTTPJwtAuthenticator
class. Maybe we can create a utility class with static methods or maybe add these to an abstract class that both inherit from?
src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Outdated
Show resolved
Hide resolved
I'm working on the fix of just 1 test case: |
The CI will be fixed after the merge of #2715 |
return null; | ||
} | ||
|
||
String jwtToken = request.header(HttpHeaders.AUTHORIZATION); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mean that this takes anything passed in the Authorization
header as long as it doesn't contain the word Basic
anywhere? In the next block if it contains the word bearer
it will strip that out and trim the rest?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @RyanL1997 , I took a first pass at this and like the progress and tests that have been added here. Do you have any thoughts about configuration of this backend? Is this a special backend that if extensions is enabled then is evaluated before the list of auth domains in the authc
section of the security plugin config.yml
file? Have you been able to install the security plugin with this change into an opensearch node and show the change in use?
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
} else { | ||
final String rolesClaim = rolesObject.toString(); | ||
//IF THE USER IS IN BWC MODE WE ARE EXPECTING UNENCRYPTED ROLES. IF THE BWC MODE IS OFF WE ARE EXPECTING ENCRYPTED ROLES | ||
if (rolesClaim != null && !BWCMode) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The null check isn't needed here or in the else if, this will never be null.
// We expect a String. If we find something else, convert to String but issue a warning | ||
if(!(subjectObject instanceof String)) { | ||
log.warn("Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.", subjectKey, subjectObject, subjectObject.getClass()); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The message here shouldn't contain the word roles
. Can you update the message to Expected type String for subject...
This should be updated in the HTTPJwtAuthenticator
as well. There is overlap between here and the HTTPJwtAuthenticator
class. Maybe we can create a utility class with static methods or maybe add these to an abstract class that both inherit from?
src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @RyanL1997, things look very good here. I would be happy to approve if you are able to address Craig's comments. I think he covered everything.
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
4abc74c
to
f43c9a6
Compare
Codecov Report
❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more. @@ Coverage Diff @@
## feature/extensions #2672 +/- ##
========================================================
+ Coverage 61.57% 61.59% +0.02%
- Complexity 3409 3426 +17
========================================================
Files 274 275 +1
Lines 18836 18971 +135
Branches 3293 3309 +16
========================================================
+ Hits 11598 11686 +88
- Misses 5638 5674 +36
- Partials 1600 1611 +11
|
* GitHub history for details. | ||
*/ | ||
|
||
package com.amazon.dlic.auth.http.jwt; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What are your thoughts on this package, com.amazon doesn't make much sense to me. I'd suggest a move this under a org.opensearch.security.auth
package or child package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. That makes sense to me too. I was doing this because I was following the class of HTTPJwtAuthenticator
.
|
||
protected final Logger log = LogManager.getLogger(this.getClass()); | ||
|
||
private static final Pattern BASIC = Pattern.compile("^\\s*Basic\\s.*", Pattern.CASE_INSENSITIVE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this authenticating backend check for BASIC auth headers, shouldn't it only support bearer auth?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was the question I raised up during one of our stand-up meetings. I assume that the HTTPJwtAuthenticator
were doing this could be due to leniency in handling to support non-standard header formats that do not include the “Bearer” keyword explicitly. However, for our case, we are require the keyword "Bearer" for our auth header. I will fix this in the next commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed!
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
AuthCredentials creds = AccessController.doPrivileged(new PrivilegedAction<AuthCredentials>() { | ||
@Override | ||
public AuthCredentials run() { | ||
return extractCredentials0(request); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is their a specific action that needs the permission? The InternalAuthenticationBackend doesn't seem to need this PrivilegedAction.
return creds; | ||
} | ||
|
||
private AuthCredentials extractCredentials0(final RestRequest request) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Take a look at these classes from @scrawfor99 's PR, they do a good job isolating the specific functionality from the overall context. While you might not need extra classes here, I think the parsing extracting logic would be cleaner
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 on moving extraction logic to an isolated class. Could be done in a follow-up PR tho
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peternied and @DarshitChanpura , Thanks for the information and suggestions. Yes I think this is a good idea. We can do that as the follow-up PR for linking this backend with the configuration setup.
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
import org.opensearch.security.securityconf.DynamicConfigModel; | ||
import org.opensearch.security.user.AuthCredentials; | ||
|
||
public class HTTPExtensionJwtAuthenticator implements HTTPAuthenticator { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While extensions will use this functionality. This class is a delegate authenticating backend, lets remove the name extension and reframe to its purpose, what do you think of this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point~ Have already changed it to HTTPOnBehalfOfJwtAuthenticator
, what do you think about this one?
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
return creds; | ||
} | ||
|
||
private AuthCredentials extractCredentials0(final RestRequest request) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 on moving extraction logic to an isolated class. Could be done in a follow-up PR tho
String jwtToken = request.header(HttpHeaders.AUTHORIZATION); | ||
if (jwtToken != null && BASIC.matcher(jwtToken).matches()) { | ||
jwtToken = null; | ||
} | ||
|
||
if (jwtToken == null || jwtToken.length() == 0) { | ||
if(log.isDebugEnabled()) { | ||
log.debug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION); | ||
} | ||
return null; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
String jwtToken = request.header(HttpHeaders.AUTHORIZATION); | |
if (jwtToken != null && BASIC.matcher(jwtToken).matches()) { | |
jwtToken = null; | |
} | |
if (jwtToken == null || jwtToken.length() == 0) { | |
if(log.isDebugEnabled()) { | |
log.debug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION); | |
} | |
return null; | |
} | |
String authHeader = request.header(HttpHeaders.AUTHORIZATION); | |
if (authHeader == null || authHeader.length() == 0 || BASIC.matcher(authHeader).matches()) { | |
if(log.isDebugEnabled()) { | |
log.debug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION); | |
} | |
return null; | |
} |
src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Outdated
Show resolved
Hide resolved
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
src/main/java/com/amazon/dlic/auth/http/jwt/HTTPExtensionJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good Ryan! Great job :)
if (roles != null) { | ||
String listOfRoles = String.join(",", roles); | ||
jwtClaims.setProperty("roles", EncryptionDecryptionUtil.encrypt(claimsEncryptionKey, listOfRoles)); | ||
jwtClaims.setProperty("er", EncryptionDecryptionUtil.encrypt(claimsEncryptionKey, listOfRoles)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure what "er" means. I know there are some conflicting opinions, but I am of the mind that we lose meaning at a certain point of abbreviating things. I am guessing this stands for "____ roles"? Perhaps we can make this a more meaningful key?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think er
stands for encrypted roles
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @RyanL1997! I left 2 comments that are pretty minor. Once addressed I will approve this PR and we can merge it into the feature branch.
src/main/java/org/opensearch/security/http/HTTPOnBehalfOfJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/http/HTTPOnBehalfOfJwtAuthenticator.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @RyanL1997! I left 2 comments that are pretty minor. Once addressed I will approve this PR and we can merge it into the feature branch.
2782200
to
0d02d74
Compare
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
0d02d74
to
24f16b3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nicely done!
Signed-off-by: Ryan Liang <[email protected]>
…ject#2672) * Extension Authentication-backend Signed-off-by: Ryan Liang <[email protected]> Signed-off-by: Maciej Mierzwa <[email protected]>
…ject#2672) * Extension Authentication-backend Signed-off-by: Ryan Liang <[email protected]> Signed-off-by: Maciej Mierzwa <[email protected]>
commit 1e24bbb Author: Ryan Liang <[email protected]> Date: Fri Aug 25 12:06:53 2023 -0700 Fixed the exception in keyutils Signed-off-by: Ryan Liang <[email protected]> commit 4b406c5 Author: Ryan Liang <[email protected]> Date: Fri Aug 25 11:41:14 2023 -0700 Change the null check right after the jwtparserbuilder Signed-off-by: Ryan Liang <[email protected]> commit a805843 Author: Ryan Liang <[email protected]> Date: Fri Aug 25 11:11:13 2023 -0700 Change to use copyof in getSecurityRoles in AuthCredentials class Signed-off-by: Ryan Liang <[email protected]> commit 308f269 Author: Ryan Liang <[email protected]> Date: Fri Aug 25 11:02:04 2023 -0700 Add the null or empty check for signingkey in keyUtils Signed-off-by: Ryan Liang <[email protected]> commit 40eed32 Author: Ryan Liang <[email protected]> Date: Fri Aug 25 09:55:19 2023 -0700 Fix V6 and V7 and lint Signed-off-by: Ryan Liang <[email protected]> commit 3c76151 Author: Ryan Liang <[email protected]> Date: Fri Aug 25 09:29:17 2023 -0700 Fix comment - Craig Signed-off-by: Ryan Liang <[email protected]> commit 7f2fc19 Author: Ryan Liang <[email protected]> Date: Thu Aug 24 23:01:24 2023 -0700 Fix some comments 08/24 Signed-off-by: Ryan Liang <[email protected]> commit 4841b25 Author: Ryan Liang <[email protected]> Date: Thu Aug 24 10:50:24 2023 -0700 Add the constant for defaut service in create obo endpoint Signed-off-by: Ryan Liang <[email protected]> commit 477b505 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 20:18:05 2023 -0700 Remove the unrelated line in AccountApiTest l77 Signed-off-by: Ryan Liang <[email protected]> commit f42d2f5 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 19:40:33 2023 -0700 Re-edit the error msg for createoboendpoint Signed-off-by: Ryan Liang <[email protected]> commit a272ccb Author: Ryan Liang <[email protected]> Date: Wed Aug 23 19:34:56 2023 -0700 Rename the obo endpoint Signed-off-by: Ryan Liang <[email protected]> commit c021473 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 19:30:45 2023 -0700 Correct the getClusterName() Signed-off-by: Ryan Liang <[email protected]> commit 8b5158d Author: Ryan Liang <[email protected]> Date: Wed Aug 23 19:11:07 2023 -0700 Use ClusterInfoHolder to pass clusterName Signed-off-by: Ryan Liang <[email protected]> commit 336aa57 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 18:18:42 2023 -0700 Change the error msg in jwtvendorTests too Signed-off-by: Ryan Liang <[email protected]> commit 682379d Author: Ryan Liang <[email protected]> Date: Wed Aug 23 17:21:11 2023 -0700 Switch to assertThat in obo authenticator test Signed-off-by: Ryan Liang <[email protected]> commit cb3406a Author: Ryan Liang <[email protected]> Date: Wed Aug 23 16:59:30 2023 -0700 Add comment in DynamicConfigModelV7 Signed-off-by: Ryan Liang <[email protected]> commit 15c8530 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 16:47:13 2023 -0700 Change to assertThrows for obo authenticator tests Signed-off-by: Ryan Liang <[email protected]> commit e56bf01 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 16:39:24 2023 -0700 Rename to OnBehalfOfSettings in ConfigV6 Signed-off-by: Ryan Liang <[email protected]> commit 62cfb4f Author: Ryan Liang <[email protected]> Date: Wed Aug 23 16:29:31 2023 -0700 Add comment for authentication failure in obo authenticator Signed-off-by: Ryan Liang <[email protected]> commit d0ebe91 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 16:22:08 2023 -0700 Specify the error msg of missing signing key in jwtvendor Signed-off-by: Ryan Liang <[email protected]> commit ca95380 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 16:12:46 2023 -0700 Refactor the jwtvendor expiry and set up upper limit Signed-off-by: Ryan Liang <[email protected]> commit 884f7a1 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 13:51:11 2023 -0700 Flip the boolean logic of roleSecurityMode Signed-off-by: Ryan Liang <[email protected]> commit e1021c2 Author: Ryan Liang <[email protected]> Date: Wed Aug 23 13:36:05 2023 -0700 Refactor the bwc mode into roleSecurityMode Signed-off-by: Ryan Liang <[email protected]> commit c1a825b Author: Ryan Liang <[email protected]> Date: Wed Aug 23 12:03:17 2023 -0700 Refactor in jwtVendor 1 Signed-off-by: Ryan Liang <[email protected]> commit 8eac5cd Author: Ryan Liang <[email protected]> Date: Wed Aug 23 09:53:24 2023 -0700 Change the comment in backend registry Signed-off-by: Ryan Liang <[email protected]> commit b0ac41a Author: Ryan Liang <[email protected]> Date: Tue Aug 22 17:58:15 2023 -0700 Revert the unrelated change in SecurityRestFilter Signed-off-by: Ryan Liang <[email protected]> commit b64460d Author: Ryan Liang <[email protected]> Date: Tue Aug 22 17:53:32 2023 -0700 Remove stale function Signed-off-by: Ryan Liang <[email protected]> commit 54bca2a Author: Ryan Liang <[email protected]> Date: Tue Aug 22 17:36:05 2023 -0700 Refactor the obo endpoint Signed-off-by: Ryan Liang <[email protected]> commit e429d7b Author: Ryan Liang <[email protected]> Date: Tue Aug 22 17:16:47 2023 -0700 Refactor the KeyUtils OBOAuthenticator and JwtAuthenticator with jwtParserBuilder Signed-off-by: Ryan Liang <[email protected]> commit 72dcec1 Author: Ryan Liang <[email protected]> Date: Tue Aug 22 16:22:42 2023 -0700 Some minor refactoring in obo authenticator Signed-off-by: Ryan Liang <[email protected]> commit 6f0e79b Author: Ryan Liang <[email protected]> Date: Tue Aug 22 15:46:19 2023 -0700 Remove the malformed token warning for backendroles extraction Signed-off-by: Ryan Liang <[email protected]> commit 1ba378e Author: Ryan Liang <[email protected]> Date: Tue Aug 22 15:42:38 2023 -0700 Refactor the EncryptionDecryptionUtil Signed-off-by: Ryan Liang <[email protected]> commit b315559 Author: Ryan Liang <[email protected]> Date: Tue Aug 22 12:02:06 2023 -0700 Fix the exception type in JwtVendorTests Signed-off-by: Ryan Liang <[email protected]> commit 6f49801 Author: Ryan Liang <[email protected]> Date: Tue Aug 22 11:35:10 2023 -0700 Remove the if condition in oboconfig for integ testing Signed-off-by: Ryan Liang <[email protected]> commit 034aa34 Author: Ryan Liang <[email protected]> Date: Tue Aug 22 11:22:45 2023 -0700 Set up creatJwkException in exceptionUtils and apply that in JwtVendor constructor Signed-off-by: Ryan Liang <[email protected]> commit 0f0478d Author: Ryan Liang <[email protected]> Date: Tue Aug 22 10:14:55 2023 -0700 Rename the KeyUtils Signed-off-by: Ryan Liang <[email protected]> commit a4e7aff Author: Ryan Liang <[email protected]> Date: Tue Aug 22 09:46:27 2023 -0700 Refactor the backendroles claim into br Signed-off-by: Ryan Liang <[email protected]> commit 2ff746e Author: Ryan Liang <[email protected]> Date: Tue Aug 22 09:31:50 2023 -0700 Fix lint Signed-off-by: Ryan Liang <[email protected]> commit 9ce36dc Author: Ryan Liang <[email protected]> Date: Tue Aug 22 01:11:24 2023 -0700 Refactor the OBO Authenticator part2 Signed-off-by: Ryan Liang <[email protected]> commit e52c5ce Author: Ryan Liang <[email protected]> Date: Tue Aug 22 00:55:33 2023 -0700 Refactor the backendrole extraction in oboauthenticator Signed-off-by: Ryan Liang <[email protected]> commit 9c9e060 Author: Ryan Liang <[email protected]> Date: Tue Aug 22 00:41:51 2023 -0700 Refactor the role extraction in oboauthenticator Signed-off-by: Ryan Liang <[email protected]> commit 387027b Author: Ryan Liang <[email protected]> Date: Tue Aug 22 00:18:31 2023 -0700 Refactor the logic in JwtVendor Signed-off-by: Ryan Liang <[email protected]> commit 267255c Author: Ryan Liang <[email protected]> Date: Tue Aug 22 00:01:15 2023 -0700 Add integration test case for obo permission Signed-off-by: Ryan Liang <[email protected]> commit 93bc8c6 Author: Ryan Liang <[email protected]> Date: Mon Aug 21 19:18:49 2023 -0700 Remove unused constants variable in OBO authenticator Signed-off-by: Ryan Liang <[email protected]> commit 878a107 Author: Ryan Liang <[email protected]> Date: Mon Aug 21 19:10:27 2023 -0700 Refactor the encryptiondecryptionutilstests Signed-off-by: Ryan Liang <[email protected]> commit 1c1bae6 Author: Ryan Liang <[email protected]> Date: Mon Aug 21 14:53:45 2023 -0700 Remove the null check in oboconfig Signed-off-by: Ryan Liang <[email protected]> commit 7e3824e Author: Ryan Liang <[email protected]> Date: Mon Aug 21 14:44:07 2023 -0700 Remove the wording of seconds in obo endpoint and make the expiry into configconstants Signed-off-by: Ryan Liang <[email protected]> commit a126512 Author: Ryan Liang <[email protected]> Date: Mon Aug 21 12:48:33 2023 -0700 Use constant util in Obo integration test Signed-off-by: Ryan Liang <[email protected]> commit e5a32c6 Author: Ryan Liang <[email protected]> Date: Mon Aug 21 12:13:50 2023 -0700 Rename the obo endpoint path to generateobotoekn Signed-off-by: Ryan Liang <[email protected]> commit e09a902 Author: Ryan Liang <[email protected]> Date: Mon Aug 21 09:15:53 2023 -0700 Remove the unused instance in configV6 Signed-off-by: Ryan Liang <[email protected]> commit af8aaa7 Author: Ryan Liang <[email protected]> Date: Fri Aug 18 13:05:04 2023 -0700 Fix the lint Signed-off-by: Ryan Liang <[email protected]> commit 9103b23 Author: Ryan Liang <[email protected]> Date: Fri Aug 18 13:01:56 2023 -0700 Add permission obo/create for accessing create obo endpoint Signed-off-by: Ryan Liang <[email protected]> commit 2349213 Author: Ryan Liang <[email protected]> Date: Thu Aug 17 15:54:38 2023 -0700 Change the name into keyUtils with the s Signed-off-by: Ryan Liang <[email protected]> commit dae0ac7 Author: Ryan Liang <[email protected]> Date: Thu Aug 17 15:48:12 2023 -0700 Switch to try/catch + assertEquals for JwtVendorTest Signed-off-by: Ryan Liang <[email protected]> commit d918d7a Author: Ryan Liang <[email protected]> Date: Thu Aug 17 15:39:46 2023 -0700 Change the JwtVendorTest with manually built-up assertThrow Signed-off-by: Ryan Liang <[email protected]> commit f47026b Author: Ryan Liang <[email protected]> Date: Thu Aug 17 14:35:13 2023 -0700 Fix the typo in exceptionUtils Signed-off-by: Ryan Liang <[email protected]> commit 43b8d5d Author: Ryan Liang <[email protected]> Date: Thu Aug 17 14:33:22 2023 -0700 Remove stacktrace debug statement in OBOAutehnticator Signed-off-by: Ryan Liang <[email protected]> commit a2c6db1 Author: Ryan Liang <[email protected]> Date: Thu Aug 17 13:04:30 2023 -0700 Change some of the methods name into camle case instead of snake case Signed-off-by: Ryan Liang <[email protected]> commit ee79b49 Author: Ryan Liang <[email protected]> Date: Thu Aug 17 11:55:11 2023 -0700 Add unit tests for EncryptionDecryptionUtil Signed-off-by: Ryan Liang <[email protected]> commit 3ebff2b Author: Ryan Liang <[email protected]> Date: Thu Aug 17 09:43:43 2023 -0700 Work around for not set static cluster service Signed-off-by: Ryan Liang <[email protected]> commit a4efad6 Author: Ryan Liang <[email protected]> Date: Wed Aug 16 13:31:57 2023 -0700 Modify the getDynamicOnBehalfOfSettings() to return settings.Empty if there is no changes Signed-off-by: Ryan Liang <[email protected]> commit e23d757 Author: Ryan Liang <[email protected]> Date: Wed Aug 16 12:26:39 2023 -0700 Encapsulate the logic for endpoints access checking into a method Signed-off-by: Ryan Liang <[email protected]> commit be26148 Author: Ryan Liang <[email protected]> Date: Wed Aug 16 12:09:25 2023 -0700 Remove useless comments Signed-off-by: Ryan Liang <[email protected]> commit bef85da Author: Ryan Liang <[email protected]> Date: Wed Aug 16 11:57:39 2023 -0700 Remove the enforcing of token type for OBO auth Signed-off-by: Ryan Liang <[email protected]> commit 1f79431 Author: Ryan Liang <[email protected]> Date: Wed Aug 16 11:45:45 2023 -0700 Change the field name reason in obo endpoint to description Signed-off-by: Ryan Liang <[email protected]> commit 1f12e5e Author: Ryan Liang <[email protected]> Date: Wed Aug 16 11:15:56 2023 -0700 Change the backendrole check's claim name into br Signed-off-by: Ryan Liang <[email protected]> commit b2c7d75 Author: Ryan Liang <[email protected]> Date: Tue Aug 15 23:30:25 2023 -0700 Address some comment 2 Signed-off-by: Ryan Liang <[email protected]> commit d79973c Author: Ryan Liang <[email protected]> Date: Tue Aug 15 23:24:16 2023 -0700 Address some comment 1 Signed-off-by: Ryan Liang <[email protected]> commit 8a96cab Author: Sam <[email protected]> Date: Fri Aug 18 14:43:07 2023 +0100 Feature/extensions bwc setting (opensearch-project#3180) ### Description This Draft PR includes the new setting bwcPluginMode (backward compatible plugin mode for extensions ) ### Issues Resolved opensearch-project#2616 Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Sam <[email protected]> commit 91f4478 Merge: e42e4d3 88b6d23 Author: Ryan Liang <[email protected]> Date: Mon Aug 14 23:30:37 2023 -0700 Merge branch 'main' into feature/extensions commit e42e4d3 Author: Ryan Liang <[email protected]> Date: Mon Aug 14 10:12:58 2023 -0700 [Feature/Extension] Remove hostmapping from create OBO endpoint. (opensearch-project#3161) Signed-off-by: Ryan Liang <[email protected]> commit ade34b4 Merge: 6d8e0e2 05f12d8 Author: Ryan Liang <[email protected]> Date: Fri Aug 11 11:37:21 2023 -0700 Merge branch 'main' into feature/extensions commit 6d8e0e2 Merge: 493b53f 3139c18 Author: Ryan Liang <[email protected]> Date: Thu Aug 10 21:11:43 2023 -0700 Merge branch 'main' into feature/extensions commit 493b53f Merge: 30cf5b1 46989b5 Author: Ryan Liang <[email protected]> Date: Wed Aug 9 12:00:14 2023 -0700 Merge branch 'main' into feature/extensions commit 30cf5b1 Author: Ryan Liang <[email protected]> Date: Wed Aug 9 10:10:24 2023 -0700 [Feature/Extension] Add cluster id check for OBO Authenticator (opensearch-project#3117) --------- Signed-off-by: Ryan Liang <[email protected]> commit 058f8ec Merge: d643fb2 6cc90e6 Author: Ryan Liang <[email protected]> Date: Mon Aug 7 12:33:57 2023 -0700 Merge branch 'main' into feature/extensions commit d643fb2 Author: Ryan Liang <[email protected]> Date: Fri Aug 4 22:57:18 2023 -0700 [Feature/Extension] Restrict OBO token's usage for certain endpoints (opensearch-project#3008) Signed-off-by: Ryan Liang <[email protected]> commit 2319059 Merge: d634d60 527495d Author: Ryan Liang <[email protected]> Date: Fri Aug 4 08:50:34 2023 -0700 Merge branch 'main' into feature/extensions commit d634d60 Author: Ryan Liang <[email protected]> Date: Wed Aug 2 13:09:03 2023 -0700 [Feature/Extension] Add configuration of disable OBO (opensearch-project#3047) Signed-off-by: Ryan Liang <[email protected]> commit df3dba3 Merge: 1268dee 5384272 Author: Ryan Liang <[email protected]> Date: Wed Aug 2 09:42:04 2023 -0700 Merge branch 'main' into feature/extensions commit 1268dee Merge: a9451dd 8063e1b Author: Ryan Liang <[email protected]> Date: Tue Jul 25 11:23:05 2023 -0700 Merge branch 'main' into feature/extensions commit a9451dd Merge: 671c772 59e2657 Author: Ryan Liang <[email protected]> Date: Mon Jul 24 13:30:37 2023 -0700 Merge branch 'main' into feature/extensions commit 671c772 Merge: 67515bc f1be2d7 Author: Ryan Liang <[email protected]> Date: Tue Jul 18 09:04:25 2023 -0700 Merge branch 'main' into feature/extensions commit 67515bc Merge: 88f32e9 0e6608d Author: Ryan Liang <[email protected]> Date: Thu Jul 13 11:18:07 2023 -0700 Merge branch 'main' into feature/extensions commit 88f32e9 Author: Ryan Liang <[email protected]> Date: Fri Jul 7 11:42:21 2023 -0700 [Feature/Extension] Add oboauthcbackend registry and set up e2e endpoint testing flow (opensearch-project#2857) * Add OBO Authbackend Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Ryan Liang <[email protected]> Co-authored-by: Peter Nied <[email protected]> commit 8c3c639 Merge: 21891d7 4eef662 Author: Ryan Liang <[email protected]> Date: Mon Jul 3 10:34:27 2023 -0700 Merge branch 'main' into feature/extensions commit 21891d7 Merge: 8ad24ad 7546c05 Author: Ryan Liang <[email protected]> Date: Thu Jun 29 13:28:12 2023 -0700 Merge branch 'feature-branch-sync-629' into feature/extensions commit 8ad24ad Author: Ryan Liang <[email protected]> Date: Thu Jun 29 13:23:04 2023 -0700 Revert "Feature branch sync 06/29/2023 (opensearch-project#2918)" (opensearch-project#2920) This reverts commit 748a711. commit 748a711 Author: Ryan Liang <[email protected]> Date: Thu Jun 29 12:37:08 2023 -0700 Feature branch sync 06/29/2023 (opensearch-project#2918) * add search model group permission to ml_read_access role (opensearch-project#2855) * add search model group permission to ml_read_access role Signed-off-by: Bhavana Ramaram <[email protected]> * IntegrationTest spotless (opensearch-project#2863) Signed-off-by: Stephen Crawford <[email protected]> * Format everything (opensearch-project#2866) * Use boucycastle PEM reader instead of reg expression (opensearch-project#2864) Use BouncyCastle PEMReader instead of regular expression to read and parse private key pem files. Signed-off-by: Andrey Pleskach <[email protected]> * Adding field level security test cases for FlatFields (opensearch-project#2876) Signed-off-by: Peter Nied <[email protected]> * Update snappy to 1.1.10.1 and guava to 32.0.1-jre (opensearch-project#2886) * Update snappy to 1.1.10.1 and guava to 32.0.1-jre Signed-off-by: Craig Perkins <[email protected]> * Upgrade kafka to 3.5.0 Signed-off-by: Craig Perkins <[email protected]> * Force snappy Signed-off-by: Craig Perkins <[email protected]> * Add runtime dependency on org.scala-lang.modules:scala-java8-compat_3:1.0.2 to fix issue with KafkaSinkTest Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> * Role permissions order tool and workflow (opensearch-project#2733) * Check Permissions Order tool and workflow Adds a NodeJS tool that can inspect yaml role definitions, check if they are in alphabetical order, correct them if required. Signed-off-by: Peter Nied <[email protected]> * Apply fixes to roles.yml files Signed-off-by: Peter Nied <[email protected]> * Fixing busted test, adding findArrayInJson for response bodies Signed-off-by: Peter Nied <[email protected]> --------- Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> * Misc changes (opensearch-project#2902) Moved isStatic and isReserved methods to the SecurityDynamicConfiguration class Signed-off-by: Andrey Pleskach <[email protected]> * Update triaging guidelines (opensearch-project#2899) * Update triaging guidelines Signed-off-by: Stephen Crawford <[email protected]> Signed-off-by: Stephen Crawford <[email protected]> * fix cluster perm classification for msearch template (opensearch-project#2892) * fix cluster perm classification for msearch template Signed-off-by: Derek Ho <[email protected]> * move test to unit test file Signed-off-by: Derek Ho <[email protected]> * fully revert integration test file Signed-off-by: Derek Ho <[email protected]> * Update src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java Signed-off-by: Stephen Crawford <[email protected]> * spotless Signed-off-by: Derek Ho <[email protected]> --------- Signed-off-by: Derek Ho <[email protected]> Signed-off-by: Stephen Crawford <[email protected]> Co-authored-by: Stephen Crawford <[email protected]> * [Doc] Add architecture document (opensearch-project#2869) * Add initial architecture document Signed-off-by: Peter Nied <[email protected]> * [Enhancement] Parallel test jobs for CI (opensearch-project#2861) * Split multiple tests into separate gradle tasks. * Tasks are configured in "splitTestConfig" map in build.gradle file. Map allows to use all patterns from TestFilter like: includeTestsMatching, excludeTestsMatching, includeTest etc. * Tasks are automatically generated from "splitTestConfig" map. * Two new Gradle tasks: listTasksAsJSON and listTasksAsParam to output task names to console. First one outputs them as a JSON and second - in gradlew "-x <TASK>" format to use in CLI. * Patterns included in tasks are automatically excluded from main "test" task but at the same time generated tasks are dependencies for "test". Running "gradlew test" will run whole suite at once. * CI pipeline has been configured to accomodate all changes. * New 'master' task to generate list of jobs to run in parallel. * Updated matrix strategy to include task name to start. Signed-off-by: Pawel Gudel <[email protected]> * Bump BouncyCastle from jdk15on to jdk15to18 (opensearch-project#2901) jdk15to18 contains fix for - CVE-2023-33201 - Medium Severity Vulnerability Signed-off-by: Andrey Pleskach <[email protected]> * Spotless Apply Signed-off-by: Ryan Liang <[email protected]> --------- Signed-off-by: Bhavana Ramaram <[email protected]> Signed-off-by: Stephen Crawford <[email protected]> Signed-off-by: Andrey Pleskach <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Stephen Crawford <[email protected]> Signed-off-by: Derek Ho <[email protected]> Signed-off-by: Pawel Gudel <[email protected]> Signed-off-by: Ryan Liang <[email protected]> Co-authored-by: Bhavana Ramaram <[email protected]> Co-authored-by: Stephen Crawford <[email protected]> Co-authored-by: Andrey Pleskach <[email protected]> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Craig Perkins <[email protected]> Co-authored-by: Derek Ho <[email protected]> Co-authored-by: pawel-gudel-eliatra <[email protected]> commit 7546c05 Author: Ryan Liang <[email protected]> Date: Thu Jun 29 11:50:58 2023 -0700 Spotless Apply Signed-off-by: Ryan Liang <[email protected]> commit 81b7818 Author: Andrey Pleskach <[email protected]> Date: Thu Jun 29 15:54:21 2023 +0200 Bump BouncyCastle from jdk15on to jdk15to18 (opensearch-project#2901) jdk15to18 contains fix for - CVE-2023-33201 - Medium Severity Vulnerability Signed-off-by: Andrey Pleskach <[email protected]> commit 95efddd Author: pawel-gudel-eliatra <[email protected]> Date: Wed Jun 28 22:41:46 2023 +0200 [Enhancement] Parallel test jobs for CI (opensearch-project#2861) * Split multiple tests into separate gradle tasks. * Tasks are configured in "splitTestConfig" map in build.gradle file. Map allows to use all patterns from TestFilter like: includeTestsMatching, excludeTestsMatching, includeTest etc. * Tasks are automatically generated from "splitTestConfig" map. * Two new Gradle tasks: listTasksAsJSON and listTasksAsParam to output task names to console. First one outputs them as a JSON and second - in gradlew "-x <TASK>" format to use in CLI. * Patterns included in tasks are automatically excluded from main "test" task but at the same time generated tasks are dependencies for "test". Running "gradlew test" will run whole suite at once. * CI pipeline has been configured to accomodate all changes. * New 'master' task to generate list of jobs to run in parallel. * Updated matrix strategy to include task name to start. Signed-off-by: Pawel Gudel <[email protected]> commit 766389b Author: Peter Nied <[email protected]> Date: Wed Jun 28 15:28:11 2023 -0500 [Doc] Add architecture document (opensearch-project#2869) * Add initial architecture document Signed-off-by: Peter Nied <[email protected]> commit c1d2127 Author: Derek Ho <[email protected]> Date: Wed Jun 28 15:21:04 2023 -0400 fix cluster perm classification for msearch template (opensearch-project#2892) * fix cluster perm classification for msearch template Signed-off-by: Derek Ho <[email protected]> * move test to unit test file Signed-off-by: Derek Ho <[email protected]> * fully revert integration test file Signed-off-by: Derek Ho <[email protected]> * Update src/test/java/org/opensearch/security/privileges/PrivilegesEvaluatorUnitTest.java Signed-off-by: Stephen Crawford <[email protected]> * spotless Signed-off-by: Derek Ho <[email protected]> --------- Signed-off-by: Derek Ho <[email protected]> Signed-off-by: Stephen Crawford <[email protected]> Co-authored-by: Stephen Crawford <[email protected]> commit 37f277e Author: Stephen Crawford <[email protected]> Date: Mon Jun 26 15:28:13 2023 -0400 Update triaging guidelines (opensearch-project#2899) * Update triaging guidelines Signed-off-by: Stephen Crawford <[email protected]> Signed-off-by: Stephen Crawford <[email protected]> commit 926bdda Author: Andrey Pleskach <[email protected]> Date: Mon Jun 26 20:09:39 2023 +0200 Misc changes (opensearch-project#2902) Moved isStatic and isReserved methods to the SecurityDynamicConfiguration class Signed-off-by: Andrey Pleskach <[email protected]> commit 9cd0198 Author: Peter Nied <[email protected]> Date: Mon Jun 26 10:04:39 2023 -0500 Role permissions order tool and workflow (opensearch-project#2733) * Check Permissions Order tool and workflow Adds a NodeJS tool that can inspect yaml role definitions, check if they are in alphabetical order, correct them if required. Signed-off-by: Peter Nied <[email protected]> * Apply fixes to roles.yml files Signed-off-by: Peter Nied <[email protected]> * Fixing busted test, adding findArrayInJson for response bodies Signed-off-by: Peter Nied <[email protected]> --------- Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> commit 4bb144f Author: Craig Perkins <[email protected]> Date: Wed Jun 21 09:31:47 2023 -0400 Update snappy to 1.1.10.1 and guava to 32.0.1-jre (opensearch-project#2886) * Update snappy to 1.1.10.1 and guava to 32.0.1-jre Signed-off-by: Craig Perkins <[email protected]> * Upgrade kafka to 3.5.0 Signed-off-by: Craig Perkins <[email protected]> * Force snappy Signed-off-by: Craig Perkins <[email protected]> * Add runtime dependency on org.scala-lang.modules:scala-java8-compat_3:1.0.2 to fix issue with KafkaSinkTest Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> commit c71d9b3 Author: Peter Nied <[email protected]> Date: Tue Jun 20 13:36:01 2023 -0500 Adding field level security test cases for FlatFields (opensearch-project#2876) Signed-off-by: Peter Nied <[email protected]> commit e3b4f8f Author: Andrey Pleskach <[email protected]> Date: Mon Jun 19 16:18:28 2023 +0200 Use boucycastle PEM reader instead of reg expression (opensearch-project#2864) Use BouncyCastle PEMReader instead of regular expression to read and parse private key pem files. Signed-off-by: Andrey Pleskach <[email protected]> commit ef6224c Author: Stephen Crawford <[email protected]> Date: Thu Jun 15 23:32:10 2023 -0400 Format everything (opensearch-project#2866) commit ef048a2 Author: Stephen Crawford <[email protected]> Date: Thu Jun 15 11:57:25 2023 -0400 IntegrationTest spotless (opensearch-project#2863) Signed-off-by: Stephen Crawford <[email protected]> commit b6bfb11 Author: Bhavana Ramaram <[email protected]> Date: Tue Jun 13 17:00:34 2023 -0700 add search model group permission to ml_read_access role (opensearch-project#2855) * add search model group permission to ml_read_access role Signed-off-by: Bhavana Ramaram <[email protected]> commit 26244e9 Merge: 56e77fe 1691ca7 Author: Craig Perkins <[email protected]> Date: Tue Jun 13 16:14:33 2023 -0400 Merge branch 'format-feature-extensions-apply' into feature/extensions commit 1691ca7 Merge: efcadd4 2e263b8 Author: Craig Perkins <[email protected]> Date: Tue Jun 13 16:05:59 2023 -0400 Merge branch 'main' into format-feature-extensions-apply commit efcadd4 Merge: 1a09a87 ceb5ad2 Author: Craig Perkins <[email protected]> Date: Fri Jun 9 10:16:02 2023 -0400 Merge branch 'main' into format-feature-extensions-apply commit 1a09a87 Author: Craig Perkins <[email protected]> Date: Fri Jun 9 09:57:42 2023 -0400 Run spotlessApply Signed-off-by: Craig Perkins <[email protected]> commit 01917ff Author: Craig Perkins <[email protected]> Date: Fri Jun 9 09:55:09 2023 -0400 Remove other spotless section Signed-off-by: Craig Perkins <[email protected]> commit c83ad28 Author: Craig Perkins <[email protected]> Date: Fri Jun 9 09:53:35 2023 -0400 Add formatting changes in feature/extensions Signed-off-by: Craig Perkins <[email protected]> commit 56e77fe Merge: fa0fcc3 33aebb9 Author: Ryan Liang <[email protected]> Date: Wed May 24 11:31:54 2023 -0700 Merge branch 'main' into feature/extensions commit fa0fcc3 Author: Ryan Liang <[email protected]> Date: Tue May 16 10:55:57 2023 -0700 [Feature/Extension] Rename the term 'extension' into 'on_behalf_of' (opensearch-project#2774) Signed-off-by: Ryan Liang <[email protected]> commit f1cee3b Merge: 95f9c77 15860b6 Author: Ryan Liang <[email protected]> Date: Tue May 16 09:33:59 2023 -0700 Merge branch 'main' into feature/extensions commit 95f9c77 Author: Ryan Liang <[email protected]> Date: Thu May 11 11:50:12 2023 -0700 [Security/Extension] Extension Authentication Backend (opensearch-project#2672) * Extension Authentication-backend Signed-off-by: Ryan Liang <[email protected]> commit 8f02d8d Merge: 9515181 9d758f9 Author: Ryan Liang <[email protected]> Date: Wed May 10 12:12:20 2023 -0700 Merge branch 'main' into feature/extensions commit 9515181 Author: Ryan Liang <[email protected]> Date: Wed May 10 09:51:26 2023 -0700 Fix the conflicts Signed-off-by: Ryan Liang <[email protected]> commit 06055c3 Merge: df75a37 f4def32 Author: Ryan Liang <[email protected]> Date: Wed May 10 09:34:05 2023 -0700 merge main into security extension feature branch commit df75a37 Author: MaciejMierzwa <[email protected]> Date: Tue May 2 15:44:04 2023 +0200 Extensions config for JWT signing/encryption key (opensearch-project#2671) * Extensions config for JWT signing/encryption key Signed-off-by: Maciej Mierzwa <[email protected]> commit d4e5f1f Merge: 4da62c3 6997f97 Author: Ryan Liang <[email protected]> Date: Thu Apr 27 07:05:39 2023 -0700 Merge branch 'main' into feature/extensions commit 4da62c3 Merge: 73ab1fc 6ace852 Author: Craig Perkins <[email protected]> Date: Tue Apr 25 09:38:52 2023 -0400 Merge branch 'main' into feature/extensions commit 73ab1fc Author: Ryan Liang <[email protected]> Date: Thu Apr 6 13:38:19 2023 -0700 [Security/Extension] Role encryption/decryption (opensearch-project#2620) * Encryption/Decryption of `roles` Signed-off-by: Ryan Liang <[email protected]> commit 1681823 Author: Ryan Liang <[email protected]> Date: Fri Mar 31 06:58:56 2023 -0700 [Security/Extension] JWT Vendor for extensions (opensearch-project#2567) * JWT Vendor for extensions Signed-off-by: Ryan Liang <[email protected]> Signed-off-by: Peter Nied <[email protected]>
Description
Extension Authentication Backend
Some additional modification in JWTVendor:
- BWCMode On: plain text roles will be passed into claim. It also accepts nonString configuration, but it will be converted intostring
as the payload. The roles information will be stored in the payload fielddec_r
(standing for decrypted roles).- BMCMode Off: encrypted roles will be passed into claim, and it will always be a encryptedstring
. The roles information will be stored in the payload fieldenc_r
(standing for encrypted roles).Category
New feature
Issues Resolved
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.