Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OnBehalfOf claims take second duration #10664

Merged
merged 3 commits into from
Oct 18, 2023
Merged

OnBehalfOf claims take second duration #10664

merged 3 commits into from
Oct 18, 2023

Conversation

stephen-crawford
Copy link
Contributor

@stephen-crawford stephen-crawford commented Oct 17, 2023
edited
Loading

Description

This change swaps the OnBehalfOf claims provider in core in order to work with external token providers. Without this change, implementing the TokenManager class is not straightforward. We would force users to to provide an expiration time (i.e. system time) when we want them to be able to provide a value in seconds and do the math for them.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@stephen-crawford stephen-crawford changed the title Make it reasonable to provide time for expiration [SKIP CHANGELOG] Make OnBehalfOf claims take second duration instead of absolute time Oct 17, 2023
@stephen-crawford stephen-crawford mentioned this pull request Oct 17, 2023
Merged
3 tasks
@stephen-crawford stephen-crawford marked this pull request as draft October 17, 2023 17:24
@stephen-crawford stephen-crawford changed the title [SKIP CHANGELOG] Make OnBehalfOf claims take second duration instead of absolute time Make OnBehalfOf claims take second duration instead of absolute time Oct 17, 2023
@github-actions
Copy link
Contributor

github-actions bot commented Oct 17, 2023
edited
Loading

Compatibility status:

Checks if related components are compatible with change 7718a2f

Incompatible components

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git]

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@codecov
Copy link

codecov bot commented Oct 17, 2023
edited
Loading

Codecov Report

Merging #10664 (e046658) into main (e942483) will increase coverage by 0.02%.
Report is 2 commits behind head on main.
The diff coverage is 80.00%.

❗ Current head e046658 differs from pull request most recent head 7718a2f. Consider uploading reports for the commit 7718a2f to get more accurate results

@@             Coverage Diff              @@
##               main   #10664      +/-   ##
============================================
+ Coverage     71.12%   71.15%   +0.02%     
+ Complexity    58503    58502       -1     
============================================
  Files          4853     4853              
  Lines        275915   275660     -255     
  Branches      40153    40118      -35     
============================================
- Hits         196256   196149     -107     
+ Misses        63247    63122     -125     
+ Partials      16412    16389      -23
Files Coverage Δ
...g/opensearch/identity/tokens/OnBehalfOfClaims.java 87.50% <80.00%> (+9.72%) ⬆️

... and 492 files with indirect coverage changes

@stephen-crawford stephen-crawford marked this pull request as ready for review October 17, 2023 20:33
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.indices.replication.SegmentReplicationIT.classMethod

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@peternied peternied changed the title Make OnBehalfOf claims take second duration instead of absolute time OnBehalfOf claims take second duration Oct 17, 2023
@peternied
Copy link
Member

@scrawfor99 looks like there are some merge conflicts

@stephen-crawford
Make it reasonable to provide time for expiration
8cc86ee 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
OnBehalfOf claims
9d8fb4d 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Fix changelog
7718a2f 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Copy link
Contributor Author

Should be all fixed @peternied

@peternied peternied merged commit d2c2e20 into opensearch-project:main Oct 18, 2023
12 of 13 checks passed
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford stephen-crawford deleted the swapExpirationToSecond branch October 18, 2023 18:36
deshsidd pushed a commit to deshsidd/OpenSearch that referenced this pull request Oct 19, 2023
@stephen-crawford @deshsidd
OnBehalfOf claims take second duration (opensearch-project#10664)
4b33c59 
OnBehalfOf claims take second duration

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Siddhant Deshmukh <deshsid@amazon.com>
austintlee pushed a commit to austintlee/OpenSearch that referenced this pull request Oct 23, 2023
@stephen-crawford @austintlee
OnBehalfOf claims take second duration (opensearch-project#10664)
7d76611 
OnBehalfOf claims take second duration

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@RyanL1997 RyanL1997 mentioned this pull request Nov 1, 2023
Merged
8 tasks
RyanL1997 pushed a commit to RyanL1997/OpenSearch that referenced this pull request Nov 1, 2023
@stephen-crawford @RyanL1997
OnBehalfOf claims take second duration (opensearch-project#10664)
1b2b65d 
OnBehalfOf claims take second duration

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@RyanL1997 RyanL1997 mentioned this pull request Nov 1, 2023
Closed
8 tasks
peternied added a commit that referenced this pull request Nov 2, 2023
@RyanL1997 @stephen-crawford
@peternied @owaiskazi19
[Backport 2.x] Service accounts and on-behalf-of authentication in 2.x (
f1df1cd 
#11052)

* Implement on behalf of token passing for extensions (#8679)

* Provide service accounts tokens to extensions (#9618)

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

* Cherry pick #10614 and #10664

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
@stephen-crawford @shiv0408
OnBehalfOf claims take second duration (opensearch-project#10664)
be404e4 
OnBehalfOf claims take second duration

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peternied peternied peternied approved these changes

@reta reta Awaiting requested review from reta reta is a code owner

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE is a code owner

@dblock dblock Awaiting requested review from dblock dblock is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna is a code owner

@setiah setiah Awaiting requested review from setiah

@kartg kartg Awaiting requested review from kartg

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 is a code owner

@nknize nknize Awaiting requested review from nknize nknize is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 is a code owner

@ryanbogan ryanbogan Awaiting requested review from ryanbogan

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja is a code owner

@dreamer-89 dreamer-89 Awaiting requested review from dreamer-89

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@dbwiddis dbwiddis Awaiting requested review from dbwiddis dbwiddis is a code owner

@sachinpkale sachinpkale Awaiting requested review from sachinpkale sachinpkale is a code owner

@sohami sohami Awaiting requested review from sohami sohami is a code owner

@msfroh msfroh Awaiting requested review from msfroh msfroh is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stephen-crawford @peternied