-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove identity-related feature flagged code from the RestController #15430
Remove identity-related feature flagged code from the RestController #15430
Conversation
Signed-off-by: Craig Perkins <cwperx@amazon.com>
❌ Gradle check result for e6b82ba: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Craig Perkins <cwperx@amazon.com>
❌ Gradle check result for bc610a2: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❕ Gradle check result for 1abfe97: UNSTABLE
Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure. |
Signed-off-by: Craig Perkins <craig5008@gmail.com>
❌ Gradle check result for 34bc922: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❌ Gradle check result for 34bc922: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❌ Gradle check result for 34bc922: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❌ Gradle check result for c2d9a3a: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❌ Gradle check result for c2d9a3a: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-15430-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 1bc81d3eee07e96b6c6393510b41d194276e204c
# Push it to GitHub
git push --set-upstream origin backport/backport-15430-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x Then, create a pull request where the |
@cwperks could you please backport to 2.x manually? thank you! |
…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <cwperx@amazon.com> * Handle null Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix tests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address forbiddenApi Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <cwperx@amazon.com> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove change in IdentityService Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review comments Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> (cherry picked from commit 1bc81d3)
…15430) (#16004) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <cwperx@amazon.com> * Handle null Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix tests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address forbiddenApi Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <cwperx@amazon.com> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove change in IdentityService Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review comments Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> (cherry picked from commit 1bc81d3) Signed-off-by: Craig Perkins <cwperx@amazon.com>
…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <cwperx@amazon.com> * Handle null Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix tests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address forbiddenApi Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <cwperx@amazon.com> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove change in IdentityService Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review comments Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com>
…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <cwperx@amazon.com> * Handle null Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix tests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address forbiddenApi Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <cwperx@amazon.com> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove change in IdentityService Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review comments Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com>
…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <cwperx@amazon.com> * Handle null Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix tests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address forbiddenApi Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <cwperx@amazon.com> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove change in IdentityService Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review comments Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com>
…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <cwperx@amazon.com> * Handle null Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix tests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address forbiddenApi Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <cwperx@amazon.com> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove change in IdentityService Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review comments Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com>
…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <cwperx@amazon.com> * Handle null Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix tests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address forbiddenApi Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <cwperx@amazon.com> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove change in IdentityService Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review comments Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com>
Description
This PR is a follow-up to #14630. This PR removes code in the RestController that was behind the
opensearch.experimental.feature.identity.enabled
feature flag.The problem with the current code behind the feature flag is that it uses the RestTokenExtractor which assumes that authinfo is provided on the AUTHORIZATION header and is not directly usable by the security plugin in the current state. This PR removes the code to leave it up to the Identity plugin how to provide the subject information. For instance, this PR updates the identity-shiro plugin to utilize ActionPlugin.getRestHandlerWrapper to authenticate a web request and hydrate information about the current subject. The RestTokenExtractor has been moved into the identity-shiro plugin which only supports basic auth with the AUTHORIZATION header in its current state.
I'm opening this PR as a step towards removing the Identity feature flag (but keeping the interface marked as experimental).
I am planning to ask plugin maintainers to remove usages of ThreadContext.stashContext after the experimental feature flag for identity is removed.
Related Issues
Related to opensearch-project/security#4439
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.