Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[META] Security for Extensions #2524

Open
davidlago opened this issue Mar 8, 2023 · 0 comments
Open

[META] Security for Extensions #2524

davidlago opened this issue Mar 8, 2023 · 0 comments
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@davidlago
Copy link

davidlago commented Mar 8, 2023
edited by peternied
Loading

Security Plugin for Extensions Project

This document describes the features and functionalities being built to support extensions securely through the security plugin. Links to GitHub issues where either meta issues or decisions docs will be included throughout.

Background

OpenSearch is building extensions to support existing plugin functionality with a goal to eventually replace them. The first iteration of extensions are built to run out of process, creating a trust boundary that did not exist before. This boundary provides a golden opportunity to require and enforce security in all extensions. The security team will focus on building up existing security features, providing parity for missing features, and establishing baseline security requirements.

Previously, OpenSearch had an Identity project that was built from the ground up to provide a set of features for identity and security systems. However, the team decided to pivot to reduce the amount of customer migrations and provide features that customers can use more quickly.

Approach

Our approach to securely supporting extensions and OpenSearch is to keep extension-related information in the extensions manager. Then, there will be a series of connections to the security plugin where the security plugin will contain implementations and enforcement of existing patterns. Extension will received opaque tokens for authentication with the OpenSearch cluster, Extensions are responsible to handle cases where the requests are successful or unsuccessful.

OpenSearch Core

Management of extensions will include the current information, as well as features to ensure trusted connections between the OpenSearch cluster and the extensions endpoint. Extensions registration and configuration will include application scopes that limit the kinds of access to OpenSearch in a broad fashion.

OpenSearch does not have a current identity by exposing context through an identity plugin, OpenSearch will be able to provide structured authentication information.

OpenSearch has a plugin called Job Scheduler. This plugin would store a list of tasks to be executed on intervals or in the future time. These tasks did not contain information on who was executing them. Job Scheduler needs to be enhanced to store this information securely.

Security Plugin

When requests are forwarded through the OpenSearch cluster to the extension, several security features will be added to support current scenarios and to enable new functionality.

Authorization was previously provided through inspection of transport layer actions. These actions are not available to extensions. The security plugin will extend how authorization is performed so that extensions' actions exposed as REST API are permissioned in the same way as like plugins are treated today.

Impersonation - In the current plugin model, the plugin operates as the identity of the user making that request, controlled by the thread context. Outside of the OpenSearch process, when extensions need to execute requests on behalf of the user, a just-in-time token will be provided that an extension can use to interact with the OpenSearch cluster.

Extensions Security Features

Extensions need a mechanism to issue requests outside of the context of an incoming user request. Service accounts will be used to allow extensions to make requests into the OpenSearch cluster.

Plugins have access to thread context information that is used to determine additional security features for their resources. A backward compatibility mechanism will be created to pass this data to extensions.

Plugins have the ability to access OpenSearch system indices to store their state information while being sure that plugin index data could not be altered. Extensions will need new permissions to allow access to these system indices.

Questions

Space for questions related to this high level topic

Diagrams

Central space for all design diagrams introduced as part of this initiative.
@davidlago davidlago converted this from a draft issue Mar 8, 2023
@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Mar 8, 2023
@cwperks cwperks changed the title Security for Extensions [META] Security for Extensions Mar 8, 2023
@peternied peternied self-assigned this Mar 8, 2023
@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Mar 13, 2023
@stephen-crawford stephen-crawford added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Mar 20, 2023
@RyanL1997 RyanL1997 mentioned this issue Apr 24, 2023
Closed
@davidlago davidlago moved this to Tracking in Security for Extensions May 10, 2023
@davidlago davidlago mentioned this issue Jun 14, 2023
Open
@peternied peternied removed their assignment May 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.
Projects
Security for Extensions
Status: Tracking
Milestone
No milestone
Development

No branches or pull requests
3 participants
@peternied @davidlago @stephen-crawford