-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Question] How to support extensions parity for user information #2536
Comments
@cwperks What do you think? |
I like the approach of using 'Legacy' annotation. It would define the intent correctly and would also solve the question we are addressing here. Option 3 it is from my end. |
@peternied Re-capping a discussion from earlier today about what claims to include in a token for an extension and what not to include. I'd like to add context with OpenSearch Dashboards and the claims that are provided in the token the dashboards receives vs. the information it additionally gets from the server by calling When Dashboards is configured with SAML or OIDC, the user is asked to authenticate with the external IdP once and upon successful authentication is redirected back to OSD with a JWT that is used to authenticate and authorize subsequent requests for as long as the session remains valid.
In both cases, the token has a minimum of 2 claims, but most likely has at least 4. Those are:
From what I gather of the security-dashboard-plugin code, these claims are never read or used by the frontend. Instead the frontend relies on the The claims are useful to the backend and the JWT Auth backend uses the roles in the token to evaluate privileges of the caller. |
Updated the diagrams with process/host boundaries - thanks @DarshitChanpura for figuring that out! |
@cwperks @scrawfor99 @RyanL1997 @davidlago What do you think? I'm feeling good about |
Hi @peternied, I am in full support of option 3 myself. Thank you for putting together the thorough review. |
@peternied I support moving forward with option 3 with the initial goalpost being that AD backend is being converted from a plugin to an extension and needing to be compatible with plugin paradigms today like protecting resources with user's backend roles. This will be protected behind a configuration that is off by default and must be explicitly turned on to allow. |
Hi @peternied , thank you for putting all these together. I'm voting to option3. |
We are going with |
Thanks @peternied for writing this up. Sounds like we should define a generic Transport Message which encapsulates User identity and use it as a base Request for all extension messages.
Also, Plugins dont have a way today to get User identity on Rest APIs today which is why they write transport APIs to access User information. As part of this work, could we expose generic interfaces to access this information at Rest layer for both Plugins/Extensions ? |
How to support extensions parity for user information
This issue is meant to decide how information user should be provided to extensions based on exiting behavior for plugins
Background
Many existing plugins reference common-utils User object. For plugins that implement security checks on resources these are the limits of the existing security information that is exposed.
Example user object represented as JSON
Problem
User context information is stored within the thread context. Extensions should never have access to the thread context and there must be a way to reason decisions about user with existing data.
Option 0: Don't provide user information
In this option extensions do not have support for existing scenarios where reasoning is done about the user identity or resource checks.
For each plugin -> extension migration the plugin would need to find any dependencies on User data and remove them. This might require modification or deprecation of features
Pros:
Cons
Option 1: Include user information on all requests to extensions
In this option, changes would be made to the RestSendToExtensionAction, the user information is collected from the existing thread context and provided to the extension as part of the payload of the ExtensionRestRequest. Extension would be able to retrieve this information as an object and use it for new / existing scenarios.
Pros:
Cons:
Option 2: Build new security features to support exist plugin scenarios
In this option for all scenarios different scenarios that user information is used new features / API would be build to support individual requirements. For Anomaly Detection detector ownership check, an object that represented the identity of the caller, but encrypted would be provided. This object would be comparable as before if a user making a request != the representative identity but would not expose the username/email etc. There would need to be many additional scenarios supported.
Pros:
Cons:
Option 3: Include user information on requests to extensions restricted with 'LEGACY' scope [Recommended]
In this option we would use the approach from Option 1, but the information would not be included by default, the field would be annotated with a deprecation message. Only if the extension was permitted to a
legacy_user_context
scope would the information be included and it would be removed from the extensions SDK in a future release.Pros:
Cons:
The text was updated successfully, but these errors were encountered: