-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Question] Service Account Specifications #2597
Comments
x-posting comment from PR: #2594 (comment)
Once the concept of the service account is introduced, an API to list service accounts should be created and we can also start linking it to the extensions use-case like you are doing here to create one on extension registration. |
Hi @cwperks, thank you for taking the time to cross post this. I think some of these we can leave till after the initial POC demonstrates the functionality of Service Accounts. Right now, I am planning on the initial POC demonstrating:
To your other points, I don't have any immediate implementations of them. I am not sure I understand the benefit of restricting service accounts to a single role or not allowing backend roles. What is the concern about allowing either? Modifying the internalUsers API to not show Service Accounts sounds like a good idea (though a change that can come at a later date). Aside from from that why can't we allow for the other functionality? An extension could always request a new account if its account were deleted so I am not sure why we would prevent an administrator for interacting with service accounts. |
@scrawfor99 Sounds good, for plugins requesting to create a system index do you think we can create a token as part of the bootstrap process (assuming the cluster admin grants installation of the extension) that extensions go through on startup? In addition to the extensionUniqueId, we could also consider namespacing the account like |
Hi @cwperks, I think that your suggestion for the bootstrapping token process sounds like a good option. I will need to think about it a little more to hash out the specifics but I can prioritize it as the next aspect of the POC after initial implementation. I agree that we should prioritize AD use cases since that is the first scenario. I just wanted to take the opportunity to document some of the situations that had impacted design decisions thus far. As far as cases of an extension stashing the thread context, my hope is that we can treat these scenarios identically to any other extension-originated request. I know it is a specialized case but my goal would be to abstract the handling in such a way that the actual operation the extension performs is largely irrelevant to the code. I will need to look more into AD soon to understand how it works better but for the time being, I am going off the assumption that we can treat all extensions interchangeably from the Security Plugin's POV. |
Hi @opensearch-project/security, I am going to make some executive decisions to try to drive these questions to a resolution. For each of the points below, I will be moving forward unless I hear objections by Monday 4/3.
|
@scrawfor99 I think these are good starting points. Q1: As users can be created via REST API. Can service accounts be created in this same way?
Q2: Are there new customer facing REST APIs that will need to be created?
Q3: RE: Can an extension have more than one service account?
|
@scrawfor99 See responses below. In general, I like the idea of introducing the concept of a service account that can be extended more generally outside of extensions alone, and for the extensions use-case I think we can create one automatically for extensions requesting reserved (
|
@cwperks Service accounts are a new concept we are adding to support extensions requests that do not use on-behalf-of tokens, such as calling system indexes. As long as the extension can make a request with the account and the administrator can control the accounts permissions I think those are the requirements. Are there requirements that are missing? I think we could expand / alter the implementation after the initial release that could support different restrictions as you've mentioned. |
@peternied That works for me. I agree that we should first target getting a token to an extension and showing the token utilizing the token to interact with its system index. I think there will need to be a way to identify that the token being utilized is from a service account so that https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java#L124-L128 can be modified to permit the request coming from a service account that owns the index. |
Problem Statement
This issue tracks specific design questions about Service Accounts.
What type of REST requests are intended for extensions?
How does the Security Plugin interact with REST requests?
What is the current method of signifying things?
Action items decided on this issue:
In order to make extension registration tied to service accounts, the obvious choice appears to be forcing the extension to check in with the Security Plugin.
Using this method, we can force an extension to request a service account from the Security Plugin during registration and make the extension responsible for tracking its account credentials.
On service startup, all extenesions are loaded, and scopes are validated.
For every extensions they make a call to enable or disable service accounts:
'Enabled: true'
'Enabled: false'
, do not return the account to OpenSearch core.The current design implements service accounts in a similar manner to a standard internal user account. This extends to the storage of service accounts which places the service accounts inside the configuration index of the Security Plugin.
There are two main options for whether service accounts should be different from normal internal user accounts.
"service":"true"
but otherwise there should be no specifications as to the types of properties a service account should have.The second option is to restrict the properties associated with a service account. For example:
This option adds specific requirements to service accounts and enforces rules based on an account's status. This option may still require the addition of new attributes such as the above mentioned
service
field.The current plan is for an extension to use its service account for:
There are two main options for whether an extension should be able to have more than one service account.
Flow Diagrams
The text was updated successfully, but these errors were encountered: