Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expanding Authentication with SecurityRequest Abstraction #3430

Merged
merged 53 commits into from
Oct 6, 2023

Conversation

peternied
Copy link
Member

@peternied peternied commented Oct 1, 2023

Description

Introduced a new abstraction, SecurityRequest & SecurityRequestChannel, to streamline and secure the authentication process in the OpenSearch Security plugin. By isolating the essential request components needed for authentication, we minimize potential risks associated with previous designs and provide a more maintainable architecture.

graph TD
    A[SecurityRequestFactory] -->|Creates| E[SecurityRequest]
    A -->|Creates| B[SecurityRequestChannel]
    C[Netty Channel Handler] -->|Provides data to| A
    D[OpenSearch Rest Controller] -->|Provides data to| A
    
    subgraph SecurityRequest Objects
        E --> B[SecurityRequestChannel]
    end
    
    B --> |Used in| SecurityFilter
    B --> |Used in| BackendRegistry
    B --> |Used in| HttpAuthenticator

    style A fill:#f9d,stroke:#333,stroke-width:2px;
    style B fill:#afd,stroke:#333,stroke-width:2px;
    style C fill:#fea,stroke:#333,stroke-width:2px;
    style D fill:#fea,stroke:#333,stroke-width:2px;
    style E fill:#afd,stroke:#333,stroke-width:2px;


Loading

To Do items:

  • Unit tests for new components
  • Check code coverage on impacted changes, add / update tests

Issues Resolved

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
…equest

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
@codecov
Copy link

codecov bot commented Oct 1, 2023

Codecov Report

Merging #3430 (e7b0916) into main (bfba97a) will increase coverage by 0.02%.
The diff coverage is 64.85%.

Impacted file tree graph

@@             Coverage Diff              @@
##               main    #3430      +/-   ##
============================================
+ Coverage     64.57%   64.60%   +0.02%     
- Complexity     3549     3573      +24     
============================================
  Files           269      275       +6     
  Lines         20365    20451      +86     
  Branches       3377     3382       +5     
============================================
+ Hits          13151    13212      +61     
- Misses         5526     5544      +18     
- Partials       1688     1695       +7     
Files Coverage Δ
...ava/org/opensearch/security/auditlog/AuditLog.java 100.00% <ø> (ø)
...security/auditlog/AuditLogSslExceptionHandler.java 57.14% <ø> (ø)
...org/opensearch/security/auditlog/NullAuditLog.java 0.00% <ø> (ø)
...earch/security/auditlog/impl/AbstractAuditLog.java 76.59% <ø> (ø)
...pensearch/security/auditlog/impl/AuditLogImpl.java 88.09% <ø> (ø)
...ava/org/opensearch/security/auth/UserInjector.java 90.66% <ø> (ø)
...arch/security/dlic/rest/api/AbstractApiAction.java 88.61% <100.00%> (ø)
...earch/security/dlic/rest/api/NodesDnApiAction.java 89.74% <ø> (ø)
...rity/dlic/rest/api/RestApiPrivilegesEvaluator.java 69.23% <100.00%> (+0.15%) ⬆️
...curity/dlic/rest/validation/EndpointValidator.java 94.20% <ø> (ø)
... and 32 more

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
@peternied peternied added backport 2.x backport to 2.x branch backport 2.11 Backport to 2.11 branch labels Oct 5, 2023
Copy link
Collaborator

@RyanL1997 RyanL1997 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @peternied, great change. I just left some comments

@peternied peternied merged commit f435c05 into opensearch-project:main Oct 6, 2023
60 checks passed
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3430-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 f435c052a826b15683b8a6a6f2ccd9dd107070f9
# Push it to GitHub
git push --set-upstream origin backport/backport-3430-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3430-to-2.x.

@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.11 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.11 2.11
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.11
# Create a new branch
git switch --create backport/backport-3430-to-2.11
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 f435c052a826b15683b8a6a6f2ccd9dd107070f9
# Push it to GitHub
git push --set-upstream origin backport/backport-3430-to-2.11
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.11

Then, create a pull request where the base branch is 2.11 and the compare/head branch is backport/backport-3430-to-2.11.

peternied added a commit to peternied/security that referenced this pull request Oct 6, 2023
…ion (opensearch-project#3430)

Introduced a new abstraction, SecurityRequest & SecurityRequestChannel,
to streamline and secure the authentication process in the OpenSearch
Security plugin. By isolating the essential request components needed
for authentication, we minimize potential risks associated with previous
designs and provide a more maintainable architecture.

Signed-off-by: Peter Nied <petern@amazon.com>
(cherry picked from commit f435c05)
peternied added a commit to peternied/security that referenced this pull request Oct 6, 2023
…tion (opensearch-project#3430)

Introduced a new abstraction, SecurityRequest & SecurityRequestChannel,
to streamline and secure the authentication process in the OpenSearch
Security plugin. By isolating the essential request components needed
for authentication, we minimize potential risks associated with previous
designs and provide a more maintainable architecture.

Signed-off-by: Peter Nied <petern@amazon.com>
(cherry picked from commit f435c05)
DarshitChanpura pushed a commit that referenced this pull request Oct 6, 2023
…tion (#3430) (#3488)

Backport of f435c05 from #3430

Signed-off-by: David Osorno <daosgu27@gmail.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: opensearch-trigger-bot[bot] <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Andrey Pleskach <ples@aiven.io>
DarshitChanpura pushed a commit that referenced this pull request Oct 6, 2023
…ion (#3430) (#3487)

Backport of f435c05 from #3430

Introduced a new abstraction, SecurityRequest & SecurityRequestChannel,
to streamline and secure the authentication process in the OpenSearch
Security plugin. By isolating the essential request components needed
for authentication, we minimize potential risks associated with previous
designs and provide a more maintainable architecture.

Signed-off-by: Peter Nied <petern@amazon.com>
(cherry picked from commit f435c05)
@peternied peternied deleted the headerverifier branch October 17, 2023 09:38
peternied added a commit to peternied/security that referenced this pull request Nov 8, 2023
…ion (opensearch-project#3430)

Backport of f20cc68 from opensearch-project#3430

Introduced a new abstraction, SecurityRequest & SecurityRequestChannel,
to streamline and secure the authentication process in the OpenSearch
Security plugin. By isolating the essential request components needed
for authentication, we minimize potential risks associated with previous
designs and provide a more maintainable architecture.

Signed-off-by: Peter Nied <petern@amazon.com>
(cherry picked from commit f20cc68)
peternied added a commit that referenced this pull request Nov 14, 2023
…ion (#3487) (#3670)

Backport of f20cc68 from #3430

Introduced a new abstraction, SecurityRequest & SecurityRequestChannel,
to streamline and secure the authentication process in the OpenSearch
Security plugin. By isolating the essential request components needed
for authentication, we minimize potential risks associated with previous
designs and provide a more maintainable architecture.

Signed-off-by: Peter Nied <petern@amazon.com>
(cherry picked from commit f20cc68)

Signed-off-by: Peter Nied <petern@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x backport to 2.x branch backport 2.11 Backport to 2.11 branch v2.11.0 Issues targeting the 2.11 release
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants