-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement IdentityPlugin in Security plugin #3538
Implement IdentityPlugin in Security plugin #3538
Conversation
src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecuritySubject.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecuritySubject.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
Blocked by: opensearch-project/OpenSearch#10614 |
src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Outdated
Show resolved
Hide resolved
Codecov Report
@@ Coverage Diff @@
## main #3538 +/- ##
=========================================
+ Coverage 0 5.60% +5.60%
- Complexity 0 238 +238
=========================================
Files 0 283 +283
Lines 0 20661 +20661
Branches 0 3395 +3395
=========================================
+ Hits 0 1159 +1159
- Misses 0 19312 +19312
- Partials 0 190 +190
|
src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecuritySubject.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
Need to make this change: opensearch-project/OpenSearch#10664 We don't want people to have to provide absolute times in JSON form. Right now we are running into an issue like this where the calculated time expects a Second value to be provided in the case of a JSON is used to request the token settings. But then it auto-propagates the fields with a millisecond absolute time value. We want our times to be in similar magnitude not way out of scale like this: Max expiry time is: 1697562174 Or running into issues with conversion like this: Max expiry time is: 1697562174 |
src/main/java/org/opensearch/security/identity/SecuritySubject.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
….java Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
8e8cea0
to
0d86259
Compare
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Design/refactoring is done so I'm marking this change ready for review as there were changes from the original version of this change. In the meanwhile, I'll be adding & cleaning up the tests. |
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/authtoken/jwt/ExpiringBearerAuthToken.java
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Thanks @cwperks & @DarshitChanpura I've responded to all feedback and resolved all threads - let me know what you think. |
src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
Outdated
Show resolved
Hide resolved
- Added test case to verify when OBO is disabled the correct response is recieved - Added test case where the signing key is rotated - Patched up a bug where insufficent signing key complexity would only be caught when decrypting, but not configuring cluster. Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Show resolved
Hide resolved
src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
Show resolved
Hide resolved
Signed-off-by: Peter Nied <petern@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have one more question around backend_roles, but otherwise this PR looks good to me.
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good just a few comments but otherwise seems all set!
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Show resolved
Hide resolved
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Show resolved
Hide resolved
@cwperks @DarshitChanpura Anything holding up approval of this PR? |
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3538-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 467645241d42c8ae02166c4d41d3e7aa5edafdc7
# Push it to GitHub
git push --set-upstream origin backport/backport-3538-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x Then, create a pull request where the |
Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Peter Nied <petern@amazon.com> Co-authored-by: Peter Nied <petern@amazon.com>
Description
This change implements the IdentityPlugin interface inside the Security Plugin codebase.
This change adds the methods
getSubject
andgetTokenManager
. It also adds a new classSecurityTokenManager
which handles the issuance of Service Account tokens and OBO tokens. This is done by having the token manager wrap the appropriate methods inside theUserService
(for service accounts) andJwtVendor
(for OBO tokens).Issues Resolved
This issue addresses the final check box for: #3176
Testing
This change adds tests for issuing the tokens using the SecurityTokenManager. The other functionality has already been tested by the supporting classes.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.