Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature/Identity] Identity Module and tokens for internal authentication #5471

Closed
wants to merge 93 commits into from
Closed

[Feature/Identity] Identity Module and tokens for internal authentication #5471

wants to merge 93 commits into from

Conversation

cwperks
Copy link
Member

@cwperks cwperks commented Dec 6, 2022
edited
Loading

Description

Opening a draft PR to solicit feedback for implementation of internal authentication.

This PR introduces a new sandbox module identity that will use some of the existing extension points that the security plug-in does to authenticate rest requests and pass a token around on the header of the threadcontext of a task that identifies the user and can subsequently be used for authorization.

This new identity module uses a few existing extension points from the ActionPlugin and the NetworkPlugin.

From the ActionPlugin this branch uses:

  • getRestHandlerWrapper to provide a wrapper that handles authentication. As of now, there is only a Basic auth mechanism that uses the internal IdP in this feature branch to authenticate the user and return a 403 if the request cannot be authenticated
  • getActionFilters - This branch introduces an AuthorizationFilter that is intended to be used to perform authorization. This is mostly pass-through at the moment and right now it verifies that a token is present and valid before the TransportRequest performs its doExecute

From the NetworkPlugin this uses:

  • getTransportInterceptors - The transport interceptor intercepts outgoing TransportRequests and can modify the request before its sent to another node. When testing this branch, I ran into problems with how the TransportMessageListener intercepted outgoing requests as the ThreadContext was not available to inspect to ensure that the token that received the RestRequest created a token before sending the transport request to other nodes. When running the test its clear to see that other nodes received it the created token, but the message listener is unable to get it because of how its wrapped in an ActionListener in OutboundHandler:
void sendRequest(...) throws IOException, TransportException {
        Version version = Version.min(this.version, channelVersion);
        OutboundMessage.Request message = new OutboundMessage.Request(
            threadPool.getThreadContext(),
            features,
            request,
            version,
            action,
            requestId,
            isHandshake,
            compressRequest
        );
        ActionListener<Void> listener = ActionListener.wrap(() -> messageListener.onRequestSent(node, requestId, action, request, options));
        sendMessage(channel, message, listener);
    }

The transport interceptor has access to the ThreadContext and the tests will be updated to use the interceptor.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

cwperks and others added 15 commits November 21, 2022 15:00
@cwperks
Create auth token after successful authc + authz for internal transpo…
a01cb3e 
…rt actions to identify the subject

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
WIP adding internalClusterTest
9b176f3 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
WIP on internal tokens
ba989cc 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
WIP on internal tokens distributed through the cluster
7fca5b5 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
WIP on internal tokens
d7324d0 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Merge branch 'feature/identity' into internal-tokens
1cf3bb2
@Rishikesh1159
Fix flaky ShardIndexingPressureConcurrentExecutionTests (opensearch-p…
0bd3141 
…roject#5439)

Add conditional check on assertNull to fix flaky tests.

Signed-off-by: Rishikesh1159 <rishireddy1159@gmail.com>
@cwperks
Add missing import
4662fb9 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Create identity module
8277f5a 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Test rest wrapper with gradlew run
0c62564 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@dhwanilpatel
Fix bwc for cluster manager throttling settings (opensearch-project#5305
913cb3a 
)

Signed-off-by: Dhwanil Patel <dhwanip@amazon.com>
@cwperks
Add HttpSmokeTestCaseWithIdentity
750134e 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@reta
Update ingest-attachment plugin dependencies: Apache Tika 3.6.0, Apac…
5500114 
…he Mime4j 0.8.8, Apache Poi 5.2.3, Apache PdfBox 2.0.27 (opensearch-project#5448)

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
@cwperks
WIP on verifying tokens passed through the cluster test
e136240 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Remove sysout in RestClient
c3e3712 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Copy link
Contributor

github-actions bot commented Dec 6, 2022

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

github-actions bot commented Dec 6, 2022

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

github-actions bot commented Dec 6, 2022

Gradle Check (Jenkins) Run Completed with:

@cwperks
Create and use TokenInterceptorPlugin for IT
ca619bb 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Copy link
Contributor

github-actions bot commented Dec 7, 2022

Gradle Check (Jenkins) Run Completed with:

@cwperks
Add to CHANGELOG
c7f0844 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Copy link
Contributor

github-actions bot commented Dec 7, 2022

Gradle Check (Jenkins) Run Completed with:

@cwperks
Add package-info and disable missingJavadoc for identity module
8d321cd 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Copy link
Contributor

github-actions bot commented Dec 7, 2022

Gradle Check (Jenkins) Run Completed with:

ashking94 and others added 2 commits December 7, 2022 23:01
@ashking94
Enhance CheckpointState to support no-op replication (opensearch-proj…
1069660 
…ect#5282)

* CheckpointState enhanced to support no-op replication

Signed-off-by: Ashish Singh <ssashish@amazon.com>
Co-authored-by: Bukhtawar Khan<bukhtawa@amazon.com>
@cwperks
Remove sysouts in ActionModule
ce1ee4b 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Copy link
Contributor

github-actions bot commented Dec 7, 2022

Gradle Check (Jenkins) Run Completed with:

@cwperks
Run spotlessApply
40bc815 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Run spotlessApply on identity module
a47fc78 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Fix :sandbox:modules:identity:loggerUsageCheck
de33925 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
noCharger and others added 3 commits December 14, 2022 14:39
@noCharger @dblock
Refactor fuzziness interface on query builders (opensearch-project#5433)
d3f6dfa 
* Refactor Object to Fuzziness type for all query builders

Signed-off-by: noCharger <lingzhichu.clz@gmail.com>

* Revise on bwc

Signed-off-by: noCharger <lingzhichu.clz@gmail.com>

* Update change log

Signed-off-by: noCharger <lingzhichu.clz@gmail.com>

Signed-off-by: noCharger <lingzhichu.clz@gmail.com>
Co-authored-by: Daniel (dB.) Doubrovkine <dblock@amazon.com>
@cwperks
Remove identity.disabled in full-cluster-restart/build.gradle
22695a6 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Disable identity module by default and add setting to enable
a3b6216 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@cwperks
Set default to false
88232b7 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

cwperks and others added 2 commits December 14, 2022 17:08
@cwperks
Test identity module with identity enabled
27db2a1 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@dreamer-89 @opensearch-ci-bot @dblock
Upgrade lucene version (opensearch-project#5570)
0475d1c 
* Added bwc version 2.4.2

Signed-off-by: Daniel (dB.) Doubrovkine <dblock@amazon.com>

* Added 2.4.2.

Signed-off-by: Daniel (dB.) Doubrovkine <dblock@amazon.com>

* Update Lucene snapshot to 9.5.0-snapshot-d5cef1c

Signed-off-by: Suraj Singh <surajrider@gmail.com>

* Update changelog entry

Signed-off-by: Suraj Singh <surajrider@gmail.com>

* Add 2.4.2 bwc version

Signed-off-by: Suraj Singh <surajrider@gmail.com>

* Internal changes post lucene upgrade

Signed-off-by: Suraj Singh <surajrider@gmail.com>

Signed-off-by: Daniel (dB.) Doubrovkine <dblock@amazon.com>
Signed-off-by: Suraj Singh <surajrider@gmail.com>
Co-authored-by: opensearch-ci-bot <opensearch-ci-bot@users.noreply.github.com>
Co-authored-by: Daniel (dB.) Doubrovkine <dblock@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@dreamer-89
Copy link
Member

dreamer-89 commented Dec 14, 2022
edited
Loading

Gradle Check (Jenkins) Run Completed with:

Failing due to version bump after 2.4.1 release. #5560.

* What went wrong:
Execution failed for task ':distribution:bwc:bugfix:buildBwcLinuxTar'.
> Building 2.4.1 didn't generate expected file /var/jenkins/workspace/gradle-check/search/distribution/bwc/bugfix/build/bwc/checkout-2.4/distribution/archives/linux-tar/build/distributions/opensearch-min-2.4.1-SNAPSHOT-linux-x64.tar.gz

@cwperks
Set identity enabled in HttpSmokeTestCaseWithIdentity
459c18e 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@dreamer-89
Copy link
Member

@cwperks : Can you please rebase your changes against latest changes in main ?

@cwperks
Copy link
Member Author

cwperks commented Dec 14, 2022
edited
Loading

@dreamer-89 Thank you for checking on that. Was that build issue resolved with this PR (#5570)? I will merge the latest from main into the identity feature branch and rebase this branch.

@dreamer-89
Copy link
Member

@dreamer-89 Thank you for checking on that. Was that build issue resolved with this PR (#5570)? I will merge the latest from main into the identity feature branch and rebase this branch.

Thanks @cwperks. Yes, issue is resolved on latest main. Please let know if you see any other issue on main.

@zelinh
Add CI bundle pattern to distribution download (opensearch-project#5348)
fe8fd67 
* Add CI bundle pattern for ivy repo

Signed-off-by: Zelin Hao <zelinhao@amazon.com>

* Gradle update

Signed-off-by: Zelin Hao <zelinhao@amazon.com>

* Extract path

Signed-off-by: Zelin Hao <zelinhao@amazon.com>

* Change with customDistributionDownloadType

Signed-off-by: Zelin Hao <zelinhao@amazon.com>

* Add default for exception handle

Signed-off-by: Zelin Hao <zelinhao@amazon.com>

* Add documentations

Signed-off-by: Zelin Hao <zelinhao@amazon.com>

Signed-off-by: Zelin Hao <zelinhao@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@codecov-commenter
Copy link

codecov-commenter commented Dec 14, 2022
edited
Loading

Codecov Report

Merging #5471 (1d56fa3) into feature/identity (31bcda6) will decrease coverage by 0.00%.
The diff coverage is 60.78%.

@@                  Coverage Diff                   @@
##             feature/identity    #5471      +/-   ##
======================================================
- Coverage               71.01%   71.00%   -0.01%     
- Complexity              58149    58509     +360     
======================================================
  Files                    4711     4768      +57     
  Lines                  277573   278956    +1383     
  Branches                40180    40296     +116     
======================================================
+ Hits                   197122   198079     +957     
- Misses                  64293    64783     +490     
+ Partials                16158    16094      -64
Impacted Files Coverage Δ
...search/transport/Netty4NioServerSocketChannel.java 0.00% <0.00%> (ø)
.../java/org/opensearch/transport/NettyAllocator.java 45.45% <0.00%> (ø)
...rch/authn/internal/InternalAccessTokenManager.java 0.00% <0.00%> (ø)
.../opensearch/authn/jwt/BadCredentialsException.java 0.00% <0.00%> (ø)
.../opensearch/authn/noop/NoopAccessTokenManager.java 0.00% <0.00%> (ø)
.../java/org/opensearch/authn/tokens/AccessToken.java 0.00% <0.00%> (ø)
.../java/org/opensearch/identity/ConfigConstants.java 0.00% <0.00%> (ø)
...rg/opensearch/identity/ThreadContextConstants.java 0.00% <0.00%> (ø)
.../main/java/org/opensearch/action/ActionModule.java 99.11% <ø> (+1.47%) ⬆️
...tion/admin/cluster/state/ClusterStateResponse.java 80.00% <0.00%> (-2.36%) ⬇️
... and 590 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

dependabot bot and others added 3 commits December 14, 2022 15:32
@dependabot @owaiskazi19 @dreamer-89
Bump protobuf-java from 3.21.9 to 3.21.11 in /plugins/repository-hdfs (
cb26035 
…opensearch-project#5519)

* Bump protobuf-java from 3.21.9 to 3.21.11 in /plugins/repository-hdfs

Bumps [protobuf-java](https://github.com/protocolbuffers/protobuf) from 3.21.9 to 3.21.11.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/generate_changelog.py)
- [Commits](protocolbuffers/protobuf@v3.21.9...v3.21.11)

---
updated-dependencies:
- dependency-name: com.google.protobuf:protobuf-java
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Updating SHAs

Signed-off-by: dependabot[bot] <support@github.com>

* Updated changelog

Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <dependabot[bot]@users.noreply.github.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Suraj Singh <surajrider@gmail.com>
@cwperks
Remove added Version
68efc49 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Merge branch 'main' into internal-tokens
d53c4b8
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@cwperks
Re-enable tests with many async requests
1d56fa3 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@cwperks
Remove changes in OpenSearchRestTestCase
4ddbd03 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Copy link
Member Author

cwperks commented Dec 15, 2022

I opened a separate PR after a recent merge with main into feature/identity to squash these commits and simplify. Closing this PR in favor of: #5583

@cwperks cwperks closed this Dec 15, 2022
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@peternied peternied mentioned this pull request Jan 16, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peternied peternied peternied left review comments

@reta reta Awaiting requested review from reta reta will be requested when the pull request is marked ready for review reta is a code owner

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz will be requested when the pull request is marked ready for review anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross will be requested when the pull request is marked ready for review andrross is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar will be requested when the pull request is marked ready for review Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE will be requested when the pull request is marked ready for review CEHENKLE is a code owner

@dblock dblock Awaiting requested review from dblock dblock will be requested when the pull request is marked ready for review dblock is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna will be requested when the pull request is marked ready for review gbbafna is a code owner

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal will be requested when the pull request is marked ready for review kotwanikunal is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 will be requested when the pull request is marked ready for review mch2 is a code owner

@nknize nknize Awaiting requested review from nknize nknize will be requested when the pull request is marked ready for review nknize is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 will be requested when the pull request is marked ready for review owaiskazi19 is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 will be requested when the pull request is marked ready for review Rishikesh1159 is a code owner

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli will be requested when the pull request is marked ready for review saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja will be requested when the pull request is marked ready for review shwetathareja is a code owner

@dreamer-89 dreamer-89 Awaiting requested review from dreamer-89 dreamer-89 will be requested when the pull request is marked ready for review dreamer-89 is a code owner

@tlfeng tlfeng Awaiting requested review from tlfeng tlfeng will be requested when the pull request is marked ready for review tlfeng is a code owner

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah will be requested when the pull request is marked ready for review VachaShah is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.