Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add documentation for on-behalf-of token authorization #4411

Closed
wants to merge 8 commits into from
Closed

Add documentation for on-behalf-of token authorization #4411

wants to merge 8 commits into from

Conversation

cwillum
Copy link
Contributor

@cwillum cwillum commented Jun 28, 2023

Description

On-behalf-of tokens will allow users to authorize services running with OpenSearch on their behalf. The first use case for this token is the Security extension.

Issues Resolved

Fixes #4388

Checklist

  • By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and subject to the Developers Certificate of Origin.
    For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwillum
fix#4388 obo token authz
b98d47e 
Signed-off-by: cwillum <cwmmoore@amazon.com>
@cwillum cwillum added 2 - In progress Issue/PR: The issue or PR is in progress. security release-notes PR: Include this PR in the automated release notes v2.9.0 labels Jun 28, 2023
@cwillum cwillum requested a review from hdhalter as a code owner June 28, 2023 03:09
@cwillum cwillum self-assigned this Jun 28, 2023
cwillum added 2 commits June 28, 2023 12:00
@cwillum
fix#4388 obo token authz
18317d5 
Signed-off-by: cwillum <cwmmoore@amazon.com>
@cwillum
fix#4388 obo token authz
3ce5abd 
Signed-off-by: cwillum <cwmmoore@amazon.com>
@cwillum
Copy link
Contributor Author

cwillum commented Jun 29, 2023

Pausing this for 2.9. If it doesn't get fresh attention between release cycles, it will be an issue for 2.10.

@cwillum cwillum added 1 - Backlog Issue: The issue is unassigned or assigned but not started v2.10.0 and removed 2 - In progress Issue/PR: The issue or PR is in progress. v2.9.0 release-notes PR: Include this PR in the automated release notes labels Jun 29, 2023
@cwillum cwillum marked this pull request as draft June 29, 2023 19:25
@cwillum
Copy link
Contributor Author

cwillum commented Jul 12, 2023

Pushed to 2.10.

@hdhalter hdhalter added this to the v2.10 milestone Jul 12, 2023
cwillum added 2 commits August 24, 2023 13:06
@cwillum
fix#4388 obo token authz
9370ca9 
Signed-off-by: cwillum <cwmmoore@amazon.com>
@cwillum
fix#4388 obo token authz
3e2b4e6 
Signed-off-by: cwillum <cwmmoore@amazon.com>
@cwillum cwillum added 2 - In progress Issue/PR: The issue or PR is in progress. and removed 1 - Backlog Issue: The issue is unassigned or assigned but not started labels Aug 25, 2023
@cwillum cwillum marked this pull request as ready for review August 25, 2023 00:37
@cwillum
Copy link
Contributor Author

cwillum commented Aug 30, 2023

@RyanL1997 I'm getting near to completing a rough draft for OBO authentication. A few questions remain:

  • Has anything changed in configuration/usage since the documentation issue [DOC] Add documentation for OnBehalfOf Authentication #4388 was created?
  • You can see I've created some questions in comments (inline with text in "Files changed"). Basically they have to do with authc configuration in the config.yml file (see changes). The JWT auth domain doesn't appear to require an encryption_key setting in its configuration. Is there a special use here for OBO? Are there additional configuration settings for OBO that carry over from a JWT domain configuration (e.g., challenge to false, the jwt_header, set authentication_backend type to noop)?
  • I'm not quite clear on the "Roles in OBO's Payload" section in the documentation issue. What is this about? Where is this configured? Is there more information somewhere about the part this plays in OBO and how it's used?

Thanks.

@cwillum
fix#4388 obo token authz
6f30302 
Signed-off-by: cwillum <cwmmoore@amazon.com>
@hdhalter hdhalter added v2.11.0 and removed v2.10.0 labels Sep 8, 2023
@Naarcha-AWS Naarcha-AWS assigned Naarcha-AWS and unassigned cwillum Oct 3, 2023
@hdhalter hdhalter added v2.12.0 and removed v2.11.0 labels Oct 10, 2023
@hdhalter hdhalter removed this from the v2.10 milestone Oct 10, 2023
@hdhalter hdhalter added 3 - Tech review PR: Tech review in progress and removed 2 - In progress Issue/PR: The issue or PR is in progress. labels Oct 23, 2023
@hdhalter hdhalter mentioned this pull request Nov 3, 2023
Merged
1 task
@hdhalter hdhalter added Closed - Duplicate or Cancelled Issue: Nothing to be done and removed v2.12.0 3 - Tech review PR: Tech review in progress labels Feb 1, 2024
@hdhalter hdhalter deleted the fix#4388-obo-token branch March 28, 2024 21:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hdhalter hdhalter Awaiting requested review from hdhalter

@kolchfa-aws kolchfa-aws Awaiting requested review from kolchfa-aws kolchfa-aws is a code owner

@Naarcha-AWS Naarcha-AWS Awaiting requested review from Naarcha-AWS Naarcha-AWS is a code owner

@vagimeli vagimeli Awaiting requested review from vagimeli

@ananzh ananzh Awaiting requested review from ananzh

@seanneumann seanneumann Awaiting requested review from seanneumann

@AMoo-Miki AMoo-Miki Awaiting requested review from AMoo-Miki AMoo-Miki is a code owner

@natebower natebower Awaiting requested review from natebower natebower is a code owner

Assignees

@Naarcha-AWS Naarcha-AWS

Labels
Closed - Duplicate or Cancelled Issue: Nothing to be done security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[DOC] Add documentation for OnBehalfOf Authentication
3 participants
@cwillum @Naarcha-AWS @hdhalter