-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Documentation] Documentation guidance for Service Accounts + OnBehalfOf Authentication #3290
Comments
Hi @RyanL1997 thanks for filing this issue. I can definitely help you with the Service Accounts and anything else you may need related to this. |
[Triage] This is an item for service accounts and on behalf of tokens. |
On-Behalf-Of Authentication1.0 UsageOn-behalf-of tokens are a special form of JSON Web Token used for managing authentication requests between a user's client and an extension. These tokens operate "just-in-time," meaning that a token is issued just before it is required for authentication. A token will have a configurable window of validity (with a maximum duration of five minutes) after which it expires and cannot be used. On-behalf-of tokens will allow an extension to interact with the OpenSearch cluster using the same privileges as the initiating user (the reason the tokens are “on-behalf-of”). However, since these tokens do not have any restrictions in place, they also provide services the ability to operate as if they are the original user until token expiration. This implies that this feature can be used more broadly and is not limited to extension related use cases. 2.0 ConfigurationIn the security config file, the on-behalf-of configuration is located under the dynamic config section. It contains the signing key for the token signature and the encryption key for the token payload (role information) decryption:
The encoding algorithm is HMAC SHA512 by default for the signing of the JWT. Both the signing key and encryption key are Base64 encoded and stored on the file system of the OpenSearch node. The keys should be the same on all hosts, otherwise it encryption and decryption operations may fail. Deployment of these keys is managed by the cluster operator. 3.0 Token StructureThe payload of an on-behalf-of token must include all standard configurations of a JWT (JSON Web Token), along with encrypted and decrypted roles. Depending on the setting of the "Plugin Backward Compatibility Mode," backend roles should also be incorporated into role claims. It is important to note that the absence of any of these claims will result in a malformed token, failing to meet the required standard for authentication. The on-behalf-of token contains the following claims:
The OpenSearch security plugin will be responsible for handling encryption and decryption processes. This approach ensures the protection of user information, even when traversing the trust boundary between OpenSearch and any third party services. 3.0 API EndpointThere will be an new API endpoint To access this API endpoint, the request body should contain three API parameters:
4.0 Additional Authorization Restriction (related discussion)While the conversation about the usage of on-behalf-of (OBO) tokens continues, it is critical to manage certain edge cases. Even though an OBO token can act as a valid Bearer authorization header for any API access, there needs to be certain limitations. For instance, it should be forbidden to use an OBO token to access the API endpoint to issue another OBO token. Similarly, using an OBO token to access the reset password API in order to modify a user's authentication information should be disallowed. These preventive measures are necessary to uphold the integrity and security of the system. |
Service Accounts1.0 Introduction of Service AccountsService Accounts are a new authC/authZ path where extensions can execute requests without assuming the role(s) of the active user. Service Accounts are a special type of principal associated with each extension and have a set of permissions. The permissions assigned to a Service Account grant the associated extension the authorization to execute any of the mapped operations without needing to assume the roles of the active user or stash the user’s role(s) in the ephemeral user context. Currently, Service Account only permit operations on system indices associated with the mapped extension. 2.0 Service Account BackgroundBefore the introduction of Service Accounts, it was not possible for an extension to execute a request without assuming the roles of the active user. Instead, when a request is processed, an ephemeral “Plugin User” was created. The Plugin User then assumed all the permissions of the currently authenticated operator (human user). The result was a Plugin User which acted on the extension’s behalf but had all of the privileges of the operator. In this way, the previous model can be said to have had extensions “impersonate” the operator. This impersonation approach lead to two main issues:
3.0 Service Account BenefitService Accounts address the issues listed in 2.0 by defining a separate state which autonomously executing extensions run in. Service Accounts maintain referential integrity by introducing a distinct state which extensions run in when executing requests on their own behalf. Audit logging can then record when an extension executes on its own—it will make authC/authZ calls against the Service Account—or whether it is executing an action on behalf of the operator and therefore making use of the OnBehalfOf tokens. Similarly, Service Accounts address threat exposure concerns by separating the roles an extension assumes from those of the operator or a generic hard coded user (such as those in the 4.0 API EndpointAs suggested by the name, the boolean flag
|
Handling on-behalf-of & Service Account RequestsWhile both on-behalf-of token handling and Service Accounts can be viewed as independent features, the most significant benefits are realized when coupled. Specifically, OpenSearch exposes a client which is used to connect to the OpenSearch cluster and provides Plugins the ability to execute requests. With the introduction of on-behalf-of tokens and Service Accounts the client is now able to be used to handle requests which will make use of both of these new features. Now, when the client executes a request which requires an extension to use an on-behalf-of token, the first step of handling the request is the forwarding of the request to the Security Plugin. In the Security Plugin, the request is authenticated and authorized against the active user. If the active user is permitted, the request returns to OpenSearch’s core code base where a request to create an on-behalf-of for the target extension using the active user’s identity is created. This request to generate the on-behalf-of token is then handled by the Extensions acting on their own behalf also make use of the client exposed by OpenSearch. When an extension is first initialized in OpenSearch, the In both on-behalf-of and Service Account token request flows, the |
@RyanL1997 went through the OBO write up and made some style changes otherwise everything looks good. I will do similar with the Service Account write up. |
|
Removing 2.11 label as this is being tracked for 2.12 now. |
Closing this due to the merge of opensearch-project/documentation-website#5123 and the release of |
Description
This is issue is targeting on providing the guidance for the feature of Service Accounts and On Behalf Of Authentication. General design details from internal threat model document can be transferred to here as the guidance for documentation work on our doc website. So, let's using the comment section of this issue to capture all these informations with all the latest design changes.
Exit Criteria
Having the following portions of guidance:
On Behalf Of Authentication:
Service Account
References
The text was updated successfully, but these errors were encountered: