Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.x] Feature OnBehalfOf Authentication #3563

Merged
merged 8 commits into from
Oct 19, 2023

Conversation

RyanL1997
Copy link
Collaborator

@RyanL1997 RyanL1997 commented Oct 18, 2023

Description

Backport feature OnBehalfOf Authentication into 2.x branch

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
    New feature

Issues Resolved

For completely resolve the above issue, we still need to backport #3421 into 2.x branch. However, since that change also includes something unrelated to OBO Auth, we will backport that separately.

Testing

Unit Tests + Integration Tests included

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Ryan Liang <jiallian@amazon.com>
@RyanL1997 RyanL1997 changed the title JwtVendor ready in 2.x [Backport 2.x] Feature OnBehalfOf Authentication Oct 18, 2023
@codecov
Copy link

codecov bot commented Oct 18, 2023

Codecov Report

Merging #3563 (94899b0) into 2.x (89910d9) will increase coverage by 0.15%.
Report is 7 commits behind head on 2.x.
The diff coverage is 76.24%.

Impacted file tree graph

@@             Coverage Diff              @@
##                2.x    #3563      +/-   ##
============================================
+ Coverage     64.71%   64.86%   +0.15%     
- Complexity     3524     3598      +74     
============================================
  Files           274      281       +7     
  Lines         20044    20382     +338     
  Branches       3346     3374      +28     
============================================
+ Hits          12971    13221     +250     
- Misses         5406     5490      +84     
- Partials       1667     1671       +4     
Files Coverage Δ
...mazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java 80.00% <100.00%> (-2.36%) ⬇️
.../opensearch/security/OpenSearchSecurityPlugin.java 84.69% <100.00%> (+0.11%) ⬆️
.../org/opensearch/security/auth/BackendRegistry.java 62.54% <100.00%> (-0.30%) ⬇️
...rg/opensearch/security/auth/HTTPAuthenticator.java 100.00% <100.00%> (ø)
...urity/auth/internal/NoOpAuthenticationBackend.java 85.71% <100.00%> (+5.71%) ⬆️
...arch/security/configuration/ClusterInfoHolder.java 68.18% <100.00%> (+2.32%) ⬆️
...ch/security/securityconf/DynamicConfigFactory.java 54.85% <100.00%> (+0.25%) ⬆️
...arch/security/securityconf/DynamicConfigModel.java 100.00% <ø> (ø)
.../org/opensearch/security/user/AuthCredentials.java 71.01% <100.00%> (+2.26%) ⬆️
...ch/security/securityconf/DynamicConfigModelV6.java 0.00% <0.00%> (ø)
... and 10 more

... and 21 files with indirect coverage changes

Signed-off-by: Ryan Liang <jiallian@amazon.com>
@RyanL1997 RyanL1997 added the v2.12.0 Items targeting 2.12.0 label Oct 18, 2023
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
willyborankin
willyborankin previously approved these changes Oct 19, 2023
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
@RyanL1997 RyanL1997 merged commit 587d747 into opensearch-project:2.x Oct 19, 2023
58 checks passed
stephen-crawford pushed a commit that referenced this pull request Oct 24, 2023
…uth backend and add Privileged Action for `JwtParserBuilder ` (#3579)

### Description
Switch to `supportsImpersonation` check for http auth backend + wrap
JwtParserBuilder with `doPrivileged`

Reference to @cwperks's
[comment](#3563 (comment)):
>As a default implementation the authDomain could have:
>
>```
>default boolean supportsImpersonation() { return true; }
>```
>
>and any authDomain that does not support it can override:
>
>```
>@OverRide
>public boolean supportsImpersonation() { return false; }
>```

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)
Enhancement

### Issues Resolved
* Related #3563

Is this a backport? If so, please add backport PR # and/or commits #
It has already been included in `2.x` 

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Ryan Liang <jiallian@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
v2.12.0 Items targeting 2.12.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants