Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Api token authc/z implementation with Cache #4992

Open
wants to merge 19 commits into
base: feature/api-tokens
Choose a base branch
from
Open

Api token authc/z implementation with Cache #4992

wants to merge 19 commits into from
+1,373 −240

Conversation

derek-ho
Copy link
Collaborator

@derek-ho derek-ho commented Dec 24, 2024
edited
Loading

Description

This PR implements authc/z for api tokens. For authc it is based on token validity for as well as presence in a cache, which listens to index and delete operations on the api token index. For Authz, it onboards onto action privileges class, where instead of returning not authorized for cluster and index privileges, requests go through a final api token check, where if the user is an api token, it will evaluate whether the permissions in the cache are sufficient to execute the request.

Issues Resolved

[List any issues this PR will resolve]

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@derek-ho derek-ho changed the title Naive cluster permission authz and authc based on token validity Naive authc+z api token implementation Dec 26, 2024
@codecov Codecov
Copy link

codecov bot commented Dec 26, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 55.76324% with 142 lines in your changes missing coverage. Please review.

Project coverage is 71.24%. Comparing base (0edba23) to head (9fcb720).
Report is 10 commits behind head on feature/api-tokens.

Files with missing lines Patch % Lines
...arch/security/action/apitokens/ApiTokenAction.java 2.50% 39 Missing ⚠️
...pensearch/security/http/ApiTokenAuthenticator.java 58.97% 22 Missing and 10 partials ⚠️
...urity/action/apitokens/ApiTokenUpdateResponse.java 0.00% 14 Missing ⚠️
...ction/apitokens/TransportApiTokenUpdateAction.java 22.22% 14 Missing ⚠️
...ensearch/security/privileges/ActionPrivileges.java 85.91% 4 Missing and 6 partials ⚠️
...curity/action/apitokens/ApiTokenUpdateRequest.java 0.00% 6 Missing ⚠️
...earch/security/auditlog/impl/AbstractAuditLog.java 40.00% 3 Missing and 3 partials ⚠️
...y/action/apitokens/ApiTokenUpdateNodeResponse.java 0.00% 4 Missing ⚠️
...nsearch/security/action/apitokens/Permissions.java 60.00% 4 Missing ⚠️
...curity/privileges/PrivilegesEvaluationContext.java 77.77% 3 Missing and 1 partial ⚠️
... and 4 more
Additional details and impacted files

Impacted file tree graph

@@                  Coverage Diff                   @@
##           feature/api-tokens    #4992      +/-   ##
======================================================
- Coverage               71.46%   71.24%   -0.22%     
======================================================
  Files                     334      347      +13     
  Lines                   22552    23190     +638     
  Branches                 3590     3667      +77     
======================================================
+ Hits                    16117    16522     +405     
- Misses                   4642     4847     +205     
- Partials                 1793     1821      +28
Files with missing lines Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java 83.65% <100.00%> (+0.09%) ⬆️
...opensearch/security/action/apitokens/ApiToken.java 91.30% <100.00%> (ø)
...ecurity/action/apitokens/ApiTokenUpdateAction.java 100.00% <100.00%> (ø)
...g/opensearch/security/authtoken/jwt/JwtVendor.java 86.66% <ø> (-2.43%) ⬇️
...g/opensearch/security/ssl/util/ExceptionUtils.java 45.83% <100.00%> (+2.35%) ⬆️
...a/org/opensearch/security/util/AuthTokenUtils.java 66.66% <100.00%> (+4.16%) ⬆️
...search/security/securityconf/impl/v7/ConfigV7.java 83.55% <0.00%> (-0.63%) ⬇️
.../security/action/apitokens/ApiTokenRepository.java 95.74% <93.93%> (ø)
...search/security/identity/SecurityTokenManager.java 81.03% <33.33%> (-8.33%) ⬇️
...y/action/apitokens/ApiTokenUpdateNodeResponse.java 0.00% <0.00%> (ø)
... and 10 more

... and 5 files with indirect coverage changes

derek-ho
derek-ho commented Dec 31, 2024
View reviewed changes
src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
originalSource = (new String(BaseEncoding.base64().decode((String) base64), StandardCharsets.UTF_8));
} else {
originalSource = XContentHelper.convertToJson(originalResult.internalSourceRef(), false, XContentType.JSON);
if (originalSource == null) {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes in this file are to correct a mis-merge that happened in prior PRs to this feature branch.

@derek-ho derek-ho marked this pull request as ready for review December 31, 2024 21:57
@derek-ho derek-ho changed the title Naive authc+z api token implementation Api token authc/z implementation with Cache Dec 31, 2024
cwperks
cwperks reviewed Jan 2, 2025
View reviewed changes
src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java Outdated
@@ -45,7 +46,7 @@ public class PrivilegesEvaluationContext {
private final IndexResolverReplacer indexResolverReplacer;
private final IndexNameExpressionResolver indexNameExpressionResolver;
private final Supplier<ClusterState> clusterStateSupplier;

private final ApiTokenIndexListenerCache apiTokenIndexListenerCache = ApiTokenIndexListenerCache.getInstance();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why add this to PrivilegesEvaluatorContext?

I think this should be handled similarly to the security configCache from ConfigurationRepository: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that security uses a publish-subscribe model to notify consumers about changes to the security config. See BackendRegistry.onDynamicConfigModelChanged for an example of a subscriber.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason why I am adding the instance to the context is for evaluation within the authz flow. I am not sure if the publish/subscribe model would work well for api tokens, which seems to be different than the other roles within the cluster. I feel like it is wrong to hook it up such that the actionprivileges need to be re-computed for all roles in the cluster on creation of a new api token (which does not affect the existing roles of the cluster). That is why I went forward with the instance approach that can be modified under the hood without re-computation of the other roles datastructures. Is there any concern with this instance approach other than not following the patterns existing within the security repo?

Copy link
Member

@cwperks cwperks Jan 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This class is reserved for the context necessary to evaluate privileges on the currently executing ActionRequest. This class may need modification, but can we limit it to the smallest amount of what is required to evaluate privileges for the request? i.e. only the permissions of the token being utilized?

@cwperks cwperks mentioned this pull request Jan 3, 2025
Closed
5 tasks
@derek-ho
Use transport action
bc8aacf 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Cleanup tests and constants
b90bae9 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Fix test
552aeda 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho derek-ho mentioned this pull request Jan 10, 2025
Open
5 tasks
cwperks
cwperks reviewed Jan 13, 2025
View reviewed changes
src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java Outdated

@Test
public void apiToken_explicit_failsWithWildcard() throws Exception {
SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.fromYaml("test_role:\n" + //
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the roles in this are unused, can we use SecurityDynamicConfiguration.empty(CType.ROLES); instead?

cwperks
cwperks reviewed Jan 13, 2025
View reviewed changes
src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java Outdated
@@ -172,4 +173,8 @@ public String toString() {
+ mappedRoles
+ '}';
}

public ApiTokenIndexListenerCache getApiTokenIndexListenerCache() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO Cache is an implementation detail. The class should be about accessing metadata about the tokens like the permissions associated with a token.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See ConfigurationRepository which has methods for accessing the security configuration (from the security index or from the cache). I think repository is a good name here to let the caller of the class know that its used to access info about the security configuration.

@derek-ho
PR review
d9cf78d 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Spotless
d7b7e47 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Fix tests
6571d9d 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
PR review
9fcb720 
Signed-off-by: Derek Ho <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwperks cwperks cwperks left review comments

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@nibix nibix Awaiting requested review from nibix nibix is a code owner

@peternied peternied Awaiting requested review from peternied peternied is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@derek-ho @cwperks