Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Service account design question and issue tracking #2596

Closed
46 of 47 tasks
Tracked by #2944
stephen-crawford opened this issue Mar 28, 2023 · 1 comment
Closed
46 of 47 tasks
Tracked by #2944

Service account design question and issue tracking #2596

stephen-crawford opened this issue Mar 28, 2023 · 1 comment
Assignees
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@stephen-crawford
Copy link
Contributor

stephen-crawford commented Mar 28, 2023

This issue tracks all the questions and issues associated with supporting permissions for extensions.

NOTE: A checked box means that the linked question has been answered or the linked issue has been resolved.

Questions:

  • [Question] How to determine when a REST request is destined for an extension #2526

    • How to determine if a request is destined for an extension?
      • If a request is destined for an extension the RestHandler will be an instance of RestSendToExtensionAction.
  • [Question] What syntax should extension permissions have and how should they be parsed? #2565

    • What syntax should be used?
      • We will keep the existing permission syntax structure.
    • What parsing method should be used?
      • We will use the existing parsing structure with minimal changes to parse the extension permission type.
  • [Question] How should service account permissions be stored and where? #2566

    • Where should service account permissions be stored?
      • Service account permissions will be stored with internal users for the time being.
    • How should service account permissions be stored?
      • Service account permissions will be stored in the same manner as internal user permissions.
    • Should roles be used for extension service accounts?
      • Extension service accounts will make use of role(s).
    • How should extensions be tracked or managed?
  • [Question] Granting Permissions to Extensions #2552

    • How do extensions get starting permissions?
      • Starting permissions are parsed from the extension's configuration file during installation.
    • How should extensions register ‘predefined’ roles?
      • Custom roles are read from the configuration file during extension installation.
    • How does an admin allow/disallow optional permissions for an extension?
      • There are no optional permissions during an extension's installation process. Additional permissions can be granted by modifying the configuration file or using the internal users API.
    • How and where does the security plugin enforce extension permissions?
      • Enforce extension permissions after the request leaves the extension and returns to the trust zone
  • [Question] How can requests coming from an extension interact with the OpenSearch cluster?  #2572

    • How can an admin grant and revoke service account permissions?
      • Administrators can change permissions for service accounts using the internal user API.
    • How is an extension prevented from elevating its own permissions?
      • Service accounts will not be able to be granted permissions for calling the internal user update API.
    • How does DLS/FLS work for extensions?
      • Service accounts and on-behalf-of tokens will support DLF/FLS, scopes/policies will not.
  • [Question] Service Account Specifications #2597 : Security User Refactor #2594

    • How is extension registration tied to service accounts?
      • Extensions request a service account be created for them immediately on registration.
    • How is a service account represented inside of the Security Plugin?
      • Exactly like a user account except with the attribute "service: true".
    • Is a service account limited/different from normal internal account?
      • For now, service accounts will be treated similarly to user accounts.
    • How can an extension use its service account?
      • The service account will be what an extension acting on its own behalf is authc/authz'd against.
    • Can an extension have more than one service account?
      • For now, service accounts will implicitly be restricted to one per extension since they are tied to the registration process.
    • How to generate passwords for service accounts and recognize them without storing?
      • Randomly generate a password and return it to the extension before storing its hash as part of the internal user.

Issues:

Flow Diagrams:

@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Mar 28, 2023
@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Mar 28, 2023
@stephen-crawford stephen-crawford self-assigned this Mar 29, 2023
@peternied peternied changed the title [META] Question and Issue Tracker for Extension Permissions Service account design question and issue tracking Aug 16, 2023
@peternied
Copy link
Member

Thanks for capturing all of the details here, going to use this as a rollup for all of the design, will use #2944 for the high level meta tracking

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.
Projects
Status: Done
Development

No branches or pull requests

2 participants