[Backport 2.x] Feature OnBehalfOf Authentication #3563

Merged
merged 8 commits into from
Oct 19, 2023

Collaborator

@RyanL1997 RyanL1997 commented Oct 18, 2023

Description

Backport feature OnBehalfOf Authentication into 2.x branch

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
    New feature

Issues Resolved

To completely resolve the above issue, we still need to backport #3421 into the 2.x branch. However, since that change also includes something unrelated to OBO Auth, we will backport that separately.

Testing

Unit Tests + Integration Tests included

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Ryan Liang <jiallian@amazon.com>
@RyanL1997 RyanL1997 changed the title JwtVendor ready in 2.x [Backport 2.x] Feature OnBehalfOf Authentication Oct 18, 2023
codecov bot commented Oct 18, 2023

Codecov Report

Merging #3563 (94899b0) into 2.x (89910d9) will increase coverage by 0.15%.
Report is 7 commits behind head on 2.x.
The diff coverage is 76.24%.

@@             Coverage Diff              @@
##                2.x    #3563      +/-   ##
============================================
+ Coverage     64.71%   64.86%   +0.15%     
- Complexity     3524     3598      +74     
============================================
  Files           274      281       +7     
  Lines         20044    20382     +338     
  Branches       3346     3374      +28     
============================================
+ Hits          12971    13221     +250     
- Misses         5406     5490      +84     
- Partials       1667     1671       +4     
Files Coverage Δ
...mazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java 80.00% <100.00%> (-2.36%) ⬇️
.../opensearch/security/OpenSearchSecurityPlugin.java 84.69% <100.00%> (+0.11%) ⬆️
.../org/opensearch/security/auth/BackendRegistry.java 62.54% <100.00%> (-0.30%) ⬇️
...rg/opensearch/security/auth/HTTPAuthenticator.java 100.00% <100.00%> (ø)
...urity/auth/internal/NoOpAuthenticationBackend.java 85.71% <100.00%> (+5.71%) ⬆️
...arch/security/configuration/ClusterInfoHolder.java 68.18% <100.00%> (+2.32%) ⬆️
...ch/security/securityconf/DynamicConfigFactory.java 54.85% <100.00%> (+0.25%) ⬆️
...arch/security/securityconf/DynamicConfigModel.java 100.00% <ø> (ø)
.../org/opensearch/security/user/AuthCredentials.java 71.01% <100.00%> (+2.26%) ⬆️
...ch/security/securityconf/DynamicConfigModelV6.java 0.00% <0.00%> (ø)
... and 10 more

... and 21 files with indirect coverage changes

Signed-off-by: Ryan Liang <jiallian@amazon.com>
@RyanL1997 RyanL1997 added the v2.12.0 Items targeting 2.12.0 label Oct 18, 2023
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
willyborankin previously approved these changes Oct 19, 2023
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
@RyanL1997 RyanL1997 merged commit 587d747 into opensearch-project:2.x Oct 19, 2023
58 checks passed
stephen-crawford pushed a commit that referenced this pull request Oct 24, 2023
…uth backend and add Privileged Action for `JwtParserBuilder ` (#3579)

### Description
Switch to `supportsImpersonation` check for http auth backend + wrap
JwtParserBuilder with `doPrivileged`

Reference to @cwperks's
[comment](#3563 (comment)):
>As a default implementation the authDomain could have:
>
>```
>default boolean supportsImpersonation() { return true; }
>```
>
>and any authDomain that does not support it can override:
>
>```
>@Override
>public boolean supportsImpersonation() { return false; }
>```

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)
Enhancement

### Issues Resolved
* Related #3563

Is this a backport? If so, please add backport PR # and/or commits #
It has already been included in `2.x` 

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Ryan Liang <jiallian@amazon.com>