Is your feature request related to a problem? Please describe
Implement security features and integrate with the OpenSearch security plugin for production readiness of the experimental gRPC transport. It should be the case that security settings for the existing http transport map cleanly onto the newly introduced grpc-transport, providing configurable TLS for this new transport implementation.
Security Requirements
TLS/Certificate Management
- Enable selection of an experimental-secure-transport-grpc aux transport type from the transport-grpc plugin.
- Provide a distinct namespace for aux transport security settings within the security plugin.
  In keeping with previous transport settings: https://opensearch.org/docs/latest/security/configuration/tls/
  Aux transports should have keystore and truststore configurable under the plugins.security.ssl.aux prefix.
- Allow users to enable experimental-secure-transport-grpc SSL only TLS.
- Enable experimental-secure-transport-grpc handling of pemkey/keystore configurations from security plugin.
- Enable experimental-secure-transport-grpc handling of pemtrust/truststore configurations from security plugin.
Reach goals:
- Enable hot reloading of SSL context/engine for aux transports.
- Enable separate client/server role configurations for aux transports which plan to make node-to-node requests.
Authentication/Authorization
*Authorization is not covered by this issue and will need to be handled in a follow-up when the API structure is known for this plugin.*
Related component
Plugins
Describe alternatives you've considered
Leaving the grpc-transport unsecured.
Additional context
No response
Roadmap
- experimental-secure-transport-grpc to gRPC plugin. Enable TLS for Netty4GrpcServerTransport #17796
- plugins.security.ssl.aux keystore and truststore settings to security plugin. TLS support for auxiliary transports security#5375
- TLS support for auxiliary transports security#5375
- TLS support for auxiliary transports security#5375
- [Feature Request] Separation of auxiliary transport SSL configurations #17795
- Moving to separate issue: [FEATURE] Enable hot reload of gRPC certificates security#5531