Identity and access control foundation for OpenSearch

[peternied]

Description

Adding a new module and plugin interface that provides identity and access control inside of OpenSearch. This is the founding building block, see more high level thoughts here on our recent blog.

The new extension point, IdentityPlugin, is added with IdentityService handling that plugin interface. IdentitySevice authenticates users and enables access control systems. Adding HTTP basic authentication in the RestController the default NoopIdentityPlugin changes no behavior.

When the identity feature flag is enabled the identity-shiro module is loaded into the IdentityService. This implementations includes an admin user backed through the Apache Shiro system. By partitioning these features through a plugin interface it isolate the dependencies if we ever switch out the underlying library.

Project tracking addition features and functionality

• https://github.com/orgs/opensearch-project/projects/89?pane=info

Outstanding Changes

• Integration testing
• Unit testing

Issues Resolved

• Closes Initial Identity in OpenSearch #5880
• Related [META] Identity in OpenSearch #5834

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff
• Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[peternied]

FYI @opensearch-project/security Please take a look, this is a departure in a couple important ways from what we were doing on the feature branch. I'm going to keep iterating on the todo list, please feel free to comment on things in this pull request or for functionality on the todo list as well.

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/9556/
• CommitID: 930d667
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[peternied]

@dbwiddis @saratvemulapalli What do you think of adding a new plugin interface, this would be notable since the identity plugin should not be supported via the extensions interface performance would be a killer?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/9559/
• CommitID: 798cd2b
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[dbwiddis]

What do you think of adding a new plugin interface ... extensions interface performance would be a killer?

This seems to overly simplify the trade-offs here. We have three locations we can put things: extensions, plugins, or directly in core. I think some/most of the identity functionality should be present in core. What's the use case for putting it in a plugin rather than core?

There might be room for some extensions interacting with identity providers (providing SSO, etc.). Sign-in would generally be a one-time thing where a few milliseconds may not matter as much, while core/plugin would be better for repeated checks during operation.

[cwperks]

@peternied looking at this now. This is a bit of a deviation of what is in feature/identity already, can you elaborate on the differences?

@dbwiddis I'll explain the current thinking and state of the feature/identity branch. So far in feature/identity there are core identity features like an internal IdP (a list of users persisted in an OpenSearch system index), basic and bearer auth handling of requests, APIs for interacting with identity inside of plugins and core and soon-to-be REST APIs for interacting with the internal IdP (create/delete User, change password, update User, whoami) and preliminary work on granting permissions.

The way it is organized is in a library (sandbox/lib/opensearch-authn) and a module (sandbox/modules/identity). These are both sandboxed which is where the developer guide advises to put experimental code: https://github.com/opensearch-project/OpenSearch/blob/main/DEVELOPER_GUIDE.md#sandbox. Modules are features that are shipped with OpenSearch by default and are not optional the way that plugins are: https://github.com/opensearch-project/OpenSearch/blob/main/DEVELOPER_GUIDE.md#modules

The library contains the APIs for interacting with security conveniently. This will provide richer APIs for interacting with security than common-utils. This would include methods like Identity.getAuthManager.getSubject() and currentSubject.isPermitted(requestedPermission) which can be used inside of core or plugins to check permissions which currently does not exist.

The identity module is where the internal implementation of security is located and it does use the current plugin extension points of the security plugin to implement REST request authentication via ActionPlugin.getRestHandlerWrapper, register new API actions for interacting with the IdP, register an ActionFilter for authorization, register settings and defining a system index.

This is from the developer guide on modules in OpenSearch:

Features that are shipped with OpenSearch by default but are not built in to the server. We typically separate features from the server because they require permissions that we don't believe all of OpenSearch should have or because they depend on libraries that we don't believe all of OpenSearch should depend on.

We haven't run into any issues building identity as a module, but there's active discussion around leveraging existing extension points vs putting the implementation directly in server.

[peternied]

Basic authentication is working

[2023-01-20T23:43:24,741][INFO ][o.o.r.RestController     ] [runTask-0] Logged in as user ShiroSubject(principal=StringPrincipal(name=admin))

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/9702/
• CommitID: 3642a2f
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[peternied]

This is a bit of a deviation of what is in feature/identity already, can you elaborate on the differences?

Yes - we are in heavy-prototyping in the feature branch - which is great. However, following the model established by the extensions team, I want to go directly into what I'd expect to be the final resting place of the identity code and associated module(s). I know this is going to create some complex merge issues in feature/identity, but I've stripped out features that we are not ready to merge into main yet.

Setting aside package naming and file placement, I've created the IdentityPlugin interface to describe the extensibility model, IdentityModule handles picking up the plugin and accessing the functionality throughout the server codebase.

[DarshitChanpura]

@peternied This PR is a good segue into "identity as core feature". Is that the long term vision for this feature? If so how should the task priorities be considered for future development.

[peternied]

Is that the long term vision for this feature?

Yes! This is a refinement of the work done in features/identity [^1] to a digestible chunk of functionality. I'm borrowing heavily from the work recently done by @ryanbogan to integrate extensions which have a similar trajectory.

If so how should the task priorities be considered for future development.

This is a good topic for the meta issue [^2] around this work, but I would say the project board's readme captures the current status the best [^3]

• [^1] https://github.com/opensearch-project/OpenSearch/blob/feature/identity
• [^2] [META] Identity in OpenSearch #5834
• [^3] https://github.com/orgs/opensearch-project/projects/89/views/1?pane=info

[peternied]

@dbwiddis This seems to overly simplify the trade-offs here. We have three locations we can put things: extensions, plugins, or directly in core. I think some/most of the identity functionality should be present in core. What's the use case for putting it in a plugin rather than core?

Security evolved outside of core for many years - there are many external implementations of identity and access controls built as plugins. While we own the Security plugin in this project, there are others customers that want to keep using alternative implementations.

By having the a plugin layer it will protect us from ourselves from too much coupling as we iterate. I recently pushed an implementation of this interface I'd be curious what you think of the module and its separation of responsibility.

[cwperks]

The DefaultSecurityManager will create sessions by default. This will not be stateless as basic auth should be.

[stephen-crawford]

I left some comments places with general notes and a couple of things to check.

[stephen-crawford]

Is this supposed to be a TODO or is that part of the getInternalUser call?

[stephen-crawford]

Should we be including this into main? It seems like this section is still a work in progress.

[stephen-crawford]

Should this be removed?

[peternied]

I need to fix these tests before I can merge, they should be uncommented before then. The TODO above captures

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/9798/
• CommitID: d444768
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[RyanL1997]

Do we have the lint check for this PR? As Stephen mentioned above, it seems like we are missing some of the additional line space at end of couple files.

[peternied]

Do we have the lint check for this PR? As Stephen mentioned above, it seems like we are missing some of the additional line space at end of couple files.

This pull request is in draft and fixing all CR checks will be required to merge. I'll get around to these, but the functionality is where I am concentrating my efforts.

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/10018/
• CommitID: 57f495b
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/10609/
• CommitID: 81af972
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[peternied]

@reta @nknize @saratvemulapalli I haven't seen any comments - I'm going to flush out the all test and get gradle check passing without waiting on any more feedback.

[reta]

I think this module will be an ideal candidate for sandbox ?

[peternied]

There are a couple of ways to introduce non-GA features into OpenSearch, sandbox changes the build output which is easy to test locally, but difficult from the distribution channels. Using feature flags was recently introduced and is easier to control outside this repository. What do you think of this tradeoff to include the module but have it disabled via feature flag?

OpenSearch/server/src/main/java/org/opensearch/common/util/FeatureFlags.java

Line 60 in 81af972

public static final String IDENTITY = "opensearch.experimental.feature.identity.enabled";

[reta]

I believe there are 2 parts to it:

• the core support (new plugin interfaces), this could be good candidate for feature flags
• the new experimental plugin (like this one), this could go to sandbox

[peternied]

👍 I'll move the module into sandbox

[andrross]

sandbox changes the build output which is easy to test locally, but difficult from the distribution channels

@peternied Feel free to weigh in on #3677

[reta]

We probably could remove the @ThreadLeakScope(ThreadLeakScope.Scope.NONE), the thread leaks have to be detected

[peternied]

Done

[reta]

👍 totally agree, we should not hardcode

[reta]

@reta @nknize @saratvemulapalli I haven't seen any comments - I'm going to flush out the all test and get gradle check passing without waiting on any more feedback.

My apologies @peternied , didn't have time today, did a quick pass but will take a closer look tomorrow, thank you

[reta]

These changes are not related, right?

[peternied]

Bad merge, cleaning up...

[reta]

The authToken is not used here

[peternied]

Good call, cleaning this up.

[reta]

I don't think you need StatelessDAO class, you could just disable session storage (and consequently, the cache if needed):

        final DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
        evaluator.setSessionStorageEnabled(false);

        final DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        subjectDAO.setSessionStorageEvaluator(evaluator);
        setSubjectDAO(subjectDAO);

[peternied]

Thanks for the example, using this.

[reta]

Could either authTokenHandler or subject be null?

[peternied]

They shouldn't be, adding Objects.requireNonNull(...) to ensure this

[reta]

The password is not needed, you convert from char[] to String and back to char[], just use userToken.getPassword() directly

[saratvemulapalli]

+1

[peternied]

Done

[reta]

is this comment still valid?

[peternied]

Nope, removing

[reta]

token could be null here, better to check

[peternied]

Fixed

[reta]

Where this test case is used?

[reta]

This seems to be very limited set of possible principals, I think we should not model it as an enumeration but constants:

public final class BuiltinPrincipals {
    public static final Principal UNAUTHENTICATED = new StringPrincipal("Unauthenticated");
}

[peternied]

I think enums are much more expressive and flexible. I'd like to leave it in, we can clean it up if its cumbersome with further implementation.

[reta]

Enums imply closed set of choices - this is not the case here

[reta]

Should we rename it to UsernamePrincipal instead? StringPrincipal is definitely not giving the context what this principal is about.

[peternied]

To me user implies human, I think we will be using this object to represent segments of the OpenSearch runtime. I believe we will replace many of the ThreadPool.Names with these principals to limit the kinds of access those thread have.

[reta]

Ok, what about NamedPrincipal?

[reta]

I think we should remove the tokenTypeTruncated, it would output weird token types (for example, imagine Digest ... here)

[peternied]

In a debugging scenario, I think seeing those weird token times would be useful if you were expecting the request to authenticated and wasn't sure why. What do you think?

[reta]

I mean, in debugging you could always say that the auth header was not Basic (if you ever need to do that).

[reta]

Could getSubject() return null vaues? If yes, we have to reconsider the API and return Optional<Subject> instead

[peternied]

Subject should never be null.

[reta]

@NotNull on return type?

[saratvemulapalli]

@reta @nknize @saratvemulapalli I haven't seen any comments - I'm going to flush out the all test and get gradle check passing without waiting on any more feedback.

Sorry for not getting back on this, I am resurfacing from hibernation :).
Looking now..

[saratvemulapalli]

Lot of barebones and learning to understand Shiro.
These 2 resources helped me learn:

• https://shiro.apache.org/tutorial.html
• https://shiro.apache.org/architecture.html

Couple of questions and dropped few comments:

• What are your thoughts on re-using existing security plugins authn/authz mechanisms.
  Can we write realms to use all of our business logic we have already built
• I dont see compliance built into the framework, how do you plan to handle it (atleast to start with audit logging).

[saratvemulapalli]

This is assuming changes will not be available in OpenSearch 2.x.
Is that the intention?

[peternied]

Thanks for noticing, I've moved this into the Unreleased 2.x section.

This document is confusing to work with for the first time.

[saratvemulapalli]

No opinions, trying to understand: Looks like a utility class. This class doesn't have any state, probably can we go static?
Are there more implementations which will end up here?

[peternied]

Non static so this class can be dependency injected easily.

[saratvemulapalli]

super nit:

Suggested change

	* Translates shiro auth token from the given header token
	* Translates into shiro auth token from the given header token

[peternied]

Thanks!

[saratvemulapalli]

Isn't authTokenHandler for all subjects the same for OpenSearch?
Does it have to be a member for each subject?

[peternied]

Passing via constructor for dependency injection / testing - is there a convention to follow for classes that aren't guice injected but use DI?

[saratvemulapalli]

+1

[saratvemulapalli]

How do we plan to integrate this with existing security plugin users:

• For new clusters, read through the yml configs and populate them.
• For existing clusters which already has loaded yml configs, load it from security system index.

[peternied]

We've got tasks for building up the UserService and management APIs - when we work on #5883 all these pieces will be included.

[saratvemulapalli]

Do you plan to have multiple realms for OpenSearch (one for authn and one for authz)?

[peternied]

No plans for multiple realms.

[saratvemulapalli]

This is clean!!!

[saratvemulapalli]

I would prefer moving this to L406, lets not get to handleAuthenticateUser if the feature is not enabled.

[peternied]

Moved

[saratvemulapalli]

By default we should always false and return true only when the subject is authenticated (at L537)

[peternied]

Authentication didn't fail so this is accurate, see the other commment thread in this file https://github.com/opensearch-project/OpenSearch/pull/5925/files#r1089137958. Adding a comment in the code that clarifies.

[peternied]

I'll do the migration to sandbox and the test fixes fast following this most recent push

[peternied]

Thanks for noticing, I've moved this into the Unreleased 2.x section.

This document is confusing to work with for the first time.

[peternied]

Bad merge, cleaning up...

[peternied]

Done

[peternied]

Non static so this class can be dependency injected easily.

[peternied]

Thanks!

[peternied]

Subject should never be null.

[peternied]

Moved

[peternied]

This method is authenticate - not authorize. Consider anonymous scenarios, maybe calls like cluster health would be allowed for anonymous requests. These authorizing calls would happen at lower layer where details about the resource associated with the request is against can factor in 403 or allow.

Note; authorization is not included in this change.

[peternied]

Adding this as a comment in the code

[peternied]

Authentication didn't fail so this is accurate, see the other commment thread in this file https://github.com/opensearch-project/OpenSearch/pull/5925/files#r1089137958. Adding a comment in the code that clarifies.

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/11329/
• CommitID: a9b4f0d
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[peternied]

This change was merged as part of the following pull request

• [Extensions] Introduce Identity Plugin to Core #7246