[META] Service Accounts

[stephen-crawford]

This tracking issue describes a feature where applications (plugins/extensions) make use of service accounts when completing actions outside the context of an impersonated user.

Service Accounts will officially become a context where there is enforcement of permissions and it is possible to determine the context an application is operating under.

Design

• Service account design question and issue tracking #2596
• How will user names and service account name collisions be handled? #3200

Implementation

• [FEATURE] Add token manager to security plugin  #2939
• [Extensions] Filter internal users for Service Accounts and add associated API #2704

Integration

• [Extensions] Connect auth token generator to service accounts  #2611
• [Extensions] Core-side API to get auth token for service account  #2646
• [FEATURE] Grant a Service Account to an Extension on bootstrap  #2942
  • Issue and ferry a Service Account Token to an Extension on bootstrap #3176
  • Plugin service accounts OpenSearch#8526

Release criteria

• Limit Service Account permissions #3201
• Backport Service Account into 2.x branch #3557
• Service Accounts internal security review process #3199

Follow up

• [FEATURE] Grant a Service Account to a Plugin on bootstrap  #2941
• [FEATURE] Implement permission model of service accounts  #2943

[stephen-crawford]

[Triage] This is a tracking issue for work being done in core around Identity.