Support for FIPS compliance mode #14912
Conversation
|
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
changed the title
beanuwave
force-pushed
the
fips_compliance2
branch
from
8e8ed47
to
6016d5d
Compare
|
❌ Gradle check result for 8e8ed47: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
requested review from
peternied,
anasalkouz,
andrross,
ashking94,
Bukhtawar,
CEHENKLE,
dblock,
dbwiddis,
gbbafna,
kotwanikunal,
mch2,
msfroh,
nknize,
owaiskazi19,
reta,
Rishikesh1159,
sachinpkale,
saratvemulapalli,
shwetathareja,
sohami and
VachaShah
as code owners
There was a problem hiding this comment.
What is the use case of the identity-shiro plugin inside OpenSearch? Is it used as an alternative to the security plugin for authentication or does it have a different use?
As far as I understand we will need to add support for PBKDF2 to this plugin as BCrypt itself is not FIPS validated.
There was a problem hiding this comment.
Yes this is also mine understanding what identity-shiro plugin/adapter is used for. As we do not really rely on BCrypt algo implementation here, it can be replaced by PBKDF2WithHmacSHA256 or similar.
Sidenote: most of the code is just copy&paste from OS security module, as it has password4j BCrypt hashing and matching for password, related to FIPS compliance.
There was a problem hiding this comment.
@dancristiancecoi IMO identity-shiro should be placed sanbox/plugins or sandbox/modules. Its an example implementation of an experimental IdentityPlugin.
Relevant issue: #5834
There was a problem hiding this comment.
Thanks for the clarification @cwperks !!
|
Could use some help maybe from @cwperks or @peternied reviewing this, please. |
| @@ -1182,6 +1182,7 @@ private void createConfiguration() { | |||
| baseConfig.put("indices.breaker.total.use_real_memory", "false"); | |||
| // Don't wait for state, just start up quickly. This will also allow new and old nodes in the BWC case to become the master | |||
| baseConfig.put("discovery.initial_state_timeout", "0s"); | |||
| baseConfig.put("fips.approved", "true"); | |||
There was a problem hiding this comment.
When we proposed a similar flag previously we were encouraged not to use boolean flags to control behaviour like this opensearch-project/security#3420 (comment)
There was a problem hiding this comment.
I am of the opinion that this is fine, in this case, I am not sure what greater configuration would make sense. Unless you can provide different approvers or something, there is no reason for this not to be a boolean.
peternied
changed the title
|
@beanuwave I've marked this pull request as 'draft' in GitHub, feel free to keep iterating and let us know if there is anything you'd like attention on. I'll keep and eye out, but I'll give it a more detailed look when you've marked this change as |
I have replied at opensearch-project/security#4588 (comment) |
|
❌ Gradle check result for 84e7aa9: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
All tests are now successfully running without requiring the BC libraries, by leveraging only the SUN and BCFIPS providers. This demonstrates that including BC libraries in the build process is not essential. The next step is to identify which code cannot operate under FIPS approved-only mode and address these limitations. Notably, the following components have constraints under FIPS compliance (as detailed here):
Plugin support remains an uncertain area. However, as long as plugins do not interfere with the SecurityManager and permissions, there should be minimal concern. |
|
❌ Gradle check result for 219e9dc: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
There can be instances when other plugins interfere with the SecurityManager and permissions as described in this comment. |
beanuwave
force-pushed
the
fips_compliance2
branch
from
219e9dc
to
dc753b0
Compare
|
❌ Gradle check result for dc753b0: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for fd825eb: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
force-pushed
the
fips_compliance2
branch
from
fd825eb
to
9bb1591
Compare
|
❌ Gradle check result for 9bb1591: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
force-pushed
the
fips_compliance2
branch
from
9bb1591
to
5ab8df8
Compare
|
❕ Gradle check result for 5ab8df8: UNSTABLE Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure. |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #14912 +/- ##
============================================
+ Coverage 71.74% 71.89% +0.14%
+ Complexity 62904 62900 -4
============================================
Files 5178 5179 +1
Lines 295167 294957 -210
Branches 42679 42636 -43
============================================
+ Hits 211774 212063 +289
+ Misses 66011 65472 -539
- Partials 17382 17422 +40 ☔ View full report in Codecov by Sentry. |
|
❌ Gradle check result for 8e5237f: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Iwan Igonin <[email protected]> # Conflicts: # server/build.gradle
Signed-off-by: Iwan Igonin <[email protected]> # Conflicts: # client/rest/build.gradle # distribution/tools/plugin-cli/build.gradle # server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
Signed-off-by: Iwan Igonin <[email protected]>
Signed-off-by: Iwan Igonin <[email protected]>
Signed-off-by: Iwan Igonin <[email protected]>
…ional tests. Signed-off-by: Iwan Igonin <[email protected]>
Signed-off-by: Iwan Igonin <[email protected]>
beanuwave
force-pushed
the
fips_compliance2
branch
from
8e5237f
to
7e202a2
Compare
|
❌ Gradle check result for 7e202a2: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Description
This PR provides FIPS 140-2 support by replacing all BC dependencies with BCFIPS dependencies and making FIPS approved-only mode configurable at launch. Running application in approved-only mode restricts BCFIPS provoder to rely solely on FIPS certified cyphers. Due to replacement of BC libraries, BCrypt password matching and private-key loading from file were replaced by alternative implementations.
Reasons for refactoring PemUtils.java that is used by Reindex API, in case of migrating data from a remote cluster that is TLS protected:
Related Issues
opensearch-project/security#3420
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.