-
Notifications
You must be signed in to change notification settings - Fork 477
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introducing Identity for OpenSearch blog post #1149
Conversation
Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]>
Adding identities image Signed-off-by: Peter Nied <[email protected]>
@opensearch-project/security Could you take a look at how we are presenting identity more broadly to the community? If anyone else wants to get an authorship credit happy to get additional contributors - let me know! |
Actions have an existing protection model – resources of a plugin do not, they must be implemented by each plugin developer separately. Being able to use shared systems for secure access and standard permissions schemes will make adding security features faster with fewer bugs. | ||
|
||
## How to learn more? | ||
Identity features are being built in a feature branch of OpenSearch, features/identity [4]. Roadmaps, documentation, findings, and functionality are in active development of that feature branch. Beginning in December there will be a monthly check-in during the OpenSearch community meeting. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@krisfreedain We've discussed a series of presentations/participation in the community meetings that I've hand-waved into this doc. What do you think of the proposal for a monthly update in the community meeting, or is there another format/audience that would better suit this discussion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@krisfreedain Any thoughts?
@peternied Awesome job on this and can't wait to see what comes out of the community discussions! Here's some questions and maybe not so relevant feedback:
Hopefully this is the type of feedback you were looking for and makes sense 😅 |
Great feedback @shanilpa
Oh- good catch. I am referring only to the back-end components in this doc - do you have a recommendation on how I could position the document to make that clear? The front-end ecosystem can certainly use these identities through new APIs. Features for relationship management/sharing scenarios are out of scope for what is planned in the roadmaps - but they could be developed in parallel with the existing security plugin features.
I'll reword to highlight these concepts to be more approachable
I'll do a pass to reword/simplify if you could make comments inline where you have specific suggestions that will make sure I don't miss anything. I'm showing my bias toward complex language
The sources are that bulleted list - but this might be a way I could set up the conceptual model. Ultimately everything is done by users, but sometimes the user does something directly via an API call, and other times they use a 3rd party system to make an API call. IMO we should be able to treat those differently.
I'll expand as well and add a citation to the existing permissions documentation for those that want to dig in. |
Tentatively scheduled for publication on 12/6/2022. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Finished a first pass. Thank you for putting this together and making it public @peternied ! I am really looking forward to community input on this initiative.
Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some general comments on the structure of the blog. I'll be available to clarify anything or discuss further, if it helps. Looking forward to seeing this rolled out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peternied Thank you for adding this blogpost. Here are my initial thoughts:
Signed-off-by: Peter Nied <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks everyone for the great feedback, I've restructured the document trying to balance all of this into account. Even if you don't see your individual line item updates, know that I've got like four more technical docs brewing that will use that feedback - so thank you!
Housekeeping wise - pushed this out to a much more achievable mid-January timeframe.
Actions have an existing protection model – resources of a plugin do not, they must be implemented by each plugin developer separately. Being able to use shared systems for secure access and standard permissions schemes will make adding security features faster with fewer bugs. | ||
|
||
## How to learn more? | ||
Identity features are being built in a feature branch of OpenSearch, features/identity [4]. Roadmaps, documentation, findings, and functionality are in active development of that feature branch. Beginning in December there will be a monthly check-in during the OpenSearch community meeting. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@krisfreedain Any thoughts?
Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the update @peternied! I took a first pass and focused more on high-level content.
I like the conciseness of the post. It conveys a lot of information for a short blog post.
There are a couple of paragraphs that I think could use a bit of improvement when it comes to flow, but the core idea comes across in the post.
Through the post, there are a lot of mentions of extensions and it left me wondering if maybe we can describe it as a paradigm shift
for OpenSearch which spurs the need to rethink security for OpenSearch. Lately, I have been describing the work as building a platform
and the security features necessary to operate the platform securely.
|
||
As the core OpenSearch project begins its shift away from a plugin model to a framework that utilizes extensions, those extensions, its legacy plugins, and the administrators who manage them will need mechanisms for controlling access that are more granular and able to cover a broader range of scenarios where effective access control is critical. We are creating/building out/developing a new suite of features that are designed to provide comprehensive access control to OpenSearch’s ecosystem, and we collectively call these new features Identity. | ||
|
||
The main objectives for Identity include: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🙌 I like this structure of listing high-level objectives and diving into each one. These are my main takeaways when reading the post.
Signed-off-by: Peter Nied <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM from security developer point of view
@peternied - Please update the publish date for this blog to 1/18/2023. Also, please add front matter to this blog. It should be included just below the title, author, and date at the top of the blog. Here's the content: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peternied @cwillum Please see my comments and changes and let me know if you have any questions or would like to discuss. Thanks!
Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Co-authored-by: Nate Bower <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
@natebower Thanks for all the great feedback; I've made all of those updates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peternied Just a few more minor changes and you should be good to go.
|
||
And since we operate in the open-source community, we’d like to learn about your ideas and benefit from your contributions as we make progress. | ||
|
||
Watch for further blog posts on specific identity and access control features, and join us for community meetings. Furthermore, you can stay informed of development by visiting the following resources in the OpenSearch repository: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still think it would be a good idea to provide links to where the reader can submit their ideas or join a community meeting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a feedback link
Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Co-authored-by: Nate Bower <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@pajuric @krisfreedain Approved and ready to publish. |
@peternied - Looks like the meta description and keywords fell off the post. Please confirm they are included before publishing. |
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
@pajuric I've added those fields, let me know if that captures what you are looking for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peternied - two minor edits requested - thanks!
Signed-off-by: Peter Nied <[email protected]>
@krisfreedain I've made those updates, thanks |
Description
Introducing Identity for OpenSearch blog post
Issues Resolved
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the BSD-3-Clause License.