Service account design question and issue tracking #2596

@stephen-crawford

This issue tracks all the questions and issues associated with supporting permissions for extensions.

NOTE: A checked box means that the linked question has been answered or the linked issue has been resolved.

Questions:

  • [Question] How to determine when a REST request is destined for an extension #2526

    • How to determine if a request is destined for an extension?
      • If a request is destined for an extension the RestHandler will be an instance of RestSendToExtensionAction.
  • [Question] What syntax should extension permissions have and how should they be parsed? #2565

    • What syntax should be used?
      • We will keep the existing permission syntax structure.
    • What parsing method should be used?
      • We will use the existing parsing structure with minimal changes to parse the extension permission type.
  • [Question] How should service account permissions be stored and where? #2566

    • Where should service account permissions be stored?
      • Service account permissions will be stored with internal users for the time being.
    • How should service account permissions be stored?
      • Service account permissions will be stored in the same manner as internal user permissions.
    • Should roles be used for extension service accounts?
      • Extension service accounts will make use of role(s).
    • How should extensions be tracked or managed?
  • [Question] Granting Permissions to Extensions #2552

    • How do extensions get starting permissions?
      • Starting permissions are parsed from the extension's configuration file during installation.
    • How should extensions register ‘predefined’ roles?
      • Custom roles are read from the configuration file during extension installation.
    • How does an admin allow/disallow optional permissions for an extension?
      • There are no optional permissions during an extension's installation process. Additional permissions can be granted by modifying the configuration file or using the internal users API.
    • How and where does the security plugin enforce extension permissions?
      • Enforce extension permissions after the request leaves the extension and returns to the trust zone.
  • [Question] How can requests coming from an extension interact with the OpenSearch cluster? #2572

    • How can an admin grant and revoke service account permissions?
      • Administrators can change permissions for service accounts using the internal user API.
    • How is an extension prevented from elevating its own permissions?
      • Service accounts will not be able to be granted permissions for calling the internal user update API.
    • How does DLS/FLS work for extensions?
      • Service accounts and on-behalf-of tokens will support DLS/FLS, scopes/policies will not.
  • [Question] Service Account Specifications #2597 : Security User Refactor #2594

    • How is extension registration tied to service accounts?
      • Extensions request a service account be created for them immediately on registration.
    • How is a service account represented inside of the Security Plugin?
      • Exactly like a user account except with the attribute "service: true".
    • Is a service account limited/different from normal internal account?
      • For now, service accounts will be treated similarly to user accounts.
    • How can an extension use its service account?
      • The service account will be what an extension acting on its own behalf is authc/authz'd against.
    • Can an extension have more than one service account?
      • For now, service accounts will implicitly be restricted to one per extension since they are tied to the registration process.
    • How to generate passwords for service accounts and recognize them without storing?
      • Randomly generate a password and return it to the extension before storing its hash as part of the internal user.

Issues:

Flow Diagrams:

Labels: triaged

Status: Done
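The service account answers under #2597 (one account per extension created at registration, the attribute "service: true", and a random password returned once with only its hash stored) can be sketched as follows. This is an added example, not code from the issue or from the Security Plugin; the `internal_users` dict, the function names, the record layout and the choice of PBKDF2-HMAC-SHA256 are assumptions, since the issue does not name a hash algorithm or storage format.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: the issue does not specify hashing parameters

# Constructed stand-in for the internal users store; not the plugin's data model.
internal_users = {}


def _hash(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from the password and a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register_extension(extension_id: str, roles: list) -> str:
    """Create the extension's single service account and return its password once."""
    if extension_id in internal_users:
        # Service accounts are tied to registration, so at most one per extension.
        raise ValueError(f"service account already exists for {extension_id}")
    password = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)
    internal_users[extension_id] = {
        "salt": salt.hex(),
        "hash": _hash(password, salt).hex(),  # only the hash is persisted
        "roles": list(roles),
        "attributes": {"service": "true"},  # marks the record as a service account
    }
    return password  # handed to the extension, never written to the store


def authenticate(extension_id: str, password: str) -> bool:
    """Check a presented password against the stored hash in constant time."""
    record = internal_users.get(extension_id)
    if record is None or record["attributes"].get("service") != "true":
        return False
    candidate = _hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))
```

Because the plaintext exists only in the return value of `register_extension`, a lost password cannot be recovered from the store and has to be replaced by issuing a new one.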