Determine how auth tokens are forwarded to Extensions #2764
Comments
github-actions
bot
added
the
untriaged
|
We can use this: opensearch-project/OpenSearch#7452. The security plugin would implement the interface and then the Extension manager could pass everything into the RestSendToExtensionAction. |
cwperks
added
triaged
|
[Triage] Assigned to @scrawfor99 . Please update with more details on what the initial interface will look like. |
|
Overview of the interface: PR opensearch-project/OpenSearch#7452, will introduce a new TokenManager interface to be used as a template for what an IdentityPlugin will expect any implementation to support. The TokenManager Interface defines five operations which are supposed to be implemented:
Each of the implementing methods are relatively straightforward. The only ones which may require complicated handling are token issuance and token revocation. Issuing a token is likely to requiring overloading the method in some implementations of the IdentityPlugin. For example you may need to pass extension information to an IdentityPlugin for a new token to be created for that extension. At the same time, a key-based system could simply generate a random key with no information. Revoking a token can also be complicated depending on the implementation. For example, you would not want to create a revocation list for a token that encoded BasicAuth information. Instead, you may need to erase the token to effectively disable it. |
davidlago
changed the title
|
@scrawfor99 Is there a companion security PR? |
With the security plugin, the auth token to be forwarded to an extension will be generated after successful authentication on a request destined for an extension. The actual request forwarding is performed in the extensions rest handler RestSendToExtensionAction. This handler needs to be able to obtain the generated token to forward to the extension.
The text was updated successfully, but these errors were encountered: