Issue and ferry a Service Account Token to an Extension on bootstrap #3176
Comments
[Triage] Thanks for filing this issue @cwperks. Please add an additional note about what is required for closing.
[Triage] Hi @cwperks, thanks for adding the action items. This looks like it is clearly defined, so marking as triaged.
Still waiting on review in core. Left a comment asking for review.
Still waiting.
Adding this back to make sure that we check off all the acceptance criteria as complete.
@scrawfor99 If you have any pointers/POCs for how this could be done, that would be useful to add to this item.
As part of [META] System Indices access for Extensions, the plan is for an extension that reserves indices to receive a token on bootstrap that the extension can utilize to interact with its reserved indices. This token will be referred to as a Service Account Token because it represents the identity of the extension and can be used by the extension to act as itself when making requests on the extension's reserved indices.
I'm filing an issue to track the work to create an interface within the `IdentityPlugin` extension point of core that can be used to trigger the security plugin's implementation of issuing a service account token. After issuance, the token also needs to be ferried to an extension. I see 2 possible options for ferrying this token to an extension:
1. As part of the `InitializeExtensionRequest`, which is initiated from core and used to initialize an extension. The handler on the SDK side can be found here.
2. As a separate Transport action that is sent after successful initialization. I recommend this option.
You can see a sample implementation of a separate transport action for ferrying service account tokens here. (There's an open PR on the SDK repo to address token handling on the SDK side that provides implementations of ferrying a service account token and an OBO token: opensearch-project/opensearch-sdk-java#892)
Sending this as a separate Transport Request potentially allows the transport action to be re-used for token rotation, whereas an initialization request is only meant to be performed once.
Acceptance Criteria:
Future followup:
- `extensionRestClient` on the SDK side
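The flow the issue body above describes (a token issued through a hook on the identity extension point, ferried to the extension in its own transport request after initialization, and reusable for rotation), as an added, self-contained example. This is not code from the opensearch-project/security or opensearch-sdk-java repositories and does not use OpenSearch's transport classes: the interface name `ServiceAccountTokenIssuer`, the HMAC-SHA256 token format, `ServiceAccountTokenRequest`, `ExtensionTokenHolder`, `mayAccess`, the demo key, and the extension and index names are all assumptions made for the illustration, not the project's actual API.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ServiceAccountTokenFlow {

    // Hypothetical hook on the IdentityPlugin extension point: core asks the
    // identity provider to mint or verify a token for one extension's identity.
    interface ServiceAccountTokenIssuer {
        String issueServiceAccountToken(String extensionId);
        boolean verify(String token, String extensionId);
    }

    // Hypothetical stand-in for the security plugin's implementation.
    // Assumed token format: "<extensionId>:<version>.<base64url HMAC-SHA256>".
    static final class HmacTokenIssuer implements ServiceAccountTokenIssuer {
        private final byte[] key;
        private final Map<String, Long> currentVersion = new HashMap<>();

        HmacTokenIssuer(byte[] key) { this.key = key; }

        @Override
        public synchronized String issueServiceAccountToken(String extensionId) {
            // Each issuance bumps the version, so a rotation revokes the previous token.
            long v = currentVersion.merge(extensionId, 1L, Long::sum);
            String payload = extensionId + ":" + v;
            return payload + "." + sign(payload);
        }

        @Override
        public synchronized boolean verify(String token, String extensionId) {
            int dot = token.lastIndexOf('.');
            if (dot < 0) return false;
            String payload = token.substring(0, dot);
            String[] parts = payload.split(":", -1);
            if (parts.length != 2 || !parts[0].equals(extensionId)) return false;
            try {
                if (Long.parseLong(parts[1]) != currentVersion.getOrDefault(extensionId, 0L)) return false;
            } catch (NumberFormatException e) {
                return false;
            }
            byte[] expected = sign(payload).getBytes(StandardCharsets.UTF_8);
            byte[] given = token.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expected, given); // constant-time comparison
        }

        private String sign(String payload) {
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(key, "HmacSHA256"));
                byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
                return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    // The separate transport request sent after initialization succeeds; the same
    // message type is reused for rotation (an initialization request is one-shot).
    record ServiceAccountTokenRequest(String extensionId, String token) {}

    // SDK-side holder: what the extension keeps once the token has been ferried to it.
    static final class ExtensionTokenHolder {
        private final String extensionId;
        private final AtomicReference<String> token = new AtomicReference<>();

        ExtensionTokenHolder(String extensionId) { this.extensionId = extensionId; }

        // Transport handler: a later call simply replaces the stored token.
        void onServiceAccountToken(ServiceAccountTokenRequest req) {
            if (!req.extensionId().equals(extensionId)) {
                throw new IllegalArgumentException("token for " + req.extensionId() + " delivered to " + extensionId);
            }
            token.set(req.token());
        }

        String currentToken() { return token.get(); }
    }

    // Core-side check when an extension acts as itself: the token must verify for that
    // extension and the target index must be one the extension reserved.
    static boolean mayAccess(ServiceAccountTokenIssuer issuer, Map<String, Set<String>> reserved,
                             String extensionId, String token, String index) {
        return token != null
                && issuer.verify(token, extensionId)
                && reserved.getOrDefault(extensionId, Set.of()).contains(index);
    }

    public static void main(String[] args) {
        // Constructed demo key and names, not real secrets, extensions or indices.
        ServiceAccountTokenIssuer issuer = new HmacTokenIssuer("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        Map<String, Set<String>> reserved = Map.of("sample-extension", Set.of(".sample-extension-data"));
        ExtensionTokenHolder ext = new ExtensionTokenHolder("sample-extension");
        // 1. Initialization completes with no token; 2. the token arrives in its own request.
        String first = issuer.issueServiceAccountToken("sample-extension");
        ext.onServiceAccountToken(new ServiceAccountTokenRequest("sample-extension", first));
        System.out.println("own index:   " + mayAccess(issuer, reserved, "sample-extension", ext.currentToken(), ".sample-extension-data"));
        System.out.println("other index: " + mayAccess(issuer, reserved, "sample-extension", ext.currentToken(), ".other-index"));
        // 3. Rotation reuses the same request type; the previous token stops verifying.
        ext.onServiceAccountToken(new ServiceAccountTokenRequest("sample-extension", issuer.issueServiceAccountToken("sample-extension")));
        System.out.println("old token:   " + mayAccess(issuer, reserved, "sample-extension", first, ".sample-extension-data"));
        System.out.println("new token:   " + mayAccess(issuer, reserved, "sample-extension", ext.currentToken(), ".sample-extension-data"));
    }
}
```

The point of separating issuance (`ServiceAccountTokenIssuer`), delivery (`ServiceAccountTokenRequest`) and enforcement (`mayAccess`) is the one the issue makes: because delivery is its own message rather than a field on the initialization request, re-sending it is all a rotation needs on the extension side, while the issuer invalidating the earlier version is what makes rotation meaningful on the core side. In a real implementation the token would also need an expiry and the index check would come from the system-index registration, not a hard-coded map.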