New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setup extension TLS #619
Setup extension TLS #619
Conversation
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Merged companion PR on OpenSearch, gradle check should pass. |
@saratvemulapalli The gradle check passed now that the companion PR in core has been merged. Thank you! |
@opensearch-project/opensearch-sdk-java looking for another set of eyes. |
I will create an issue to move the classes in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've left a number of comments that I think all bubble up to the notion of having a shared library for SSL. Great job getting this working end to end.
I created 2 follow-up issues around TLS to create integration tests and extract the common code with the security plugin into a library: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall LGTM! Sorry for the delay. A quick question though. What if in the future we plan to move the security plugin to core, how will we handle the files/changes that we pulled in this PR directly from security plugin?
@owaiskazi19 In either case with security as a plugin or security in core we would extract the same files that help setup TLS to a library that both can depend on. |
Signed-off-by: Craig Perkins <cwperx@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @cwperks for these changes!!
Getting this working E2E is great!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks @cwperks for addressing the comments. Can the reviewers resolve the comments if changes looks good and we can get this in?
@owaiskazi19 I went through each comment marked unresolved and marked them each as resolved. There were a few items from Peter, namely around the placement of the |
Great work, @cwperks Thanks |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-1.x 1.x
# Navigate to the new working tree
pushd ../.worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-619-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b13f257dac430d24404105ae69f31e334ba84df2
# Push it to GitHub
git push --set-upstream origin backport/backport-619-to-1.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-1.x Then, create a pull request where the |
Thanks. Generally, we prefer the reviewer to resolve the comments if the changes requested looks good to them. |
Yes I will raise a manual PR for the 1.x backport. Understood about letting reviewers mark the PR as resolved, this PR was sitting for a while and I was trying to move it forward and use discretion with whether a comment was addressed. This should be the largest PR in size for a while since it added a lot of configurability around TLS, but future security related PRs will be much smaller comparatively. |
* WIP on Handler naming and SSL Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add concept of extension shortname via settings Signed-off-by: Craig Perkins <cwperx@amazon.com> * WIP on extension ssl Signed-off-by: Craig Perkins <cwperx@amazon.com> * Get registry from runner Signed-off-by: Craig Perkins <cwperx@amazon.com> * Read settings from extension config file Signed-off-by: Craig Perkins <cwperx@amazon.com> * Update license headers Signed-off-by: Craig Perkins <cwperx@amazon.com> * Run spotlessApply Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Update cert generation documents Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add ssl.transport.enabled in ExtensionsRunner Signed-off-by: Craig Perkins <cwperx@amazon.com> * Merge main into branch Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add instructions for running in SSL only mode Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add all SSL settings to extension settings Signed-off-by: Craig Perkins <cwperx@amazon.com> * Set default enforce_hostname_verification Signed-off-by: Craig Perkins <cwperx@amazon.com> * Run spotlessApply Signed-off-by: Craig Perkins <cwperx@amazon.com> * Respond to code review feedback Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix typos in debug messages Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add docstrings Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review feedback Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> (cherry picked from commit b13f257)
@owaiskazi19 Opened up a manual backport PR: #718 |
* Setup extension TLS (#619) * WIP on Handler naming and SSL Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add concept of extension shortname via settings Signed-off-by: Craig Perkins <cwperx@amazon.com> * WIP on extension ssl Signed-off-by: Craig Perkins <cwperx@amazon.com> * Get registry from runner Signed-off-by: Craig Perkins <cwperx@amazon.com> * Read settings from extension config file Signed-off-by: Craig Perkins <cwperx@amazon.com> * Update license headers Signed-off-by: Craig Perkins <cwperx@amazon.com> * Run spotlessApply Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Remove authz changes and only keep TLS Signed-off-by: Craig Perkins <cwperx@amazon.com> * Update cert generation documents Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add ssl.transport.enabled in ExtensionsRunner Signed-off-by: Craig Perkins <cwperx@amazon.com> * Merge main into branch Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add instructions for running in SSL only mode Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add all SSL settings to extension settings Signed-off-by: Craig Perkins <cwperx@amazon.com> * Set default enforce_hostname_verification Signed-off-by: Craig Perkins <cwperx@amazon.com> * Run spotlessApply Signed-off-by: Craig Perkins <cwperx@amazon.com> * Respond to code review feedback Signed-off-by: Craig Perkins <cwperx@amazon.com> * Fix typos in debug messages Signed-off-by: Craig Perkins <cwperx@amazon.com> * Add docstrings Signed-off-by: Craig Perkins <cwperx@amazon.com> * Address code review feedback Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> (cherry picked from commit b13f257) * Switch configDir to configFile Signed-off-by: Craig Perkins <cwperx@amazon.com> --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Description
Companion PR in core: opensearch-project/OpenSearch#6866
Companion PR in security repo: opensearch-project/security#2599
I am opening a draft PR to solicit feedback for setting up extension TLS. The TLS setup here is modeled after the setup in security plugin, but any reference to http setup was removed and all transport setup kept in. While testing extensions with the Security plugin installed, I ran into issues where the extension was not able to handshake with the cluster as it was hitting this block: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java#L260-L268
This PR updates the handshake process and injects a ThreadContext header (
extension_unique_id
) that is added on all transport requests to core, to identify the transport request as explicitly coming from an extension.For the TLS setup in this PR, I have added a general area in the extension settings (i.e.
helloworld-settings.yml
) where the TLS can be configured using any of the ConfigConstants present in SSLConfigConstants. All settings for SSL setup are prefixes withssl.transport.*
and SSL must be explicitly enabled with default to false (though I imagine this will change in a future PR as the security changes are closer to being finalized for the experimental release).See a snippet from
helloworld-settings.yml
with SSL config:I added commands in
Docs/CERTIFICATE_GENERATION.md
that you can use to generate certs for the extension and for the OS node to test with.I was not sure how to add automated testing for this - I will open up an issue for adding tests
Issues Resolved
opensearch-project/security#2638
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.