Adding end to end endpoint with various changes

[peternied]

Description

I've done a pass over the feature branch and made several updates, so it is more testable and cleaned up some smaller style issues that were nagging at me.

Testing

Testing of the new API was done via ./gradlew test --tests org.opensearch.security.dlic.rest.api.AccountApiTest.testGetAccount --info however, this was done to very quickly access the endpoint and should be properly moved/rearranged

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[peternied]

Fixed the build break

[peternied]

This test only invokes the new endpoint and this should be deleted and replaced with changes in the integration tests that involve:

• Happy path flow, get token then use to call WhoAmI endpoint
• Basic error checking of the API

[peternied]

This class was hastily created, it should be re-written and compacted significately. I was also betting that we could use the AuthZ on REST requests so transport actions weren't generated. Might make sense to make this follow the transport actions more formally until that has been merged/backported

[peternied]

Need more research into how these roles are populated, I'm not sure if this is correct

[cwperks]

For extensions the token will contain the mapped roles

[peternied]

Still has many opportunities to reuse the JwtVendor within this class rather than duplicate logic, but might be good fast followups rather than block the critical path

[RyanL1997]

I will merge this one into my fork and fix this:

/home/runner/work/security/security/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthorizationHeaderFactory.java:49: error: incompatible types: LongSupplier cannot be converted to Optional<LongSupplier>
		JwtVendor jwtVendor = new JwtVendor(settings, currentTime);

[cwperks]

If this is cluster name then this should be able to be obtained from the ClusterState which you can get in createComponents.

[cwperks]

source is a bit confusing of a name here. This parameter is the audience claim in the JWT which is intended to be a unique identifier of the service/extension that would receive this token. For an endpoint to request the creation of a token, it may make sense to have this as a param.

[peternied]

In this REST API's case, the token was created by self-issued by user. If this was generated by a plugin or extension, then it should be marked with the identifier for traceability. This is good feedback around if we have the correct information in the token for the audit log or other use cases

[cwperks]

IMO 24 hours is too wide of a window. This value should match any currently configured REST Handler timeouts.

[peternied]

Good called, we can change the defaults as needed

[cwperks]

If we expand on this PR to also implement token revocation and richer management of these tokens then it may make sense to create a separate security index for token management. You can look at this PR which creates an index to store security information that is not supposed to be stored in the security configuration index.

[RyanL1997]

If we expand on this PR to also implement token revocation and richer management of these tokens then it may make sense to create a separate security index for token management. You can look at this opensearch-project#2773 which creates an index to store security information that is not supposed to be stored in the security configuration index.

Hi @cwperks, thanks for the info. I would like ask some questions about the index (maybe called tokenManagementIndex?). I will leave some comments on the PR you linked.