[MD][Meta] Support SigV4 auth types for data source #2110

Closed
noCharger opened this issue Aug 9, 2022 · 6 comments · Fixed by #3058
Assignees
Labels
enhancement New feature or request multiple datasource multiple datasource project v2.6.0

Comments

@noCharger
Contributor

No description provided.

@noCharger noCharger changed the title [MD] Support other auth types for credential [MD] Support other auth types for credential (optional) Aug 9, 2022
@noCharger noCharger added the multiple datasource multiple datasource project label Aug 9, 2022
@zhongnansu zhongnansu added the enhancement New feature or request label Sep 28, 2022
@kristenTian kristenTian added v2.5.0 'Issues and PRs related to version v2.5.0' needs research labels Oct 31, 2022
@zhongnansu zhongnansu changed the title [MD] Support other auth types for credential (optional) [MD] Support other auth types for data source Oct 31, 2022
@zhongnansu zhongnansu self-assigned this Oct 31, 2022
@zhongnansu
Member

zhongnansu commented Oct 31, 2022

Problem Statement

Currently, in Multiple Datasource, we support these auth types:

  • No auth
  • basic auth

We want to give users a way to add AWS OpenSearch domains with IAM policies as data sources, which means we need to support SigV4 signing as a new auth type.

In general, there are 3 types of IAM access policy.

  1. Resource-based policies
  2. Identity-based policies
  3. IP-based policies

We'll introduce the "resource-based" IAM access policy in Multiple Datasource because, as the name indicates, the "resources" are "data sources" in the Multiple Datasource feature. There are also 2 types of resource-based access policy, and the implementation will differ:

  1. User based: An IAM user comes with an IAM access key & secret key that can be used to sign the request.
  2. Role based: Assume a role with the STS service on behalf of a master user, which internally generates an "ACCESS KEY", "SECRET KEY" and "SESSION TOKEN" to authenticate the request. **We may not need to support this because it doesn't make sense for a user to configure a master user and then assume a role. The user can just configure an IAM user in the policy and use approach 1 to access the domain.**

POC

  • research/poc on using https://www.npmjs.com/package/http-aws-es with client
  • Set up test domain that enables IAM user/role in access policy
    • set up VPC test domain in aws opensearch [doc]
    • set up and programmatically access AWS Opensearch domain with IAM user-based access policy [doc]
       curl --request GET \
         'https://search-os-test-cognito-zdooa7o3mj3hg6tvpdibrt5k4u.us-west-2.es.amazonaws.com' \
         --aws-sigv4 aws:amz:us-west-2:es \
         --user "${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}" \
         --header 'Accept: application/json'
       {
         "name" : "45fb95e575edc5ee359680cd09594015",
         "cluster_name" : "841677925608:os-test-cognito",
         "cluster_uuid" : "A_x-L1mcQqi6ZoJt_3i3_Q",
         "version" : {
           "distribution" : "opensearch",
           "number" : "1.0.0",
           "build_type" : "tar",
           "build_hash" : "unknown",
           "build_date" : "2021-11-11T13:03:46.725100Z",
           "build_snapshot" : false,
           "lucene_version" : "8.8.2",
           "minimum_wire_compatibility_version" : "6.8.0",
           "minimum_index_compatibility_version" : "6.0.0-beta1"
         },
         "tagline" : "The OpenSearch Project: https://opensearch.org/"
       }
      
    • Set up IAM role-based access policy in test domain, and create user that can assume role and connect. [ref]
  • poc using latest opensearch-js client with sigV4 natively supported [doc link]
    • Use hardcoded IAM access key & secret key (through AWS credential object) + opensearch client to connect to AOS domains
    • Use aws-sdk sts client + opensearch-js client

Implementation Tasks
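
The user-based and role-based options in the comment above differ only in what gets signed, which this added example makes concrete (it is not code from this issue or from OpenSearch Dashboards). It implements AWS's published SigV4 algorithm for a body-less GET with no query string against the `es` service; `signGet`, `signingKey` and all sample values are constructed for illustration.

```javascript
// Added example: SigV4 header signing for the `es` service (hypothetical helper names).
const crypto = require('crypto');

const sha256Hex = (data) => crypto.createHash('sha256').update(data).digest('hex');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// Signing key: chained HMACs that scope the secret to one date, region and service.
function signingKey(secretKey, date, region, service) {
  const kDate = hmac('AWS4' + secretKey, date);
  return hmac(hmac(hmac(kDate, region), service), 'aws4_request');
}

// Signs a body-less GET. creds = { accessKeyId, secretAccessKey, sessionToken? }
function signGet({ host, path = '/', region, service = 'es', creds, now = new Date() }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20230210T120000Z
  const date = amzDate.slice(0, 8);
  const headers = { host, 'x-amz-date': amzDate };
  // Role-based (STS) credentials carry a session token, which is signed as a header.
  if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken;

  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${headers[n].trim()}\n`).join('');
  const signedHeaders = names.join(';');
  // Method, URI, empty query string, headers, signed header list, hash of empty body.
  const canonicalRequest =
    ['GET', path, '', canonicalHeaders, signedHeaders, sha256Hex('')].join('\n');

  const scope = `${date}/${region}/${service}/aws4_request`;
  const stringToSign =
    ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');
  const key = signingKey(creds.secretAccessKey, date, region, service);
  const signature = hmac(key, stringToSign).toString('hex');

  headers.authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { headers, signature, signedHeaders };
}

// Constructed sample values (not real credentials or a real domain).
const sample = {
  host: 'search-example.us-west-2.es.amazonaws.com',
  region: 'us-west-2',
  now: new Date('2023-02-10T12:00:00Z'),
};
const userCreds = { accessKeyId: 'AKIAEXAMPLEKEYID0000', secretAccessKey: 'constructed-secret' };
const roleCreds = { ...userCreds, sessionToken: 'constructed-session-token' };
```

The secret key never leaves the client; only the derived signature is sent, and the date, region and service in the credential scope limit where that signature is valid.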

@zhongnansu zhongnansu changed the title [MD] Support other auth types for data source [MD] [Research]Support other auth types for data source Oct 31, 2022
@zhongnansu zhongnansu changed the title [MD] [Research]Support other auth types for data source [MD] [Research] Support other auth types for data source Nov 1, 2022
@zhongnansu zhongnansu changed the title [MD] [Research] Support other auth types for data source [MD] [Research] Support SigV4 auth types for data source Nov 8, 2022
@seraphjiang seraphjiang added v2.5.0 'Issues and PRs related to version v2.5.0' and removed v2.5.0 'Issues and PRs related to version v2.5.0' labels Nov 15, 2022
@zhongnansu zhongnansu removed the v2.5.0 'Issues and PRs related to version v2.5.0' label Nov 23, 2022
@kavilla kavilla linked a pull request Dec 13, 2022 that will close this issue
8 tasks
@zhongnansu zhongnansu changed the title [MD] [Research] Support SigV4 auth types for data source [MD] Support SigV4 auth types for data source Feb 6, 2023
@zhongnansu
Member

zhongnansu commented Feb 10, 2023

demo video with PR #3058

Screen.Recording.2023-02-08.at.12.46.11.PM.mov

@KrooshalUX please leave UI/UX feedback on this thread

@KrooshalUX

KrooshalUX commented Feb 11, 2023

@zhongnansu This is a great demo, thanks for putting it together and syncing earlier.

Two small bits of feedback:

  • I recommend removing the confirmations in the update password UI on the object details page (also as @kgcreative mentioned in the PR)
  • A nice to have to consider is converting the authentication type radio buttons to OuiSelect since we now have more than 2. I understand that currently the project only has the 3 and tbd on plans for adding more, so this is not blocking feedback as it can be added in a future iteration as well.

Great job team!

@zhongnansu zhongnansu changed the title [MD] Support SigV4 auth types for data source [MD][Meta] Support SigV4 auth types for data source Feb 14, 2023
@zhongnansu
Member

Updated UI for credential update modal

@zhongnansu
Member

Reopen. Not all tasks are completed.

@zhongnansu
Member

This can be closed, as we released this feature in 2.6.0

6 participants