Remove identity-related feature flagged code from the RestController #15430

cwperks · 2024-08-26T20:54:16Z

Description

This PR is a follow-up to #14630. This PR removes code in the RestController that was behind the opensearch.experimental.feature.identity.enabled feature flag.

The problem with the current code behind the feature flag is that it uses the RestTokenExtractor which assumes that authinfo is provided on the AUTHORIZATION header and is not directly usable by the security plugin in the current state. This PR removes the code to leave it up to the Identity plugin how to provide the subject information. For instance, this PR updates the identity-shiro plugin to utilize ActionPlugin.getRestHandlerWrapper to authenticate a web request and hydrate information about the current subject. The RestTokenExtractor has been moved into the identity-shiro plugin which only supports basic auth with the AUTHORIZATION header in its current state.

I'm opening this PR as a step towards removing the Identity feature flag (but keeping the interface marked as experimental).

I am planning to ask plugin maintainers to remove usages of ThreadContext.stashContext after the experimental feature flag for identity is removed.

Related Issues

Related to opensearch-project/security#4439

Check List

Functionality includes testing.
API changes companion pull request created, if applicable.
Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Craig Perkins <[email protected]>

github-actions · 2024-08-26T21:15:00Z

❌ Gradle check result for e6b82ba: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Signed-off-by: Craig Perkins <[email protected]>

github-actions · 2024-08-27T00:54:38Z

❌ Gradle check result for bc610a2: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Signed-off-by: Craig Perkins <[email protected]>

github-actions · 2024-08-27T02:30:05Z

❕ Gradle check result for 1abfe97: UNSTABLE

TEST FAILURES:

      2 org.opensearch.cluster.MinimumClusterManagerNodesIT.testThreeNodesNoClusterManagerBlock
      1 org.opensearch.remotestore.RemoteStoreStatsIT.testNonZeroPrimaryStatsOnNewlyCreatedIndexWithZeroDocs

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

Signed-off-by: Craig Perkins <[email protected]>

github-actions · 2024-09-18T21:17:41Z

❌ Gradle check result for 34bc922: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2024-09-19T00:20:45Z

❌ Gradle check result for 34bc922: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2024-09-19T00:48:36Z

❌ Gradle check result for 34bc922: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2024-09-19T02:19:52Z

❌ Gradle check result for c2d9a3a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2024-09-19T04:07:33Z

❌ Gradle check result for c2d9a3a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2024-09-19T12:19:50Z

✅ Gradle check result for c2d9a3a: SUCCESS

opensearch-trigger-bot · 2024-09-19T20:56:05Z

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-15430-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 1bc81d3eee07e96b6c6393510b41d194276e204c
# Push it to GitHub
git push --set-upstream origin backport/backport-15430-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-15430-to-2.x.

reta · 2024-09-19T20:56:32Z

@cwperks could you please backport to 2.x manually? thank you!

…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <[email protected]> * Handle null Signed-off-by: Craig Perkins <[email protected]> * Fix tests Signed-off-by: Craig Perkins <[email protected]> * Fix ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <[email protected]> * Address forbiddenApi Signed-off-by: Craig Perkins <[email protected]> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <[email protected]> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <[email protected]> * Remove change in IdentityService Signed-off-by: Craig Perkins <[email protected]> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <[email protected]> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <[email protected]> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <[email protected]> * Address code review comments Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit 1bc81d3)

cwperks · 2024-09-19T21:16:18Z

@reta opened a manual backport that resolves conflicts in the CHANGELOG: #16004

…15430) (#16004) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <[email protected]> * Handle null Signed-off-by: Craig Perkins <[email protected]> * Fix tests Signed-off-by: Craig Perkins <[email protected]> * Fix ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <[email protected]> * Address forbiddenApi Signed-off-by: Craig Perkins <[email protected]> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <[email protected]> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <[email protected]> * Remove change in IdentityService Signed-off-by: Craig Perkins <[email protected]> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <[email protected]> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <[email protected]> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <[email protected]> * Address code review comments Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit 1bc81d3) Signed-off-by: Craig Perkins <[email protected]>

…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <[email protected]> * Handle null Signed-off-by: Craig Perkins <[email protected]> * Fix tests Signed-off-by: Craig Perkins <[email protected]> * Fix ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <[email protected]> * Address forbiddenApi Signed-off-by: Craig Perkins <[email protected]> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <[email protected]> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <[email protected]> * Remove change in IdentityService Signed-off-by: Craig Perkins <[email protected]> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <[email protected]> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <[email protected]> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <[email protected]> * Address code review comments Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Craig Perkins <[email protected]>

Add authenticate to IdentityPlugin interface

e6b82ba

Signed-off-by: Craig Perkins <[email protected]>

cwperks mentioned this pull request Aug 26, 2024

Add runAs to Subject interface and introduce IdentityAwarePlugin extension point #14630

Merged

3 tasks

Handle null

bc610a2

Signed-off-by: Craig Perkins <[email protected]>

Fix tests

1abfe97

Signed-off-by: Craig Perkins <[email protected]>

Merge branch 'main' into identity-plugin-authenticate

34bc922

Signed-off-by: Craig Perkins <[email protected]>

opensearch-ci-bot mentioned this pull request Sep 19, 2024

[AUTOCUT] Gradle Check Flaky Test Report for ClientYamlTestSuiteIT #14319

Open

Merge branch 'main' into identity-plugin-authenticate

c2d9a3a

opensearch-ci-bot mentioned this pull request Sep 19, 2024

[AUTOCUT] Gradle Check Flaky Test Report for SpecificClusterManagerNodesIT #15944

Open

reta approved these changes Sep 19, 2024

View reviewed changes

reta merged commit 1bc81d3 into opensearch-project:main Sep 19, 2024
33 of 34 checks passed

opensearch-trigger-bot bot added the backport-failed label Sep 19, 2024

cwperks mentioned this pull request Sep 19, 2024

[Backport 2.x] Remove identity-related feature flagged code from the RestController (#15430) #16004

Merged

cwperks mentioned this pull request Sep 20, 2024

Remove Identity FeatureFlag #16024

Merged

3 tasks

opensearch-ci-bot mentioned this pull request Sep 24, 2024

[AUTOCUT] Gradle Check Flaky Test Report for SearchTimeoutIT #16056

Closed

prudhvigodithi mentioned this pull request Oct 16, 2024

[AUTOCUT] Gradle Check Flaky Test Report for MixedClusterClientYamlTestSuiteIT prudhvigodithi/opensearch-build#82

Open

This was referenced Oct 23, 2024

Remove IdentityService from RestController constructor opensearch-project/performance-analyzer#736

Merged

[Backport 2.x] Remove IdentityService from RestController constructor opensearch-project/performance-analyzer#737

Merged

BrewTestBot mentioned this pull request Nov 6, 2024

opensearch 2.18.0 Homebrew/homebrew-core#196785

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove identity-related feature flagged code from the RestController #15430

Remove identity-related feature flagged code from the RestController #15430

cwperks commented Aug 26, 2024 •

edited

Loading

github-actions bot commented Aug 26, 2024

github-actions bot commented Aug 27, 2024

github-actions bot commented Aug 27, 2024

github-actions bot commented Sep 18, 2024

github-actions bot commented Sep 19, 2024

github-actions bot commented Sep 19, 2024

github-actions bot commented Sep 19, 2024

github-actions bot commented Sep 19, 2024

github-actions bot commented Sep 19, 2024

opensearch-trigger-bot bot commented Sep 19, 2024

reta commented Sep 19, 2024

cwperks commented Sep 19, 2024

Remove identity-related feature flagged code from the RestController #15430

Remove identity-related feature flagged code from the RestController #15430

Conversation

cwperks commented Aug 26, 2024 • edited Loading

Description

Related Issues

Check List

github-actions bot commented Aug 26, 2024

github-actions bot commented Aug 27, 2024

github-actions bot commented Aug 27, 2024

github-actions bot commented Sep 18, 2024

github-actions bot commented Sep 19, 2024

github-actions bot commented Sep 19, 2024

github-actions bot commented Sep 19, 2024

github-actions bot commented Sep 19, 2024

github-actions bot commented Sep 19, 2024

opensearch-trigger-bot bot commented Sep 19, 2024

reta commented Sep 19, 2024

cwperks commented Sep 19, 2024

cwperks commented Aug 26, 2024 •

edited

Loading