Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sync up security/extensions feature branch with main on 06/13/2023 #2853

Closed
wants to merge 10 commits into from
Closed

Sync up security/extensions feature branch with main on 06/13/2023 #2853

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
de170fa
add ml model group system index (#2790)
ylwu-amzn May 25, 2023
df0347e
role.yml changes for lron feature (#2789)
zhichao-aws May 25, 2023
619d869
Remove dependency on javax.annotation implementation as OpenSearch no…
Xtansia May 30, 2023
fdae4cb
[FEATURE] usage of JWKS with JWT (w/o OpenID connect) (#2808)
cwperks May 30, 2023
3ac60e7
Update non java files (#2812)
stephen-crawford May 31, 2023
3bdd2d5
Add release notes for 2.8.0 (#2827)
RyanL1997 Jun 1, 2023
9ec33b7
Match version of zstd-jni from core (#2832)
cwperks Jun 5, 2023
1d30c96
Add Stephen's formatting changes after applying all non java files
RyanL1997 Jun 13, 2023
278e20d
Add Andrey Pleskach (Willyborankin) to Maintainers (#2843)
stephen-crawford Jun 13, 2023
340d17b
Fix JwtAuthenticationTests assertion (#2844)
cwperks Jun 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
View file
Open in desktop
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
@@ -1 +1 @@
* @cliu123 @cwperks @DarshitChanpura @davidlago @peternied @RyanL1997 @scrawfor99 @reta
* @cliu123 @cwperks @DarshitChanpura @davidlago @peternied @RyanL1997 @scrawfor99 @reta @willyborankin
2 changes: 1 addition & 1 deletion .github/actions/create-bwc-build/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ inputs:
plugin-branch:
description: 'The branch of the plugin that should be built, e.g "2.2", "1.x"'
required: true

outputs:
built-version:
description: 'The version of OpenSearch that was associated with this branch'
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/start-opensearch-with-one-plugin/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ runs:
# Run any configuration scripts
- name: Run Setup Script for Linux
if: ${{ runner.os == 'Linux' && inputs.setup-script-name != '' }}
run: |
run: |
echo "running linux setup"
chmod +x ./${{ inputs.setup-script-name }}.sh
./${{ inputs.setup-script-name }}.sh
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/delete_backport_branch.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
name: Delete merged branch of the backport PRs
on:
on:
pull_request:
types:
- closed

jobs:
delete-branch:
runs-on: ubuntu-latest
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/plugin_install.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ jobs:
if: ${{ runner.os == 'Linux' }}
run: |
cat > setup.sh <<'EOF'
chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh
chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh
/bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh"
EOF

Expand Down
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
OpenSearch is a community project that is built and maintained by people just like **you**.
[This document](https://github.com/opensearch-project/.github/blob/main/CONTRIBUTING.md) explains how you can contribute to this and related projects.

Visit the following link(s) for more information on specific practices:
Visit the following link(s) for more information on specific practices:

- [Triaging](./TRIAGING.md)

Expand Down
6 changes: 3 additions & 3 deletions DEVELOPER_GUIDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,9 +48,9 @@ The `curl localhost:9200` call should succeed again. Kill the server with `Ctrl+

>Worth noting:\
> The version of OpenSearch and the security plugin must match as there is an explicit version check at startup. This can be a bit confusing as, for example, at the time of writing this guide, the `main` branch of this security plugin builds version `3.0.0.0-SNAPSHOT` compatible with OpenSearch `3.0.0`. Check the expected compatible version in `build.gradle` file [here](https://github.com/opensearch-project/security/blob/main/build.gradle) and make sure you get the correct branch from OpenSearch when building that project.
>
>
> The line to look for: `opensearch_version = System.getProperty("opensearch.version", "x")`
>
>
> Alternatively, you can find the compatible version of OpenSearch by running in project root folder
> ```
> ./gradlew properties -q | grep -E '^version:' | awk '{print $2}'
Expand Down Expand Up @@ -164,7 +164,7 @@ Checkstyle enforces several rules within this codebase. Sometimes it will be nec

*Execute Checkstyle*
```
./gradlew checkstyleMain checkstyleTest
./gradlew checkstyleMain checkstyleTest
```

*Example violation*
Expand Down
34 changes: 17 additions & 17 deletions DEVELOPING_WITH_DOCKER.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,40 +1,40 @@
# Developing with Docker

Docker is a powerful tool that can be used to quickly spin up an OpenSearch cluster. When you follow the steps to run [OpenSearch with Docker](https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/), you will find the Security Plugin already included in the basic distribution.
Docker is a powerful tool that can be used to quickly spin up an OpenSearch cluster. When you follow the steps to run [OpenSearch with Docker](https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/), you will find the Security Plugin already included in the basic distribution.

- [Developing with Docker](#developing-with-docker)
- [Configuring Security](#configuring-security)
- [Mounting Local Volumes](#mounting-local-volumes)
- [Example docker-compose](#example-docker-compose)


## Configuring Security

By default, the Docker installation of OpenSearch does not enable the Security plugin. In order to enable Security development, you will need set `DISABLE_SECURITY_PLUGIN=false`, as well as change `DISABLE_INSTALL_DEMO_CONFIG` and `DISABLE_SECURITY_DASHBOARDS_PLUGIN`. This will install the demo certificates, and allow you to develop with realistic Security configurations. An example of a completely configured docker-compose file is shown below.
## Configuring Security

By default, the Docker installation of OpenSearch does not enable the Security plugin. In order to enable Security development, you will need set `DISABLE_SECURITY_PLUGIN=false`, as well as change `DISABLE_INSTALL_DEMO_CONFIG` and `DISABLE_SECURITY_DASHBOARDS_PLUGIN`. This will install the demo certificates, and allow you to develop with realistic Security configurations. An example of a completely configured docker-compose file is shown below.

> Warning: You should never use the demo certificates for a production environment. Instead, you will need to follow the steps on [configuring security](https://opensearch.org/docs/latest/security/configuration/index/) before using the cluster for production.

### Mounting Local Volumes
### Mounting Local Volumes

In order to test development changes with an OpenSearch Docker-installation, you will need to mount the volumes in your docker-compose file.
In order to test development changes with an OpenSearch Docker-installation, you will need to mount the volumes in your docker-compose file.

To update your cluster to have local changes, follow these steps:
To update your cluster to have local changes, follow these steps:

1. First you will need to make changes in your local `opensearch-project/security` repository. For this example, assume your fork is cloned into a directory called `security`.
2. After you make changes to your cloned repository, you will need to run `./gradlew assemble`. This will create a `.jar` file you can mount into the Docker container. The file will be located at `./security/build/distributions/opensearch-security-<OPENSEARCH_VERSION>.0-SNAPSHOT.jar`, where the `<OPENSEARCH_VERSION>` field is simply the OpenSearch distribution.
3. You will then need to navigate to your `docker-compose.yml` file where you are running you OpenSearch cluster from. For this example, let us assume this is in another directory called `opensearch-docker`.
4. Modify the compose file, so that in the `volumes:` section of each node configuration (the default configuration will have `opensearch-node1` and `opensearch-node2`), you have a new line which reads `~/security/build/distributions/opensearch-security-<OPENSEARCH_VERSION>.0-SNAPSHOT.jar:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-<OPENSEARCH_VERSION>.0.jar`. This line should be added to the volumes section of all nodes in the compose file. You will not need to add it to the `opensearch-dashboards` section.
5. You can now restart the Docker container by running `docker-compose down -v` and `docker-compose up`. Your changes will now be live in the OpenSearch cluster instance.
2. After you make changes to your cloned repository, you will need to run `./gradlew assemble`. This will create a `.jar` file you can mount into the Docker container. The file will be located at `./security/build/distributions/opensearch-security-<OPENSEARCH_VERSION>.0-SNAPSHOT.jar`, where the `<OPENSEARCH_VERSION>` field is simply the OpenSearch distribution.
3. You will then need to navigate to your `docker-compose.yml` file where you are running you OpenSearch cluster from. For this example, let us assume this is in another directory called `opensearch-docker`.
4. Modify the compose file, so that in the `volumes:` section of each node configuration (the default configuration will have `opensearch-node1` and `opensearch-node2`), you have a new line which reads `~/security/build/distributions/opensearch-security-<OPENSEARCH_VERSION>.0-SNAPSHOT.jar:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-<OPENSEARCH_VERSION>.0.jar`. This line should be added to the volumes section of all nodes in the compose file. You will not need to add it to the `opensearch-dashboards` section.
5. You can now restart the Docker container by running `docker-compose down -v` and `docker-compose up`. Your changes will now be live in the OpenSearch cluster instance.

### Example docker-compose
### Example docker-compose

This is an example of a completely configured docker-compose file for a local installation of the 2.5.0 version of OpenSearch.
This is an example of a completely configured docker-compose file for a local installation of the 2.5.0 version of OpenSearch.

```
version: '3'
services:
opensearch-node1:
image: opensearchstaging/opensearch:2.5.0 # This is a image of the 2.5.0 distribution
image: opensearchstaging/opensearch:2.5.0 # This is a image of the 2.5.0 distribution
environment:
- cluster.name=opensearch-cluster
- node.name=opensearch-node1
Expand All @@ -58,7 +58,7 @@ services:
# - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml # These paths are relative to the location of the docker-compose file
# - ./config/esnode.pem:/usr/share/opensearch/config/esnode.pem
# - ./config/esnode-key.pem:/usr/share/opensearch/config/esnode-key.pem
# - ./config/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
# - ./config/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
# - ./config/opensearch-security/audit.yml:/usr/share/opensearch/config/opensearch-security/audit.yml
# - ./config/opensearch-security/tenants.yml:/usr/share/opensearch/config/opensearch-security/tenants.yml
# - /OpenSearch-Snapshots:/mnt/snapshots # This is where your snapshots would be stored
Expand Down Expand Up @@ -86,8 +86,8 @@ services:
# - ./config/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
# - ./config/opensearch-security/audit.yml:/usr/share/opensearch/config/opensearch-security/audit.yml
# - ./config/opensearch-security/tenants.yml:/usr/share/opensearch/config/opensearch-security/tenants.yml
# - /OpenSearch-Snapshots:/mnt/snapshots
# - /security/build/distributions/opensearch-security-2.5.0.0-SNAPSHOT.jar:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-2.5.0.0.jar
# - /OpenSearch-Snapshots:/mnt/snapshots
# - /security/build/distributions/opensearch-security-2.5.0.0-SNAPSHOT.jar:/usr/share/opensearch/plugins/opensearch-security/opensearch-security-2.5.0.0.jar
networks:
- opensearch-net
opensearch-dashboards:
Expand Down
1 change: 1 addition & 0 deletions MAINTAINERS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ This document contains a list of maintainers in this repo. See [opensearch-proje
| Ryan Liang | [RyanL1997](https://github.com/RyanL1997) | Amazon |
| Stephen Crawford | [scrawfor99](https://github.com/scrawfor99) | Amazon |
| Andriy Redko | [reta](https://github.com/reta) | Aiven |
| Andrey Pleskach | [willyborankin](https://github.com/willyborankin) | Aiven |

## Practices

Expand Down
12 changes: 6 additions & 6 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
[![CI](https://github.com/opensearch-project/security/workflows/CI/badge.svg?branch=main)](https://github.com/opensearch-project/security/actions) [![](https://img.shields.io/github/issues/opensearch-project/security/untriaged?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"untriaged") [![](https://img.shields.io/github/issues/opensearch-project/security/security%20vulnerability?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"security%20vulnerability") [![](https://img.shields.io/github/issues/opensearch-project/security)](https://github.com/opensearch-project/security/issues) [![](https://img.shields.io/github/issues-pr/opensearch-project/security)](https://github.com/opensearch-project/security/pulls)
[![CI](https://github.com/opensearch-project/security/workflows/CI/badge.svg?branch=main)](https://github.com/opensearch-project/security/actions) [![](https://img.shields.io/github/issues/opensearch-project/security/untriaged?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"untriaged") [![](https://img.shields.io/github/issues/opensearch-project/security/security%20vulnerability?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"security%20vulnerability") [![](https://img.shields.io/github/issues/opensearch-project/security)](https://github.com/opensearch-project/security/issues) [![](https://img.shields.io/github/issues-pr/opensearch-project/security)](https://github.com/opensearch-project/security/pulls)
[![](https://img.shields.io/codecov/c/gh/opensearch-project/security)](https://app.codecov.io/gh/opensearch-project/security) [![](https://img.shields.io/github/issues/opensearch-project/security/v2.4.0)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"v2.4.0") [![](https://img.shields.io/github/issues/opensearch-project/security/v3.0.0)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"v3.0.0")
[![Slack](https://img.shields.io/badge/Slack-4A154B?&logo=slack&logoColor=white)](https://opensearch.slack.com/archives/C051Y637FKK)



## Announcement: The Slack workspace is live! Please join the [conversation](https://opensearch.slack.com/archives/C051Y637FKK).
## Announcement: The Slack workspace is live! Please join the [conversation](https://opensearch.slack.com/archives/C051Y637FKK).

<img src="https://opensearch.org/assets/img/opensearch-logo-themed.svg" height="64px">

Expand Down Expand Up @@ -37,7 +37,7 @@ OpenSearch Security is a plugin for OpenSearch that offers encryption, authentic
* Full data in transit encryption
* Node-to-node encryption
* Certificate revocation lists
* Hot Certificate renewal
* Hot Certificate renewal

### Authentication
* Internal user database
Expand All @@ -60,7 +60,7 @@ OpenSearch Security is a plugin for OpenSearch that offers encryption, authentic
* REST management API

### Audit/Compliance logging
* Audit logging
* Audit logging
* Compliance logging for GDPR, HIPAA, PCI, SOX and ISO compliance

### OpenSearch Dashboards multi-tenancy
Expand Down Expand Up @@ -126,7 +126,7 @@ sequenceDiagram
participant OpenSearch
participant SecurityPlugin
participant Cluster as Plugin

Client->>OpenSearch: Request
OpenSearch->>SecurityPlugin: Request
SecurityPlugin->>SecurityPlugin: Add Auth information to request context
Expand Down Expand Up @@ -188,7 +188,7 @@ If you discover a potential security issue in this project we ask that you notif

## License

This code is licensed under the Apache 2.0 License.
This code is licensed under the Apache 2.0 License.

## Copyright

Expand Down
4 changes: 2 additions & 2 deletions TRIAGING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ If you have an issue you'd like to bring forth please consider getting a link to

### Is there an agenda for each week?

Meetings are lightly structured as follows:
Meetings are lightly structured as follows:

1. Announcements: If there are any announcements to be made they will happen at the start of the meeting.
2. Review of new issues: The meetings always start with reviewing all untriaged [issues](https://github.com/search?q=label%3Auntriaged+is%3Aopen++repo%3Aopensearch-project%2Fsecurity+repo%3Aopensearch-project%2Fsecurity-dashboards-plugin&type=issues&ref=advsearch&s=created&o=desc) for the security and security-dashboards repositories.
Expand Down Expand Up @@ -53,7 +53,7 @@ There you can find answers to many common questions as well as speak with implem

### What if my issue is critical to OpenSearch operations, do I have to wait for the weekly meeting for it to be addressed?

All new issues for the [security](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3Auntriaged) repo and [security-dashboards](https://github.com/opensearch-project/security-dashboards-plugin/issues?q=is%3Aissue+is%3Aopen+-label%3Atriaged) repo are reviewed daily to check for critical issues which require immediate triaging. If an issue relates to a severe concern for OpenSearch operation, it will be triaged by a maintainer mid-week. You can still come to discuss an issue at the following meeting even if it has already been triaged during the week.
All new issues for the [security](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3Auntriaged) repo and [security-dashboards](https://github.com/opensearch-project/security-dashboards-plugin/issues?q=is%3Aissue+is%3Aopen+-label%3Atriaged) repo are reviewed daily to check for critical issues which require immediate triaging. If an issue relates to a severe concern for OpenSearch operation, it will be triaged by a maintainer mid-week. You can still come to discuss an issue at the following meeting even if it has already been triaged during the week.

### Is this where I should bring up potential security vulnerabilities?

Expand Down
Loading