From 21b82c243bfd7d76c76090a69c6712a35c1ebb42 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 6 Dec 2022 15:01:07 -0600 Subject: [PATCH] Add basic auth flow diagrams (#5301) Signed-off-by: Peter Nied --- sandbox/libs/authn/docs/auth_flow.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 sandbox/libs/authn/docs/auth_flow.md diff --git a/sandbox/libs/authn/docs/auth_flow.md b/sandbox/libs/authn/docs/auth_flow.md new file mode 100644 index 0000000000000..1bd4b6213c043 --- /dev/null +++ b/sandbox/libs/authn/docs/auth_flow.md @@ -0,0 +1,11 @@ +# Authentication Flow + +## Authentication from incoming requests + +As requests are received by an OpenSearch node they need to be authenticated. Different modes can be supported such as Http Basic, Http Bearer, Kerberos, etc... these types of authentication are provided by the request source. OpenSearch will translate these into an AuthenticationToken which can be feed into `Subject.login(token)` which will attempt to authenticate the user with the configured authentication providers. + +![Authentication Flow](https://user-images.githubusercontent.com/2754967/202580793-9aab17e0-9645-4216-bcee-efddc932940a.PNG) + +The subject is associated for the lifetime of the request on that node. If the request will be sent to other nodes within the cluster, the authentication information will be attached with a generated access token no matter the AuthenticationToken that was used to authenticate the user. By including expiry on these tokens the exposure of the subjects permissions are greatly limited. + +![AccessToken for inter-node communication](https://user-images.githubusercontent.com/2754967/202580773-9b0ab15f-834c-45dc-9faf-48e6b832f85e.PNG)
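Review bot: The inter-node paragraph says the generated access token carries an expiry that limits exposure of the subject's permissions, but it does not say how a receiving node verifies that token (what key or secret it is signed or encrypted with, and how that material is distributed across the cluster) or what the token lifetime is; without that, a reader cannot tell whether a forged or replayed token would be rejected, so one or two sentences on validation and lifetime would make the threat model of this diagram clear. Two wording fixes in the same hunk: "can be feed into `Subject.login(token)`" should read "can be fed into `Subject.login(token)`", and "the exposure of the subjects permissions are greatly limited" should read "the exposure of the subject's permissions is greatly limited". Finally, both images are linked from user-images.githubusercontent.com rather than committed alongside the markdown under sandbox/libs/authn/docs/; external attachment URLs are not guaranteed to persist, so checking the PNGs into the repo would keep the flow diagrams with the documentation.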