Add runAs to Subject interface and introduce IdentityAwarePlugin extension point #14630
Merged: reta merged 87 commits into opensearch-project:main from cwperks:plugin-aware-thread-context on Aug 28, 2024
❌ Gradle check result for 444fde7: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
cwperks requested review from anasalkouz, andrross, ashking94, Bukhtawar, CEHENKLE, dblock, dbwiddis, gbbafna, kotwanikunal, mch2, msfroh, nknize, owaiskazi19, reta, Rishikesh1159, sachinpkale, saratvemulapalli, shwetathareja and sohami as code owners July 9, 2024 20:54
akolarkunnu pushed a commit to akolarkunnu/OpenSearch that referenced this pull request Sep 10, 2024

…nsion point (opensearch-project#14630)

* Create ExecutionContext and show example with ActionPluginProxy Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Only allow core to set the ExecutionContext Signed-off-by: Craig Perkins <cwperx@amazon.com>
* WIP on plugin aware thread context Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Plugin Aware API Handling Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add test to verify that ExecutionContext is being populated during RestHandling Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Clear context in a finally block Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Create switchContext method in ThreadContext and make pluginExecutionStack a stack Signed-off-by: Craig Perkins <cwperx@amazon.com>
* WIP on plugin aware stash context Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Create class called PluginAwareNodeClient that provides a method called switchContext Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove ExecutionContext class Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Update javadoc Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Change createComponents to take in PluginAwareNodeClient Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Update all instances of createComponents Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Initialize clients Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove casting Signed-off-by: Craig Perkins <cwperx@amazon.com>
* WIP on notion of ContextSwitcher Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Make stashContext package-private Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Make markAsSystemContext package-private Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add javadoc on param Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove SystemContextSwitcher Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Merge with main Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Cleanup Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove SystemIndexFilter Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add notion of Forbidden Headers to the ThreadContext Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Fix tests Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Fix test Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add method to initialize plugins Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Create concept of pluginNodeClient that can be used for executing transport actions as the plugin Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add test Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add another test for setPluginNodeClient Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove newline Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add another test Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Subject.runAs and introduce PluginSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Do nothing when runAs is called for ShiroSubject and NoopSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove extraneous changes Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Test all methods in PluginSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Pass a Callable to runAs Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Update import Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Simplify PR, make NoopPluginSubject and introduce IdentityAwarePlugin Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add final Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove server dependency Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove AbstractSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove unnecessary changes Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add javadoc to NoopPluginSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Rename to assignSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add experimental label Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add getPluginSubject(plugin) to IdentityPlugin Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Make runAs generic Signed-off-by: Craig Perkins <cwperx@amazon.com>
* package-private constructor Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Move IdentityAwarePlugin initialization Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Create separate PluginSubject interface Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove authenticate method Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Remove import Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Separate UserSubject and PluginSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Terminate TestThreadPool Signed-off-by: Craig Perkins <cwperx@amazon.com>
* mock ThreadPool in RestSendToExtensionActionTests Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Fix Thread leak Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add to CHANGELOG Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Rename to getCurrentSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add type check Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Rename to pluginSubject Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Add runAs to ActionRequest and surround doExecute in AbstractClient Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Return this Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Switch back to void Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Revert change to ActionRequest Signed-off-by: Craig Perkins <cwperx@amazon.com>

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
dk2k pushed a commit to dk2k/OpenSearch that referenced this pull request Oct 16, 2024
dk2k pushed a commit to dk2k/OpenSearch that referenced this pull request Oct 17, 2024
dk2k pushed a commit to dk2k/OpenSearch that referenced this pull request Oct 21, 2024
Labels
- backport 2.x: Backport to 2.x branch
- enhancement: Enhancement or improvement to existing feature or request
- v2.17.0
- v3.0.0: Issues and PRs related to version 3.0.0
Description
Companion Security PR: opensearch-project/security#4665
This PR adds a new method to the Subject interface called runAs and introduces a new extension point called IdentityAwarePlugin. This new method can be utilized to run a callable block of code in the context of the subject.

This PR also introduces the notion of an IdentityAwarePlugin which contains a single method to initialize the plugin. The IdentityPlugin will get to define which subject is passed to IdentityAwarePlugins on initialization. Practically, the Security Plugin is the IdentityPlugin and the subject passed to IdentityAwarePlugins is a special pluginSystemSubject which can be utilized to perform transport actions in the plugin system context and outside of the authenticated user context.

Subject.runAs() is intended to be an abstraction over and replacement for the current pattern of system index interaction in which plugins will utilize the ThreadContext class and stash the context before performing transport actions on system indices.

With the changes in this PR, the NoopIdentityPlugin will assign a NoopPluginSubject to IdentityAwarePlugins. When using NoopPluginSubject.runAs(() -> { ... }) it runs the Callable within a block where the ThreadContext is stashed, which is the same behavior plugins use today, so it's a direct replacement for try (ThreadContext.StoredContext ctx = threadContext.stashContext()) { ... }.

By itself, this PR is not very interesting, but with the changes in this PR it enables the Security plugin (the IdentityPlugin) to define an implementation for PluginSubject. If you look at the companion PR, the Security implementation of PluginSubject injects a pluginUser into the ThreadContext so that we can start using the existing security authz mechanisms to gate what plugins can do within the runAs block.
Related Issues
Related to: opensearch-project/security#4439
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
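
The stash-and-restore contract that the description attributes to NoopPluginSubject.runAs, as an added example that is not code from this PR or from OpenSearch. MiniThreadContext, StoredContext, PluginSubject and NoopStyleSubject are hypothetical stand-ins defined here, and the "user" header and its value are constructed; the point shown is that the caller's context is hidden inside the runAs block and restored afterwards, including when the Callable throws.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;

/** Stand-in model of the runAs pattern; none of these types are OpenSearch classes. */
public class RunAsSketch {

    /** Handle whose close() restores the context that was active before the stash. */
    interface StoredContext extends AutoCloseable {
        @Override
        void close(); // narrowed: restoring never throws a checked exception
    }

    /** Simplified per-thread request context (hypothetical stand-in). */
    static final class MiniThreadContext {
        private final ThreadLocal<Map<String, String>> headers =
            ThreadLocal.withInitial(HashMap::new);

        void putHeader(String key, String value) {
            headers.get().put(key, value);
        }

        String getHeader(String key) {
            return headers.get().get(key);
        }

        /** Swap in an empty context and return a handle that puts the old one back. */
        StoredContext stashContext() {
            Map<String, String> saved = headers.get();
            headers.set(new HashMap<>());
            return () -> headers.set(saved);
        }
    }

    /** Shape of the generic, Callable-based method described in the PR text. */
    interface PluginSubject {
        <T> T runAs(Callable<T> callable) throws Exception;
    }

    /** Behaves as the description says the no-op subject does: stash, call, restore. */
    static final class NoopStyleSubject implements PluginSubject {
        private final MiniThreadContext ctx;

        NoopStyleSubject(MiniThreadContext ctx) {
            this.ctx = ctx;
        }

        @Override
        public <T> T runAs(Callable<T> callable) throws Exception {
            // try-with-resources restores the caller's context on return and on throw
            try (StoredContext ignored = ctx.stashContext()) {
                return callable.call();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        MiniThreadContext ctx = new MiniThreadContext();
        ctx.putHeader("user", "alice"); // constructed sample: the authenticated caller

        PluginSubject subject = new NoopStyleSubject(ctx);

        // Inside the block the caller's header is not visible to the plugin code.
        String seenInside = subject.runAs(() -> String.valueOf(ctx.getHeader("user")));
        System.out.println("inside runAs:  user=" + seenInside);
        System.out.println("after runAs:   user=" + ctx.getHeader("user"));

        // A failing Callable must not leave the stashed (empty) context in place.
        try {
            subject.<String>runAs(() -> {
                throw new IllegalStateException("constructed failure");
            });
        } catch (IllegalStateException e) {
            System.out.println("after failure: user=" + ctx.getHeader("user"));
        }
    }
}
```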