-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add basic auth flow diagrams (#5301)
Signed-off-by: Peter Nied <[email protected]>
- Loading branch information
Showing
1 changed file
with
11 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
# Authentication Flow | ||
|
||
## Authentication from incoming requests | ||
|
||
As requests are received by an OpenSearch node they need to be authenticated. Different modes can be supported such as Http Basic, Http Bearer, Kerberos, etc... these types of authentication are provided by the request source. OpenSearch will translate these into an AuthenticationToken which can be feed into `Subject.login(token)` which will attempt to authenticate the user with the configured authentication providers. | ||
|
||
![Authentication Flow](https://user-images.githubusercontent.com/2754967/202580793-9aab17e0-9645-4216-bcee-efddc932940a.PNG) | ||
|
||
The subject is associated for the lifetime of the request on that node. If the request will be sent to other nodes within the cluster, the authentication information will be attached with a generated access token no matter the AuthenticationToken that was used to authenticate the user. By including expiry on these tokens the exposure of the subjects permissions are greatly limited. | ||
|
||
![AccessToken for inter-node communication](https://user-images.githubusercontent.com/2754967/202580773-9b0ab15f-834c-45dc-9faf-48e6b832f85e.PNG) |