[BUG] Failures with Java security.policy when using repository-azure plugin managed identity #15020
Comments
@c3-davidtran repository-azure is an OpenSearch plugin which has its own plugin-security.policy file. This would be the place to add an entry to grant permission to read the file for the plugin. Would it be possible to test an added entry to that file? After modifying the
@cwperks none of the OpenSearch plugins have access to the file system outside
@c3-davidtran this is clearly an issue that was missed, the way we solved it for the S3 plugin [1] is by:
We would need a similar approach for Azure.
@reta Can you expand upon your thoughts on solving it through a setting? @chengwushi-netapp Did you not hit this issue while implementing #12559? We are using Kubernetes and the opensearch-operator. I suppose we can do the symlink in a custom Dockerfile for OpenSearch 🤔
Absolutely, thanks @cthtrifork . The idea is to introduce the setting like this:
The lookup in default location (
The plugin should be able to read the
Hello @cthtrifork, thank you for the question. When I was working on the implementation, I did not encounter the issue you're referring to. This is because the scope of the original ticket, #12423, did not include Workload Identity. As such, I didn't delve into the workings of Workload Identity and might have overlooked that it could be set up with Managed Identity. Consequently, I never tested the setup of Workload Identity with the Managed Identity implemented in #12559.
@chengwushi-netapp Thank you for clarifying. The landscape in Azure for managed identities is quite confusing, as it has had many names and paradigms! Now I understand why you have not had the issue. So are there any other approaches than creating a custom Dockerfile with a It almost seems like updating https://github.com/opensearch-project/OpenSearch/blob/main/plugins/repository-azure/src/main/plugin-metadata/plugin-security.policy is a better approach. What are people's thoughts? @chengwushi-netapp @reta
Thanks @cthtrifork, patching the security policy is not recommended (it opens up yet another can of worms), a soft link is the safest option I believe and is aligned with other plugins that support managed identity.
Describe the bug
I've noticed 2 bugs related to the Java security.policy:
Managed Identity authentication:
Since OpenSearch 2.15, we are now able to authenticate with Azure Managed Identity when using the repository-azure plugin.
As recommended by Azure, the privileged approach is to use workload identity with a federated Identity.
https://azure.github.io/azure-workload-identity/docs/introduction.html
This will generate a federated token when the pod starts, allowing authentication.
The token is located at path: /var/run/secrets/azure/tokens/azure-identity-token
So when enabling authentication using Managed Identity, the plugin fails because it cannot read this file.
To solve it, we need to add a read permission in the Java security.policy.
e.g.
Related component
Plugins
To Reproduce
Deploy the Azure workload identity controller
Deploy an OpenSearch cluster:
Expected behavior
The pod's Java process reads /var/run/secrets/azure/tokens/azure-identity-token
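As an added example (not code from this issue or from the OpenSearch project), the following Python checker mirrors java.io.FilePermission path matching and reports whether a plugin-security.policy grant covers the token path named above; the sample policy text, including its grant entry for the token file, is constructed for this example and is not the plugin's real file.

```python
import re

# Constructed sample policy for this example (not the plugin's real file); the
# FilePermission line is the narrowly scoped grant the issue discusses.
SAMPLE_POLICY = """
grant {
  // read the workload identity token file (constructed example entry)
  permission java.io.FilePermission "/var/run/secrets/azure/tokens/azure-identity-token", "read";
  permission java.net.SocketPermission "*", "connect,resolve";
};
"""

# Matches:  permission java.io.FilePermission "<path>", "<actions>";
_FILE_PERM_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')


def parse_file_permissions(policy_text):
    """Return (path, set_of_actions) for each FilePermission grant.
    Property expansion such as ${opensearch.path.conf} is not handled."""
    grants = []
    for m in _FILE_PERM_RE.finditer(policy_text):
        grants.append((m.group(1), {a.strip() for a in m.group(2).split(",")}))
    return grants


def path_implies(granted, requested):
    """Mirror java.io.FilePermission path matching: "<<ALL FILES>>" covers
    everything, "dir/*" files directly in dir, "dir/-" everything below dir
    (not dir itself); anything else must match exactly. This is string
    matching on the path as opened, with no symlink resolution."""
    if granted == "<<ALL FILES>>":
        return True
    if granted.endswith("/-"):
        prefix = granted[:-1]
        return requested.startswith(prefix) and len(requested) > len(prefix)
    if granted.endswith("/*"):
        prefix = granted[:-1]
        rest = requested[len(prefix):]
        return requested.startswith(prefix) and rest != "" and "/" not in rest
    return granted == requested


def policy_allows(policy_text, path, action="read"):
    """True if at least one FilePermission grant implies (path, action)."""
    return any(path_implies(granted, path) and action in actions
               for granted, actions in parse_file_permissions(policy_text))
```

Because the match is on the path string the plugin opens, a soft link placed under a directory the plugin is already granted (the approach the comments recommend) passes the check without widening the policy, whereas the exact-path grant shown in the sample is the least-privilege form of a policy edit.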