opensearch-project · stephen-crawford · Jul 5, 2023 · Jul 5, 2023 · Jul 5, 2023 · Jul 6, 2023
@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Allow mmap to use new JDK-19 preview APIs in Apache Lucene 9.4+ ([#5151](https://github.com/opensearch-project/OpenSearch/pull/5151))
 - Add events correlation engine plugin ([#6854](https://github.com/opensearch-project/OpenSearch/issues/6854))
 - Add support for ignoring missing Javadoc on generated code using annotation ([#7604](https://github.com/opensearch-project/OpenSearch/pull/7604))
+- Introduce Service Accounts for Plugins ([#8526](https://github.com/opensearch-project/OpenSearch/pull/8526))
 - Add partial results support for concurrent segment search ([#8306](https://github.com/opensearch-project/OpenSearch/pull/8306))
 
 ### Dependencies

@@ -35,6 +35,7 @@ dependencies {
   testImplementation "org.mockito:mockito-core:${versions.mockito}"
   testImplementation project(path: ':client:rest-high-level')
   testImplementation 'junit:junit:4.13.2'
+	testImplementation project(path: ':server')
 }
 
 /*

@@ -8,15 +8,16 @@
 
 package org.opensearch.identity.shiro;
 
-import org.opensearch.identity.Subject;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.mgt.SecurityManager;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.identity.ServiceAccountManager;
+import org.opensearch.identity.Subject;
 import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.plugins.IdentityPlugin;
-import org.opensearch.common.settings.Settings;
 import org.opensearch.plugins.Plugin;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.mgt.SecurityManager;
 
 /**
  * Identity implementation with Shiro
@@ -28,6 +29,7 @@ public final class ShiroIdentityPlugin extends Plugin implements IdentityPlugin
 
     private final Settings settings;
     private final ShiroTokenManager authTokenHandler;
+    private final ShiroServiceAccountManager serviceAccountManager;
 
     /**
      * Create a new instance of the Shiro Identity Plugin
@@ -37,6 +39,7 @@ public final class ShiroIdentityPlugin extends Plugin implements IdentityPlugin
     public ShiroIdentityPlugin(final Settings settings) {
         this.settings = settings;
         authTokenHandler = new ShiroTokenManager();
+        serviceAccountManager = new ShiroServiceAccountManager();
 
         SecurityManager securityManager = new ShiroSecurityManager();
         SecurityUtils.setSecurityManager(securityManager);
@@ -61,4 +64,9 @@ public Subject getSubject() {
     public TokenManager getTokenManager() {
         return this.authTokenHandler;
     }
+
+    @Override
+    public ServiceAccountManager getServiceAccountManager() {
+        return this.serviceAccountManager;
+    }
 }
@@ -0,0 +1,74 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import java.security.Principal;
+import java.util.List;
+import java.util.Objects;
+import org.opensearch.Application;
+import org.opensearch.identity.ServiceAccount;
+
+/**
+ * This class defines a ServiceAccount in the context of the Shiro Identity Plugin.
+ *
+ * Here we can see the ShiroServiceAccount implement the ServiceAccount and be used to track permissions assigned to applications.
+ */
+public class ShiroServiceAccount implements ServiceAccount {
+
+    private final Application application;
+    private final Principal name;
+    private List<String> permissions = List.of(); // Fine-grained access controls not yet configured
+
+    /**
+     * Creates a principal for an application identity
+     * @param application The application to be associated with the service account
+     */
+    public ShiroServiceAccount(final Application application) {
+
+        this.application = application;
+        name = application.getPrincipal();
+    }
+
+    /**
+     * This method will not usually exist but is required until fine-grained access controls are implemented
+     *
+     * @param permissions The permissions to assign the service account
+     */
+    public void setPermissions(List<String> permissions) {
+        this.permissions = List.copyOf(permissions);
+    }
+
+    @Override
+    public String getName() {
+        return name.getName();
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (this == obj) return true;
+        if (obj == null || getClass() != obj.getClass()) return false;
+        final ServiceAccount that = (ServiceAccount) obj;
+        return Objects.equals(name, that.getName());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(name);
+    }
+
+    @Override
+    public String toString() {
+        return "ServiceAccount(" + "name=" + name + ")";
+    }
+
+    @Override
+    public List<String> getPermissions() {
+        return List.copyOf(permissions);
+    }
+}
@@ -0,0 +1,46 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.Application;
+import org.opensearch.identity.IdentityService;
+import org.opensearch.identity.ServiceAccount;
+import org.opensearch.identity.ServiceAccountManager;
+
+/**
+ * Oversees the assignment of ServiceAccounts when using the ShiroIdentityPlugin
+ *
+ * @opensearch.experimental
+ */
+class ShiroServiceAccountManager implements ServiceAccountManager {
+
+    private static final Logger log = LogManager.getLogger(IdentityService.class);
+
+    private static Map<Application, ServiceAccount> applicationServiceAccountMap = new HashMap<>();
+
+    public ShiroServiceAccountManager() {
+
+    }
+
+    @Override
+    public ServiceAccount getServiceAccount(Application app) {
+        if (applicationServiceAccountMap.get(app) == null) {
+            applicationServiceAccountMap.put(app, new ShiroServiceAccount(app));
+        }
+        return applicationServiceAccountMap.get(app);
+    }
+
+    public Map<Application, ServiceAccount> getApplicationServiceAccountMap() {
+        return applicationServiceAccountMap;
+    }
+}
@@ -0,0 +1,127 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import java.util.Arrays;
+import java.util.List;
+import org.junit.Before;
+import org.opensearch.cluster.ApplicationManager;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.env.Environment;
+import org.opensearch.env.TestEnvironment;
+import org.opensearch.identity.IdentityService;
+import org.opensearch.identity.ServiceAccount;
+import org.opensearch.index.IndexModule;
+import org.opensearch.plugins.IdentityPlugin;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.PluginsService;
+import org.opensearch.test.OpenSearchTestCase;
+
+public class ShiroServiceAccountTests extends OpenSearchTestCase {
+
+    private ShiroServiceAccountManager shiroServiceAccountManager;
+    private ApplicationManager applicationManager;
+    private PluginsService pluginsService;
+    private IdentityService identityService;
+    private IdentityPlugin identityPlugin;
+    private AdditionalSettingsPlugin1 additionalSettingsPlugin1;
+    private AdditionalSettingsPlugin2 additionalSettingsPlugin2;
+
+    Settings settings = Settings.builder()
+        .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir())
+        .put("my.setting", "test")
+        .put(IndexModule.INDEX_STORE_TYPE_SETTING.getKey(), IndexModule.Type.NIOFS.getSettingsKey())
+        .build();
+
+    @SuppressWarnings("unchecked")
+    static PluginsService newPluginsService(
+        Settings settings,
+        ApplicationManager applicationManager,
+        Class<? extends Plugin>... classpathPlugins
+    ) {
+        return new PluginsService(
+            settings,
+            applicationManager,
+            null,
+            null,
+            TestEnvironment.newEnvironment(settings).pluginsDir(),
+            Arrays.asList(classpathPlugins)
+        );
+    }
+
+    public static class AdditionalSettingsPlugin1 extends Plugin {
+        @Override
+        public Settings additionalSettings() {
+            return Settings.builder()
+                .put("foo.bar", "1")
+                .put(IndexModule.INDEX_STORE_TYPE_SETTING.getKey(), IndexModule.Type.MMAPFS.getSettingsKey())
+                .build();
+        }
+    }
+
+    public static class AdditionalSettingsPlugin2 extends Plugin {
+        @Override
+        public Settings additionalSettings() {
+            return Settings.builder().put("test.this", "2").build();
+        }
+    }
+
+    @Before
+    public void setup() {
+        identityPlugin = new ShiroIdentityPlugin(Settings.EMPTY);
+        List<IdentityPlugin> pluginList = List.of(identityPlugin);
+        applicationManager = new ApplicationManager();
+        identityService = new IdentityService(Settings.EMPTY, pluginList);
+        additionalSettingsPlugin1 = new AdditionalSettingsPlugin1();
+        additionalSettingsPlugin2 = new AdditionalSettingsPlugin2();
+        shiroServiceAccountManager = new ShiroServiceAccountManager();
+        applicationManager.register(shiroServiceAccountManager);
+    }
+
+    @SuppressWarnings("unchecked")
+    public void testRegisterSinglePlugin() {
+        pluginsService = newPluginsService(settings, applicationManager, additionalSettingsPlugin1.getClass());
+        ServiceAccount serviceAccount = shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(0).v1());
+        assertEquals(pluginsService.plugins.get(0).v1().getPrincipal().getName(), serviceAccount.getName());
+        assertEquals(shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(0).v1()), serviceAccount);
+    }
+
+    @SuppressWarnings("unchecked")
+    public void testRegisterMultiplePlugins() {
+        pluginsService = newPluginsService(
+            settings,
+            applicationManager,
+            additionalSettingsPlugin1.getClass(),
+            additionalSettingsPlugin2.getClass()
+        );
+        ServiceAccount serviceAccount1 = shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(0).v1());
+        ServiceAccount serviceAccount2 = shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(1).v1());
+        assertEquals(pluginsService.plugins.get(0).v1().getPrincipal().getName(), serviceAccount1.getName());
+        assertEquals(shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(0).v1()), serviceAccount1);
+        assertEquals(pluginsService.plugins.get(1).v1().getPrincipal().getName(), serviceAccount2.getName());
+        assertEquals(shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(1).v1()), serviceAccount2);
+    }
+
+    @SuppressWarnings("unchecked")
+    public void testRegisterMultiplePluginsWithSameName() {
+        pluginsService = newPluginsService(
+            settings,
+            applicationManager,
+            additionalSettingsPlugin1.getClass(),
+            additionalSettingsPlugin1.getClass()
+        );
+        ServiceAccount serviceAccount1a = shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(0).v1());
+        ServiceAccount serviceAccount1b = shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(1).v1());
+        assertEquals(pluginsService.plugins.get(0).v1().getPrincipal().getName(), serviceAccount1a.getName());
+        assertEquals(shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(0).v1()), serviceAccount1a);
+        assertEquals(pluginsService.plugins.get(1).v1().getPrincipal().getName(), serviceAccount1b.getName());
+        assertEquals(shiroServiceAccountManager.getServiceAccount(pluginsService.plugins.get(1).v1()), serviceAccount1b);
+        assertEquals(serviceAccount1a, serviceAccount1b); // Plugins are identified by their names so same name means same service account
+    }
+}
@@ -32,6 +32,9 @@
 
 package org.opensearch;
 
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Supplier;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.node.DiscoveryNodes;
 import org.opensearch.common.settings.ClusterSettings;
@@ -43,10 +46,6 @@
 import org.opensearch.rest.RestController;
 import org.opensearch.rest.RestHandler;
 
-import java.util.Collections;
-import java.util.List;
-import java.util.function.Supplier;
-
 public class DieWithDignityPlugin extends Plugin implements ActionPlugin {
 
     public DieWithDignityPlugin() {
@@ -65,5 +64,4 @@ public List<RestHandler> getRestHandlers(
     ) {
         return Collections.singletonList(new RestDieWithDignityAction());
     }
-
 }
@@ -0,0 +1,15 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch;
+
+import org.opensearch.identity.Subject;
+
+/**
+ * A service that transmits data to and/or from OpenSearch
+ *
+ * @opensearch.experimental
+ */
+public interface Application extends Subject {}