[Question] When does Authentication occur? How do we identify extensions? How do we perform the Authorization check? #2534
1. When does Authentication occur?
Authentication will happen at the REST layer via a wrapper implemented in SecurityRestFilter.java.
Users and their roles need to be registered with the Security plugin.
a. If authentication is successful, thread context is populated with user info and the request is then passed to original handler for handling.
b. If authentication fails, an exception is thrown and the request is aborted.
Once authn is successful, we authorize the user against the permissible route. If the user has permission to invoke an extension endpoint, the request is then sent to the extension via SendToExtensionAction, which then calls RestExecuteOnExtensionRequest. More details can be found in this Design Doc. A 403 is thrown otherwise.
2. How do we identify extensions?
There are two possible solutions:
1. Create a service account specific to each extension - #2594
2. Provide an API key specific to each extension - [Future scope]
When a request comes from an extension to core, it must be signed by the extension with its own identity (e.g. contain an API key or service account token). A request without a token will be deemed invalid. (A service account token must be authenticated.) This request will then be mapped against the intended route to identify the intended extension. Once we determine that the extension intended by the user and the extension sending the request to the core are the same, we can then proceed to validate the API key or service account token passed in the request. Once authenticated, as a next step we can authorize the extension.
3. How do we perform the Authorization check?
Authorization will be performed at the REST layer.
The following steps are only applicable to extensions that will interact with the data in core:
a. The user's permissions are checked against the requested action. If it fails, send the failure response (403).
b. If it succeeds, then the extension's permissions will be authorized against the requested action. If it fails, send the failure response (403).
c. Once both authorizations are successful, we can then populate threadContext with a header that states that this request for User X and Extension Y is authorized to perform this action.
We will need to implement a minimal version of PrivilegesEvaluator, as a start, to evaluate the permissions.
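The identification steps in section 2 and the two-stage check in section 3, as an added sketch that is not part of the original issue or the Security plugin's code. Every class, field, route, token and header format below is hypothetical or constructed, and the 401 for an invalid request is an assumption (the issue only fixes 403 for authorization failures).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

// Added sketch: all names and data are hypothetical, not the Security plugin's API.
public class ExtensionAuthzSketch {
    record Request(String user, String route, String sender, String token, String action) {}
    record Decision(int status, String header) {}

    // Constructed sample registrations (route owner, service account token, permissions).
    static final Map<String, String> ROUTE_OWNER = Map.of("/_extensions/_hello/greet", "hello-ext");
    static final Map<String, String> TOKENS = Map.of("hello-ext", "constructed-token");
    static final Map<String, Set<String>> USER_PERMS = Map.of("alice", Set.of("indices:data/read/search"));
    static final Map<String, Set<String>> EXT_PERMS = Map.of("hello-ext", Set.of("indices:data/read/search"));

    static boolean allowed(Map<String, Set<String>> perms, String principal, String action) {
        return perms.getOrDefault(principal, Set.of()).contains(action);
    }

    static Decision authorize(Request r) {
        // Immutable maps reject null keys, so any missing field makes the request invalid.
        if (r.user() == null || r.route() == null || r.sender() == null
                || r.token() == null || r.action() == null) {
            return new Decision(401, null); // 401 is this sketch's assumption for "invalid"
        }
        // Identify: the extension that owns the route must be the extension that sent the request.
        String intended = ROUTE_OWNER.get(r.route());
        if (intended == null || !intended.equals(r.sender())) return new Decision(401, null);
        // Authenticate the extension's token with a constant-time comparison.
        String stored = TOKENS.get(intended);
        if (stored == null || !MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                r.token().getBytes(StandardCharsets.UTF_8))) {
            return new Decision(401, null);
        }
        // Authorize the user first, then the extension; either failure is a 403.
        if (!allowed(USER_PERMS, r.user(), r.action())) return new Decision(403, null);
        if (!allowed(EXT_PERMS, intended, r.action())) return new Decision(403, null);
        // Value a real filter would place in the thread context as the authorization header.
        return new Decision(200, "user=" + r.user() + ";extension=" + intended + ";action=" + r.action());
    }

    public static void main(String[] args) {
        String route = "/_extensions/_hello/greet";
        String read = "indices:data/read/search";
        System.out.println(authorize(new Request("alice", route, "hello-ext", "constructed-token", read)));
        System.out.println(authorize(new Request("alice", route, "other-ext", "constructed-token", read)));
        System.out.println(authorize(new Request("alice", route, "hello-ext", "constructed-token", "indices:data/write/index")));
    }
}
```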