[Feature Request] Security plugin integration for grpc-transport plugin #16905

Open
6 tasks
Tracked by #16787
finnegancarroll opened this issue Dec 23, 2024 · 3 comments · May be fixed by #17406
Labels: enhancement, Plugins, Roadmap:Cost/Performance/Scale, v3.0.0

Comments


finnegancarroll commented Dec 23, 2024

Is your feature request related to a problem? Please describe

Implement security features and integrate with the OpenSearch security plugin for production readiness of the experimental gRPC transport. It should be the case that security settings for the existing HTTP transport map cleanly onto the newly introduced grpc-transport, providing configurable TLS for this new transport implementation.

Describe the solution you'd like

Security Requirements

TLS/Certificate Management

  • Enable selection of an experimental-secure-transport-grpc aux transport type from the transport-grpc plugin.
  • Provide a distinct namespace for aux transport security settings within the security plugin.
    In keeping with previous transport settings: https://opensearch.org/docs/latest/security/configuration/tls/
    Aux transports should have keystore and truststore configurable under the plugins.security.ssl.aux prefix.
  • Allow users to enable experimental-secure-transport-grpc SSL only TLS.
  • Enable experimental-secure-transport-grpc handling of pemkey/keystore configurations from security plugin.
  • Enable experimental-secure-transport-grpc handling of pemtrust/truststore configurations from security plugin.

Reach goals:

  • Enable hot reloading of SSL context/engine for aux transports.
  • Enable separate client/server role configurations for aux transports which plan to make node-to-node requests.

Roadmap

Authentication/Authorization

*Authorization is not covered by this issue and will need to be handled in a follow-up when the API structure is known for this plugin.*

Related component

Plugins

Describe alternatives you've considered

Leaving the grpc-transport unsecured.

Additional context

No response

@krisfreedain
Member

Catch All Triage - 1, 2, 3

@getsaurabh02 getsaurabh02 added the Roadmap:Cost/Performance/Scale Project-wide roadmap label label Jan 30, 2025
@getsaurabh02 getsaurabh02 added the v3.0.0 Issues and PRs related to version 3.0.0 label Jan 30, 2025
@getsaurabh02 getsaurabh02 moved this from Now (This Quarter) to In Progress in Performance Roadmap Feb 3, 2025
@finnegancarroll finnegancarroll linked a pull request Feb 20, 2025 that will close this issue
3 tasks
@finnegancarroll finnegancarroll moved this from In Progress to In-Review in Performance Roadmap Mar 3, 2025
@finnegancarroll finnegancarroll moved this to In-Review in Performance Roadmap Mar 17, 2025
@aparajita31pandey

Hi @finnegancarroll is there any doc or a roadmap available around the implementation of authorization for the gRPC API?

@finnegancarroll
Contributor Author

Hi @aparajita31pandey, currently there is not. This issue only covers authentication of users and I have not dug into how that will translate to authorization and back end roles.
