Remove identity-related feature flagged code from the RestController #15430
Conversation
Signed-off-by: Craig Perkins <[email protected]>
cwperks
requested review from
peternied,
anasalkouz,
andrross,
ashking94,
Bukhtawar,
CEHENKLE,
dblock,
dbwiddis,
gbbafna,
jainankitk,
kotwanikunal,
linuxpi,
mch2,
msfroh,
nknize,
owaiskazi19,
reta,
Rishikesh1159,
sachinpkale,
saratvemulapalli,
shwetathareja,
sohami and
VachaShah
as code owners
|
❌ Gradle check result for e6b82ba: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Craig Perkins <[email protected]>
|
❌ Gradle check result for bc610a2: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Craig Perkins <[email protected]>
|
❕ Gradle check result for 1abfe97: UNSTABLE
Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure. |
reta
added
backport 2.x
plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java
Outdated
Show resolved
Hide resolved
plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/RestTokenExtractor.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
|
❌ Gradle check result for 34bc922: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 34bc922: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 34bc922: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for c2d9a3a: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for c2d9a3a: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-15430-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 1bc81d3eee07e96b6c6393510b41d194276e204c
# Push it to GitHub
git push --set-upstream origin backport/backport-15430-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.xThen, create a pull request where the |
|
@cwperks could you please backport to 2.x manually? thank you! |
…pensearch-project#15430) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <[email protected]> * Handle null Signed-off-by: Craig Perkins <[email protected]> * Fix tests Signed-off-by: Craig Perkins <[email protected]> * Fix ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <[email protected]> * Address forbiddenApi Signed-off-by: Craig Perkins <[email protected]> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <[email protected]> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <[email protected]> * Remove change in IdentityService Signed-off-by: Craig Perkins <[email protected]> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <[email protected]> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <[email protected]> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <[email protected]> * Address code review comments Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit 1bc81d3)
…15430) (#16004) * Add authenticate to IdentityPlugin interface Signed-off-by: Craig Perkins <[email protected]> * Handle null Signed-off-by: Craig Perkins <[email protected]> * Fix tests Signed-off-by: Craig Perkins <[email protected]> * Fix ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Add DelegatingRestHandlerTests Signed-off-by: Craig Perkins <[email protected]> * Address forbiddenApi Signed-off-by: Craig Perkins <[email protected]> * Remove authenticate from IdentityPlugin and keep RestController feature flagged code removed Signed-off-by: Craig Perkins <[email protected]> * Move RestTokenExtractor to identity-shiro plugin Signed-off-by: Craig Perkins <[email protected]> * Remove change in IdentityService Signed-off-by: Craig Perkins <[email protected]> * Remove changes in ActionModuleTests Signed-off-by: Craig Perkins <[email protected]> * Add tests for RestTokenExtractor Signed-off-by: Craig Perkins <[email protected]> * Remove DelegatingRestHandler Signed-off-by: Craig Perkins <[email protected]> * Call super instead of keeping a reference to the delegated restHandler Signed-off-by: Craig Perkins <[email protected]> * Address code review comments Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit 1bc81d3) Signed-off-by: Craig Perkins <[email protected]>
Description
This PR is a follow-up to #14630. This PR removes code in the RestController that was behind the
opensearch.experimental.feature.identity.enabledfeature flag.The problem with the current code behind the feature flag is that it uses the RestTokenExtractor which assumes that authinfo is provided on the AUTHORIZATION header and is not directly usable by the security plugin in the current state. This PR removes the code to leave it up to the Identity plugin how to provide the subject information. For instance, this PR updates the identity-shiro plugin to utilize ActionPlugin.getRestHandlerWrapper to authenticate a web request and hydrate information about the current subject. The RestTokenExtractor has been moved into the identity-shiro plugin which only supports basic auth with the AUTHORIZATION header in its current state.
I'm opening this PR as a step towards removing the Identity feature flag (but keeping the interface marked as experimental).
I am planning to ask plugin maintainers to remove usages of ThreadContext.stashContext after the experimental feature flag for identity is removed.
Related Issues
Related to opensearch-project/security#4439
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.