From bde639f6c7cb4b5ea3e110c03591bb940d81d27a Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Fri, 24 Jun 2022 00:24:46 +0000 Subject: [PATCH 01/10] Document security scope for extensions While working on extensions there are many considerations for security, this document captures what those areas are as a way to discuss design approaches and codify the current state of affairs. Signed-off-by: Peter Nied --- SECURITY.md | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..a6136554 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,57 @@ +# Extensions Security Guidelines + +OpenSearch's support for extensions allows for taking already powerful use cases and expanding on them, this creates a larger surface area for misuse, vunerabilities, and malicious interactions. This document outlines several areas for enhancements, features, and practices to incorperate into extensions for OpenSearch + +To keep concepts consistant, this document is using terminology from [NIST Glossary](https://csrc.nist.gov/glossary). + +Additional terms: +* **Plugin** - reference to the existing functionality to extend OpenSearch functionality. +* **Extension** - reference to the in development functionality to extend OpenSearch. + +## Host security + +The Java Security Manager is the mechanism for ensuring plugins are limited in what they can do to the host operation system resources (cpu/disk/memory/network/...). As there are limitations and its deprecated with removal scheduled in the next release of the JVM. + +The current extensions design they operate via Rest APIs, by isolating extensions from using host they are prevented from executing operation system calls directly on hosts of the cluster. + +## Communications security (COMSEC) + +Data is transferred from the OpenSearch cluster to the extensions. This is done via https requests between the nodes on the cluster and the extensions endpoint(s). + +Extensions should never directly communicate with other extensions, cross extensions work should always be proxied through OpenSearch. + +## Data Security + +OpenSearch stores data in its memory and local file system storage, the security plugin provides mechanisms to control data access within OpenSearch. Extensions have independent data storage. + +Plugins store data inside of the OpenSearch cluster itself such as in system/hidden indices. + +## Access Control + +OpenSearch offers access control through the security plugin, with checks action names and filters. 
Actions registered within OpenSearch that are not permitted never reach the handler for a plugin or extension execution. + +Resource level access control is governed by the extension, when requests are processed the [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from common-utils is checked for matching backendroles/roles. Access control checks are managed wholy in the plugin. Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). + +Available permissions and roles are defined in the security plugin, every extension needs to update the security plugin to provide these values, eg. [roles.xml](https://github.com/opensearch-project/security/blob/main/config/roles.yml). + +## Auditing + +With the security plugin installed, when actions are performed on the OpenSearch cluster they are recorded if filtering criteria are meet to configurable audit log sinks. + +## Installation + +Plugin installation is managed by using a binary on the node that extract plugin.zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime. + +## Versioning + +OpenSearch systems have ways to deprecate unsupported patterns, feature, and APIs. + +## Configuration + +Configuration of OpenSearch is split between on disk yml files and various in OpenSearch systems such as cluster settings. + +Plugins configuration is loaded and checked at service startup time for correctness. If there is an error OpenSearch can fail to start. + +## Reliability + +OpenSearch plugins can create node instability if incorrectly configured, or there are code defects. \ No newline at end of file From 403c53f88d8627fec36cdf4f8b0d14f6fafec7d1 Mon Sep 17 00:00:00 2001 
From: Peter Nied Date: Thu, 30 Jun 2022 17:24:07 +0000 Subject: [PATCH 02/10] Initial workwork from comments Signed-off-by: Peter Nied --- SECURITY.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a6136554..07c58490 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,9 @@ # Extensions Security Guidelines -OpenSearch's support for extensions allows for taking already powerful use cases and expanding on them, this creates a larger surface area for misuse, vunerabilities, and malicious interactions. This document outlines several areas for enhancements, features, and practices to incorperate into extensions for OpenSearch +OpenSearch's support for extensions allows for taking already powerful use cases and expanding on them. With this increased functionality comes a larger surface area for misuse, vunerabilities, and malicious interactions. + +By capturing the current state of OpenSearch ecocsystem and the plans for extensions this document outlines several areas for enhancements, features, and practices to incorperate into extensions for OpenSearch. + To keep concepts consistant, this document is using terminology from [NIST Glossary](https://csrc.nist.gov/glossary). 
@@ -10,15 +13,15 @@ Additional terms: ## Host security -The Java Security Manager is the mechanism for ensuring plugins are limited in what they can do to the host operation system resources (cpu/disk/memory/network/...). As there are limitations and its deprecated with removal scheduled in the next release of the JVM. +Plugins depend on use of the Java Security Manager is use to limit interactions on the host operation system resources (cpu/disk/memory/network/...). JSM has been deprecated, with its removal scheduled in the next release of the JVM, see [OpenSearch discussion](https://github.com/opensearch-project/OpenSearch/issues/1687). Additional measures are needed to protect system resources. -The current extensions design they operate via Rest APIs, by isolating extensions from using host they are prevented from executing operation system calls directly on hosts of the cluster. +Extensions are sandboxed from the host system by operating via REST APIs. This security boundary isolates extensions from executing operation system calls directly on OpenSearch hosts. ## Communications security (COMSEC) -Data is transferred from the OpenSearch cluster to the extensions. This is done via https requests between the nodes on the cluster and the extensions endpoint(s). +Plugins are loaded into the same java virtual machine instance allowing communicate to OpenSearch through in process java APIs. Plugins can issue REST API requests to the OpenSearch hosts reusing the standard node-to-node communications, internally called the transport client. -Extensions should never directly communicate with other extensions, cross extensions work should always be proxied through OpenSearch. +Extensions of OpenSearch communicate via https requests between the nodes on the cluster and the extensions endpoint(s). This is a bi-direction communication also allows extensions to contact the OpenSearch cluster through its avaliable REST APIs. ## Data Security 
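Review bot: In the Communications security section of this hunk, the removed line "Extensions should never directly communicate with other extensions, cross extensions work should always be proxied through OpenSearch." has no replacement, so the document no longer says whether extension-to-extension traffic is allowed. If the rule still holds, keep it as a third paragraph; if it was dropped on purpose, say so in the commit message. The new extensions paragraph names https as the transport in both directions but not how either end authenticates the other, and a sentence recording whether that is defined yet would help. Wording in the same hunk: "is use to limit" and "allowing communicate to OpenSearch" each need a fix, and "operation system" should be "operating system".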
From 39df54519059b4fcc2199a1f5317bf3b82536684 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Thu, 30 Jun 2022 17:45:20 +0000 Subject: [PATCH 03/10] Data security refinement Signed-off-by: Peter Nied --- SECURITY.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 07c58490..d1a46d3f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -25,17 +25,17 @@ Extensions of OpenSearch communicate via https requests between the nodes on the ## Data Security -OpenSearch stores data in its memory and local file system storage, the security plugin provides mechanisms to control data access within OpenSearch. Extensions have independent data storage. +OpenSearch stores data in memory and local file system storage. This data is stored unencrypted. -Plugins store data inside of the OpenSearch cluster itself such as in system/hidden indices. +Plugins can use the existing data systems of the OpenSearch. Several classes of plugins extend storage options out to external services. -## Access Control +### Access Control -OpenSearch offers access control through the security plugin, with checks action names and filters. Actions registered within OpenSearch that are not permitted never reach the handler for a plugin or extension execution. +With the security plugin installed, role based access control (RBAC) is available with a proprietary policy document format. Access control over native OpenSearch data is possible with this plugin installed. -Resource level access control is governed by the extension, when requests are processed the [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from common-utils is checked for matching backendroles/roles. Access control checks are managed wholy in the plugin. Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). +For resource that are managed by plugins, access control is governed within individual plugin, by examining [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from OpenSearch's thread context permissions are avaliable for approval/denial. 
Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). Uniform resource controls and models are needed to protect from misconfiguration and code defects. -Available permissions and roles are defined in the security plugin, every extension needs to update the security plugin to provide these values, eg. [roles.xml](https://github.com/opensearch-project/security/blob/main/config/roles.yml). +As Extensions do not have access OpenSearch's thread context, identity and its associated prileveages must be communicated through the REST APIs. ## Auditing From 5291308ce375ebacd5f66aaea37ef13d7a5099f5 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Thu, 30 Jun 2022 21:37:46 +0000 Subject: [PATCH 04/10] Create document phases to help guide usage and describe whatt critieria should be used to approve pull requesst changes Signed-off-by: Peter Nied --- SECURITY.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index d1a46d3f..1c006848 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,13 +4,24 @@ OpenSearch's support for extensions allows for taking already powerful use cases By capturing the current state of OpenSearch ecocsystem and the plans for extensions this document outlines several areas for enhancements, features, and practices to incorperate into extensions for OpenSearch. +## Document Phases +These guidlines and this document are meant to evolve. Some area might be complete adhead of others. Some areas or items might be marked as invalid/removed using markdown's strike-through. +1. [X] Agreement of areas and 'as-is' state of OpenSearch Plugins and Extensions. **<-- Doc is here** +2. [ ] All area have recommendations and areas of investigation are filed as issues and linked back on this document. +3. [ ] All investigation conclusions are captured and linked in this document, effectively define the scope of work for these areas. Implementation of work is can be completed or outstanding. +4. [ ] All planned work has been completed, issues around this work can be completed or outstanding. +5. [ ] Document complete, future work and issue will be captured out of band instead of as updates this document. + +## Terms To keep concepts consistant, this document is using terminology from [NIST Glossary](https://csrc.nist.gov/glossary). Additional terms: * **Plugin** - reference to the existing functionality to extend OpenSearch functionality. * **Extension** - reference to the in development functionality to extend OpenSearch. +# Areas + ## Host security Plugins depend on use of the Java Security Manager is use to limit interactions on the host operation system resources (cpu/disk/memory/network/...). JSM has been deprecated, with its removal scheduled in the next release of the JVM, see [OpenSearch discussion](https://github.com/opensearch-project/OpenSearch/issues/1687). Additional measures are needed to protect system resources. From c78e92b289303d87e8d02e77400122d1e9f752b7 Mon Sep 17 00:00:00 2001 
From: Peter Nied Date: Thu, 30 Jun 2022 22:01:26 +0000 Subject: [PATCH 05/10] Address all other outstanding feedback Signed-off-by: Peter Nied --- SECURITY.md | 18 +++++++++++++----- tatus | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 5 deletions(-) create mode 100644 tatus diff --git a/SECURITY.md b/SECURITY.md index 1c006848..5eb8c581 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -54,18 +54,26 @@ With the security plugin installed, when actions are performed on the OpenSearch ## Installation -Plugin installation is managed by using a binary on the node that extract plugin.zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime. +Plugin installation is managed by using a binary on the node that extract plugin zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime. + +Extensions installation is managed through on disk configuration. ## Versioning -OpenSearch systems have ways to deprecate unsupported patterns, feature, and APIs. +OpenSearch has a version number following [semver](https://semver.org/). + +Plugins for OpenSearch must match their version exactly the version of OpenSearch. Older version numbers are not compatiable. + +Extensions version information is not tied to OpenSearch's version. ## Configuration -Configuration of OpenSearch is split between on disk yml files and various in OpenSearch systems such as cluster settings. +Configuration of OpenSearch uses on disk yml configuration files. Other settings are manage in-memory through settings that are modifiable at runtime through APIs or indirectly. + +Plugins configuration is managed through the same systems as OpenSearch. -Plugins configuration is loaded and checked at service startup time for correctness. If there is an error OpenSearch can fail to start. +Extensions configuration setup is tied to OpenSearch settings, extensions configuration are managed independantly of OpenSearch. ## Reliability -OpenSearch plugins can create node instability if incorrectly configured, or there are code defects. \ No newline at end of file +OpenSearch plugins can create cluster or node instability if incorrectly configured or by software defects. \ No newline at end of file 
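Review bot: In the Configuration section at the end of this hunk, the added sentence "Extensions configuration setup is tied to OpenSearch settings, extensions configuration are managed independantly of OpenSearch." says the configuration is both tied to OpenSearch and independent of it. Please split it into two sentences that state which part lives in OpenSearch settings and which part the extension owns. The same section deletes "Plugins configuration is loaded and checked at service startup time for correctness. If there is an error OpenSearch can fail to start."; that as-is behaviour bears on the Reliability section and is worth keeping unless it was inaccurate. In Versioning, "must match their version exactly the version of OpenSearch" is missing a word.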
diff --git a/tatus b/tatus new file mode 100644 index 00000000..d987f5ef --- /dev/null +++ b/tatus 
@@ -0,0 +1,38 @@ +diff --git a/SECURITY.md b/SECURITY.md +index 1c00684..5eb8c58 100644 +--- a/SECURITY.md ++++ b/SECURITY.md +@@ -54,18 +54,26 @@ With the security plugin installed, when actions are performed on the OpenSearch +  + ## Installation +  +-Plugin installation is managed by using a binary on the node that extract plugin.zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime. ++Plugin installation is managed by using a binary on the node that extract plugin zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime. ++ ++Extensions installation is managed through on disk configuration.  +  + ## Versioning +  +-OpenSearch systems have ways to deprecate unsupported patterns, feature, and APIs. ++OpenSearch has a version number following [semver](https://semver.org/). ++ ++Plugins for OpenSearch must match their version exactly the version of OpenSearch. Older version numbers are not compatiable. ++ ++Extensions version information is not tied to OpenSearch's version. +  + ## Configuration +  +-Configuration of OpenSearch is split between on disk yml files and various in OpenSearch systems such as cluster settings. ++Configuration of OpenSearch uses on disk yml configuration files. Other settings are manage in-memory through settings that are modifiable at runtime through APIs or indirectly. ++ ++Plugins configuration is managed through the same systems as OpenSearch. +  +-Plugins configuration is loaded and checked at service startup time for correctness. If there is an error OpenSearch can fail to start. ++Extensions configuration setup is tied to OpenSearch settings, extensions configuration are managed independantly of OpenSearch. 
+  + ## Reliability +  +-OpenSearch plugins can create node instability if incorrectly configured, or there are code defects. +\ No newline at end of file ++OpenSearch plugins can create cluster or node instability if incorrectly configured or by software defects. +\ No newline at end of file From 06c972eccef201ac15e9d7dc905d4e7690e890bd Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Thu, 30 Jun 2022 22:09:15 +0000 Subject: [PATCH 06/10] Spelling / Grammer pass Signed-off-by: Peter Nied --- SECURITY.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 5eb8c581..769208b2 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,20 +1,20 @@ # Extensions Security Guidelines -OpenSearch's support for extensions allows for taking already powerful use cases and expanding on them. With this increased functionality comes a larger surface area for misuse, vunerabilities, and malicious interactions. +OpenSearch's support for extensions allows for taking already powerful use cases and expanding on them. With this increased functionality comes a larger surface area for misuse, vulnerabilities, and malicious interactions. -By capturing the current state of OpenSearch ecocsystem and the plans for extensions this document outlines several areas for enhancements, features, and practices to incorperate into extensions for OpenSearch. +By capturing the current state of OpenSearch ecosystem and the plans for extensions this document outlines several areas for enhancements, features, and practices to incorporate into extensions for OpenSearch. ## Document Phases -These guidlines and this document are meant to evolve. Some area might be complete adhead of others. Some areas or items might be marked as invalid/removed using markdown's strike-through. +These guidelines and this document are meant to evolve, the follow list captures the different phases this document will undergo. Some areas might be complete ahead of others. Some areas or items might be marked as invalid/removed using markdown's strike-through. 1. [X] Agreement of areas and 'as-is' state of OpenSearch Plugins and Extensions. **<-- Doc is here** -2. [ ] All area have recommendations and areas of investigation are filed as issues and linked back on this document. +2. [ ] All areas have recommendations and areas of investigation are filed as issues and linked back on this document. 3. [ ] All investigation conclusions are captured and linked in this document, effectively define the scope of work for these areas. Implementation of work is can be completed or outstanding. 4. 
[ ] All planned work has been completed, issues around this work can be completed or outstanding. 5. [ ] Document complete, future work and issue will be captured out of band instead of as updates this document. ## Terms -To keep concepts consistant, this document is using terminology from [NIST Glossary](https://csrc.nist.gov/glossary). +To keep concepts consistent, this document is using terminology from [NIST Glossary](https://csrc.nist.gov/glossary). Additional terms: * **Plugin** - reference to the existing functionality to extend OpenSearch functionality. @@ -32,7 +32,7 @@ Extensions are sandboxed from the host system by operating via REST APIs. This Plugins are loaded into the same java virtual machine instance allowing communicate to OpenSearch through in process java APIs. Plugins can issue REST API requests to the OpenSearch hosts reusing the standard node-to-node communications, internally called the transport client. -Extensions of OpenSearch communicate via https requests between the nodes on the cluster and the extensions endpoint(s). This is a bi-direction communication also allows extensions to contact the OpenSearch cluster through its avaliable REST APIs. +Extensions of OpenSearch communicate via https requests between the nodes on the cluster and the extensions endpoint(s). This is a bi-direction communication also allows extensions to contact the OpenSearch cluster through its available REST APIs. ## Data Security 
@@ -44,9 +44,9 @@ Plugins can use the existing data systems of the OpenSearch. Several classes of With the security plugin installed, role based access control (RBAC) is available with a proprietary policy document format. Access control over native OpenSearch data is possible with this plugin installed. -For resource that are managed by plugins, access control is governed within individual plugin, by examining [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from OpenSearch's thread context permissions are avaliable for approval/denial. Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). Uniform resource controls and models are needed to protect from misconfiguration and code defects. +For resource that are managed by plugins, access control is governed within individual plugin, by examining [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from OpenSearch's thread context permissions are available for approval/denial. Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). Uniform resource controls and models are needed to protect from misconfiguration and code defects. -As Extensions do not have access OpenSearch's thread context, identity and its associated prileveages must be communicated through the REST APIs. +As Extensions do not have access OpenSearch's thread context, identity and its associated privileges must be communicated through the REST APIs. ## Auditing 
@@ -62,7 +62,7 @@ Extensions installation is managed through on disk configuration. OpenSearch has a version number following [semver](https://semver.org/). -Plugins for OpenSearch must match their version exactly the version of OpenSearch. Older version numbers are not compatiable. +Plugins for OpenSearch must match their version exactly the version of OpenSearch. Older version numbers are not compatible. Extensions version information is not tied to OpenSearch's version. @@ -72,7 +72,7 @@ Configuration of OpenSearch uses on disk yml configuration files. Other setting Plugins configuration is managed through the same systems as OpenSearch. -Extensions configuration setup is tied to OpenSearch settings, extensions configuration are managed independantly of OpenSearch. +Extensions configuration setup is tied to OpenSearch settings, extensions configuration are managed independently of OpenSearch. ## Reliability From 910a2c1478e9bb1427acbd9ea409b776f101b5a0 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Fri, 1 Jul 2022 16:48:52 +0000 Subject: [PATCH 07/10] Relateversioning to patching Signed-off-by: Peter Nied --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 769208b2..5cd6e229 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -42,7 +42,7 @@ Plugins can use the existing data systems of the OpenSearch. Several classes of ### Access Control -With the security plugin installed, role based access control (RBAC) is available with a proprietary policy document format. Access control over native OpenSearch data is possible with this plugin installed. +With the security plugin installed, role based access control (RBAC) is available with a policy document format specific to OpenSearch. Access control over native OpenSearch data is possible with this plugin installed. For resource that are managed by plugins, access control is governed within individual plugin, by examining [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from OpenSearch's thread context permissions are available for approval/denial. Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). Uniform resource controls and models are needed to protect from misconfiguration and code defects. @@ -62,9 +62,9 @@ Extensions installation is managed through on disk configuration. OpenSearch has a version number following [semver](https://semver.org/). -Plugins for OpenSearch must match their version exactly the version of OpenSearch. Older version numbers are not compatible. +Plugins for OpenSearch must match their version exactly the version of OpenSearch. Older version numbers are not compatible, so to resolve CVE in OpenSearch or in plugins - all components be re-released. -Extensions version information is not tied to OpenSearch's version. +Extensions version information is not tied to OpenSearch's version, extensions and OpenSearch are able to independantly release minor/patch versions to address CVEs. ## Configuration From 3373f8738fe7405ef7a5b53798b25b04be1af144 Mon Sep 17 00:00:00 2001 
From: Peter Nied Date: Tue, 5 Jul 2022 22:17:05 +0000 Subject: [PATCH 08/10] Grammer suggestions Signed-off-by: Peter Nied --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 5cd6e229..c8a19cbe 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -24,7 +24,7 @@ Additional terms: ## Host security -Plugins depend on use of the Java Security Manager is use to limit interactions on the host operation system resources (cpu/disk/memory/network/...). JSM has been deprecated, with its removal scheduled in the next release of the JVM, see [OpenSearch discussion](https://github.com/opensearch-project/OpenSearch/issues/1687). Additional measures are needed to protect system resources. +Plugins depend on use of the Java Security Manager (JSM) to limit interactions on the host operation system resources (cpu/disk/memory/network/...). JSM has been deprecated, with its removal scheduled in the next release of the JVM, see [OpenSearch discussion](https://github.com/opensearch-project/OpenSearch/issues/1687). Additional measures are needed to protect system resources. Extensions are sandboxed from the host system by operating via REST APIs. This security boundary isolates extensions from executing operation system calls directly on OpenSearch hosts. 
@@ -44,7 +44,7 @@ Plugins can use the existing data systems of the OpenSearch. Several classes of With the security plugin installed, role based access control (RBAC) is available with a policy document format specific to OpenSearch. Access control over native OpenSearch data is possible with this plugin installed. -For resource that are managed by plugins, access control is governed within individual plugin, by examining [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from OpenSearch's thread context permissions are available for approval/denial. Example from anomaly detection, [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). Uniform resource controls and models are needed to protect from misconfiguration and code defects. +For resource that are managed by plugins, access control is governed within individual plugin. By examining [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from OpenSearch's thread context permissions are available for approval/denial. An example from anomaly detection is [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). Uniform resource controls and models are needed to protect from misconfiguration and code defects. As Extensions do not have access OpenSearch's thread context, identity and its associated privileges must be communicated through the REST APIs. From e1af30b1303e2b7fe25fcb28097337e898eb26ed Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 5 Jul 2022 22:17:56 +0000 Subject: [PATCH 09/10] Delete accidentally included file 
Signed-off-by: Peter Nied --- tatus | 38 -------------------------------------- 1 file changed, 38 deletions(-) delete mode 100644 tatus diff --git a/tatus b/tatus deleted file mode 100644 index d987f5ef..00000000 --- a/tatus +++ /dev/null 
@@ -1,38 +0,0 @@ -diff --git a/SECURITY.md b/SECURITY.md -index 1c00684..5eb8c58 100644 ---- a/SECURITY.md -+++ b/SECURITY.md -@@ -54,18 +54,26 @@ With the security plugin installed, when actions are performed on the OpenSearch -  - ## Installation -  --Plugin installation is managed by using a binary on the node that extract plugin.zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime. -+Plugin installation is managed by using a binary on the node that extract plugin zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime. -+ -+Extensions installation is managed through on disk configuration.  -  - ## Versioning -  --OpenSearch systems have ways to deprecate unsupported patterns, feature, and APIs. -+OpenSearch has a version number following [semver](https://semver.org/). -+ -+Plugins for OpenSearch must match their version exactly the version of OpenSearch. Older version numbers are not compatiable. -+ -+Extensions version information is not tied to OpenSearch's version. -  - ## Configuration -  --Configuration of OpenSearch is split between on disk yml files and various in OpenSearch systems such as cluster settings. -+Configuration of OpenSearch uses on disk yml configuration files. Other settings are manage in-memory through settings that are modifiable at runtime through APIs or indirectly. -+ -+Plugins configuration is managed through the same systems as OpenSearch. -  --Plugins configuration is loaded and checked at service startup time for correctness. If there is an error OpenSearch can fail to start. -+Extensions configuration setup is tied to OpenSearch settings, extensions configuration are managed independantly of OpenSearch. 
-  - ## Reliability -  --OpenSearch plugins can create node instability if incorrectly configured, or there are code defects. -\ No newline at end of file -+OpenSearch plugins can create cluster or node instability if incorrectly configured or by software defects. -\ No newline at end of file From 3ab63fed4a475a52f1dce46e996777219f84614e Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Wed, 6 Jul 2022 21:28:42 +0000 Subject: [PATCH 10/10] Remove 'REST' and cleanup language Signed-off-by: Peter Nied --- SECURITY.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c8a19cbe..7d8dbc2f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -17,28 +17,28 @@ These guidelines and this document are meant to evolve, the follow list captures To keep concepts consistent, this document is using terminology from [NIST Glossary](https://csrc.nist.gov/glossary). Additional terms: -* **Plugin** - reference to the existing functionality to extend OpenSearch functionality. -* **Extension** - reference to the in development functionality to extend OpenSearch. +* **Plugin** - reference to the existing functionality to extend OpenSearch functionality. Learn more from [Introduction to OpenSearch Plugins](https://opensearch.org/blog/technical-post/2021/12/plugins-intro/). +* **Extension** - reference to the in development functionality to extend OpenSearch. Learn more from [Modular architecture in OpenSearch](https://github.com/opensearch-project/OpenSearch/issues/1422). # Areas ## Host security -Plugins depend on use of the Java Security Manager (JSM) to limit interactions on the host operation system resources (cpu/disk/memory/network/...). JSM has been deprecated, with its removal scheduled in the next release of the JVM, see [OpenSearch discussion](https://github.com/opensearch-project/OpenSearch/issues/1687). Additional measures are needed to protect system resources. +Plugins depend on use of the Java Security Manager (JSM) to limit interactions on the host operation system resources (cpu/disk/memory/network/...). JSM has been deprecated, with its removal scheduled in the next release of the JVM, see [OpenSearch discussion](https://github.com/opensearch-project/OpenSearch/issues/1687). Additional measures are needed to protect system resources. -Extensions are sandboxed from the host system by operating via REST APIs. This security boundary isolates extensions from executing operation system calls directly on OpenSearch hosts. +Extensions are sandboxed from the host system by operating via APIs. This security boundary isolates extensions from executing operation system calls directly on OpenSearch hosts. 
## Communications security (COMSEC) -Plugins are loaded into the same java virtual machine instance allowing communicate to OpenSearch through in process java APIs. Plugins can issue REST API requests to the OpenSearch hosts reusing the standard node-to-node communications, internally called the transport client. +Plugins are loaded into the same java virtual machine instance allowing communicate to OpenSearch through in process java APIs. Plugins can issue API requests to the OpenSearch hosts reusing the standard node-to-node communications, internally called the transport client. -Extensions of OpenSearch communicate via https requests between the nodes on the cluster and the extensions endpoint(s). This is a bi-direction communication also allows extensions to contact the OpenSearch cluster through its available REST APIs. +Extensions of OpenSearch communicate via https requests between the nodes on the cluster and the extensions endpoint(s). This is a bi-direction communication also allows extensions to contact the OpenSearch cluster through its available APIs. ## Data Security OpenSearch stores data in memory and local file system storage. This data is stored unencrypted. -Plugins can use the existing data systems of the OpenSearch. Several classes of plugins extend storage options out to external services. +Plugins can use the existing data systems of the OpenSearch. Several implementations of plugins extend storage options out to external services. ### Access Control 
@@ -46,7 +46,7 @@ With the security plugin installed, role based access control (RBAC) is availabl For resource that are managed by plugins, access control is governed within individual plugin. By examining [user](https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java) object from OpenSearch's thread context permissions are available for approval/denial. An example from anomaly detection is [checkUserPermissions](https://github.com/opensearch-project/anomaly-detection/blob/875b03c1c7596cb34d74fea285c28d949cfb0d19/src/main/java/org/opensearch/ad/util/ParseUtils.java#L568). Uniform resource controls and models are needed to protect from misconfiguration and code defects. -As Extensions do not have access OpenSearch's thread context, identity and its associated privileges must be communicated through the REST APIs. +As Extensions do not have access OpenSearch's thread context, identity and its associated privileges must be communicated through APIs. ## Auditing @@ -54,7 +54,7 @@ With the security plugin installed, when actions are performed on the OpenSearch ## Installation -Plugin installation is managed by using a binary on the node that extract plugin zip files into the file system, this is done outside the active running of OpenSearch itself. When OpenSearch starts it loads installed plugins into its JVM runtime. +Plugin installation is managed by using a binary on the node, it is used when OpenSearch is not running. The tool can perform signature the native plugins and extracts the plugin zip files into the file system. When OpenSearch starts it discovers and loads installed plugins into its JVM runtime. Extensions installation is managed through on disk configuration. 
@@ -64,7 +64,7 @@ OpenSearch has a version number following [semver](https://semver.org/). Plugins for OpenSearch must match their version exactly the version of OpenSearch. Older version numbers are not compatible, so to resolve CVE in OpenSearch or in plugins - all components be re-released. -Extensions version information is not tied to OpenSearch's version, extensions and OpenSearch are able to independantly release minor/patch versions to address CVEs. +Extensions version information is not tied to OpenSearch's version, extensions and OpenSearch are able to independently release minor/patch versions to address CVEs. ## Configuration
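Review bot: the `tatus` file deleted by the patch that precedes 10/10 (diffstat `tatus | 38 ---`) contains a pasted diff of SECURITY.md, so it looks like redirected command output that was committed by accident. Rather than removing it in a follow-up commit, squash this deletion into the earlier commit in the series that added the file, so the stray file never lands in history.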
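Review bot: in the hunk at `@@ -17,28 +17,28 @@`, changing "operating via REST APIs" to "operating via APIs" weakens the sandbox claim under Host security, because the COMSEC paragraph in the same hunk says plugins also reach OpenSearch "through in process java APIs", and those provide no isolation. Suggest naming the property that creates the boundary instead of the API style, for example that extensions reach OpenSearch only through the https endpoints described under COMSEC, if that is the intent. The same hunk describes the https channel as bi-directional but does not say how either side authenticates the other; add a sentence or list it as an open item. The "Plugins depend on use of the Java Security Manager" pair shows no visible difference between the `-` and `+` lines, so if it is a whitespace-only change, mention that in the commit message. While these lines are being touched, "operation system" should read "operating system".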
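Review bot: in the hunk at `@@ -46,7 +46,7 @@`, the rewritten sentence says identity and its privileges "must be communicated through APIs" but not how the receiving side can trust what it is told. The paragraph above it relies on the user object from OpenSearch's thread context for approval/denial, so the document should state what takes the place of that trust for extensions, or record it as an open design item. The line is also missing a word: "do not have access to OpenSearch's thread context".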
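Review bot: in the hunk at `@@ -54,7 +54,7 @@`, the added sentence "The tool can perform signature the native plugins" is missing a word and leaves the security property undefined. It should say what the tool does with signatures, whether that step is mandatory or optional (the current "can" reads as optional), and what happens when it fails. The first added sentence is a comma splice; split it at "node, it is used".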
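Review bot: in the hunk at `@@ -64,7 +64,7 @@`, the changed line fixes the spelling of "independently" but keeps the comma splice at "OpenSearch's version, extensions and OpenSearch"; make it two sentences. The context line above it still reads "all components be re-released" with the verb missing and "must match their version exactly the version of OpenSearch"; since this commit is a language cleanup, fix those in the same pass. The claim that extensions can release independently to address CVEs would be stronger if the document also said which OpenSearch versions an extension release is expected to work with.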