Skip to content

Add TLS configuration settings/endpoints for auxiliary transports#5152

Closed
finnegancarroll wants to merge 27 commits intoopensearch-project:mainfrom
finnegancarroll:aux-transport
Closed

Add TLS configuration settings/endpoints for auxiliary transports#5152
finnegancarroll wants to merge 27 commits intoopensearch-project:mainfrom
finnegancarroll:aux-transport

Conversation

@finnegancarroll
Copy link
Contributor

@finnegancarroll finnegancarroll commented Mar 5, 2025
edited
Loading

Description

Add settings for configuring keystore/truststore resources for optional auxiliary client/server transports in OpenSearch core which are supplied and registered by plugins. For more information regarding auxiliary transports see opensearch-project/OpenSearch#16534.

Initially aux transports will only support client-certificate authentication:
https://opensearch.org/docs/latest/security/authentication-backends/client-auth/

Similarly no authorization functionality is included in this PR and is planned for follow up work.

Introduces the following settings for configuring TLS for auxiliary transports:

Enable

plugins.security.ssl.http.enabled
plugins.security.ssl.aux.clientauth_mode
plugins.security.ssl.aux.enabled_ciphers
plugins.security.ssl.aux.enabled_protocols

// will respect the following global settings
plugins.security.disabled
plugins.security.ssl_only

Keystore settings

// for keystores
plugins.security.ssl.aux.keystore_type
plugins.security.ssl.aux.keystore_alias
plugins.security.ssl.aux.keystore_filepath
plugins.security.ssl.aux.keystore_password
// for pemkeys
plugins.security.ssl.aux.pemkey_filepath
plugins.security.ssl.aux.pemkey_password

Truststore settings

// for truststore
plugins.security.ssl.aux.truststore_type
plugins.security.ssl.aux.truststore_alias
plugins.security.ssl.aux.truststore_filepath
plugins.security.ssl.aux.truststore_password
// for pemcerts
plugins.security.ssl.aux.pemcert_filepath
plugins.security.ssl.aux.pemtrustedcas_filepath

Issues Resolved

#5104

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

Added tests for SettingsManager and ContextManager for new transport type.
CI will fail due to missing definitions in core since the corresponding PR adding SecureAuxTransportSettingsProvider is still in review.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@codecov
Copy link

codecov bot commented Mar 5, 2025

Codecov Report

Attention: Patch coverage is 70.51282% with 23 lines in your changes missing coverage. Please review.

Project coverage is 71.68%. Comparing base (305df57) to head (04ba906).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
...rg/opensearch/security/ssl/SslSettingsManager.java 79.62% 4 Missing and 7 partials ⚠️
.../opensearch/security/ssl/config/SslParameters.java 21.42% 11 Missing ⚠️
...ensearch/security/ssl/util/SSLConfigConstants.java 83.33% 0 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #5152      +/-   ##
==========================================
+ Coverage   71.64%   71.68%   +0.04%     
==========================================
  Files         335      335              
  Lines       22748    22803      +55     
  Branches     3599     3607       +8     
==========================================
+ Hits        16297    16346      +49     
- Misses       4651     4655       +4     
- Partials     1800     1802       +2
Files with missing lines Coverage Δ
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java 87.24% <100.00%> (ø)
...a/org/opensearch/security/ssl/config/CertType.java 100.00% <100.00%> (ø)
...opensearch/security/ssl/util/SSLRequestHelper.java 66.98% <100.00%> (ø)
...ensearch/security/ssl/util/SSLConfigConstants.java 80.76% <83.33%> (+1.60%) ⬆️
...rg/opensearch/security/ssl/SslSettingsManager.java 74.66% <79.62%> (+1.58%) ⬆️
.../opensearch/security/ssl/config/SslParameters.java 53.84% <21.42%> (-3.10%) ⬇️

... and 7 files with indirect coverage changes

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@finnegancarroll finnegancarroll mentioned this pull request Mar 13, 2025
Open
27 tasks
@finnegancarroll finnegancarroll mentioned this pull request Mar 23, 2025
Closed
6 tasks
@finnegancarroll finnegancarroll mentioned this pull request Mar 26, 2025
Closed
3 tasks
@finnegancarroll
Spotless apply
e2e31aa 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Fill in additional post-fix literals with constants.
96269e1 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Add aux transport constants.
a492af3 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Add aux to CertType enum.
c6426b2 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Load aux settings in SslSettingsManager.
449f830 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Comment typos.
3e87d90 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Add SECURITY_SSL_AUX_ENABLE_OPENSSL_IF_AVAILABLE to openSslWarnings.
11ab6e4 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Consolidate testFailsIfNoConfigDefine tests under single helper.
14c8fc3 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
httpConfigFailsIfHttpEnabledButButNotDefined and transportFailsIfNoCo…
b20b21f 
…nfigDefine(SECURITY_SSL_HTTP_ENABLED) are the same test. Removing dup.

Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Replace httpConfigFailsIfBothPemAndJDKSettingsWereSet with transport …
dc64854 
…generic helper. Add aux and node-to-node transports.

Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Replace httpConfigFailsIfClientAuthRequiredAndJdkTrustStoreNotSet wit…
0cbde43 
…h generic transport helper. Add aux transport case.

Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Fix error message for validate keystore/pemstore - Print missing sett…
c47e295 
…ing name instead of value.

Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Replace httpConfigFailsIfClientAuthRequiredAndPemTrustedCasNotSet wit…
60688a5 
…h generic helper. Add aux transport case.

Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Add simple asserts for aux transport to SslSettingsManagerTest.
e54ede7 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Update SSLConfigConstants aux constants with new constants.
cbbda6a 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Refactor SslSettingsManagerReloadListenerTest to abstract helpers for…
721296b 
… easier application to each CertType. Add aux transport cases.

Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Refactor SslParameters to load from CertType instead of 'ishttp' bool.
b32f435 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Add aux case for Pem and JDK cert loader tests.
4a9d709 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Abstract getSecureSSLProtocols and getSecureSSLCiphers to handle prov…
e79fef6 
…ider CertType.

Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Add aux cases for SSLConfigConstantsTest.
d48105d 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Implement getSecureAuxTransportSettingsProvider to link with core.
fb30688 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Expose aux settings to core through plugin class.
78efaad 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Remove engine from settings provider. Fetch raw params instead.
61d79f2 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Rebase.
ca85266 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Remove cert revocation settings for aux.
2745eda 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll finnegancarroll marked this pull request as ready for review April 3, 2025 21:06
This was referenced Apr 4, 2025
Closed
Merged
@finnegancarroll finnegancarroll mentioned this pull request Apr 9, 2025
Open
6 tasks
@cwperks cwperks mentioned this pull request Apr 10, 2025
Merged
5 tasks
@finnegancarroll
Copy link
Contributor Author

finnegancarroll commented Apr 10, 2025

Marking this as draft while I revise.
Several key points identified in companion PR tracked in aux transport meta issue.

We will need a more flexible framework for configuring aux transports in security plugin to support:

  • Multiple enabled aux transports at a time
  • Distinct security configurations for each enabled aux transport

@finnegancarroll finnegancarroll marked this pull request as draft April 10, 2025 17:01
@peterzhuamazon peterzhuamazon mentioned this pull request Apr 10, 2025
Closed
66 tasks
@finnegancarroll
Spotless apply
09756ba 
Signed-off-by: Finn Carroll <carrofin@amazon.com>
@finnegancarroll
Copy link
Contributor Author

finnegancarroll commented Jun 6, 2025

Closing this.
For configuring SSL settings of auxiliary transports see:
#5375

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cwperks cwperks Awaiting requested review from cwperks cwperks is a code owner

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho is a code owner

@nibix nibix Awaiting requested review from nibix nibix is a code owner

@peternied peternied Awaiting requested review from peternied

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

@shikharj05 shikharj05 Awaiting requested review from shikharj05 shikharj05 will be requested when the pull request is marked ready for review shikharj05 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@finnegancarroll @willyborankin