Introduce API Tokens with cluster_permissions and index_permissions directly associated with the token

[cwperks]

Description

Re-basing #5225 with latest changes from main.

This PR creates a new capability in the security plugin where users can issue tokens and associate permissions directly with the token.

Currently this is limited to security admins.

What is novel about this PR is that we can associated permissions directly with the token instead of OBO tokens which contain a claim with the user's roles that the OBO authenticator uses for authz. With API Tokens an admin can request that the token is scoped down from their own permissions to give the token exactly the permissions it needs. For instance, if the admin only wants the token to have search permissions on a single index, then that can be configured and the token will be unable to perform any other action.

This is a key building block to be able to deprecate and replace Roles Injection which is the current practice for how plugins ensure that tasks or jobs that run asynchronously run with the same restrictions as the user that created the job. Instead, I envision that we require users to issue tokens scoped to exactly the needs for the job to ensure the job runs with only the permissions it needs and no more (principal of least privilege)

I'll update this PR Description with details about new REST APIs with example request and response.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Issues Resolved

Partially resolves #4009, but limited to security admins in initial release

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

❌ Patch coverage is 71.91011% with 175 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.52%. Comparing base (190b7c7) to head (bdd7d7f).

Files with missing lines	Patch %	Lines
...arch/security/action/apitokens/ApiTokenAction.java	58.43%	61 Missing and 8 partials ⚠️
...pensearch/security/http/ApiTokenAuthenticator.java	65.38%	17 Missing and 10 partials ⚠️
.../security/action/apitokens/ApiTokenRepository.java	81.53%	10 Missing and 2 partials ⚠️
...urity/action/apitokens/ApiTokenUpdateResponse.java	14.28%	12 Missing ⚠️
...ction/apitokens/TransportApiTokenUpdateAction.java	57.69%	11 Missing ⚠️
...ecurity/action/apitokens/ApiTokenIndexHandler.java	82.75%	10 Missing ⚠️
...opensearch/security/action/apitokens/ApiToken.java	90.58%	2 Missing and 6 partials ⚠️
...search/security/identity/SecurityTokenManager.java	73.91%	4 Missing and 2 partials ⚠️
...ecurity/authtoken/jwt/ExpiringBearerAuthToken.java	0.00%	5 Missing ⚠️
...curity/action/apitokens/ApiTokenUpdateRequest.java	33.33%	4 Missing ⚠️
... and 7 more

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #5443    +/-   ##
========================================
  Coverage   73.51%   73.52%            
========================================
  Files         438      451    +13     
  Lines       26710    27323   +613     
  Branches     3956     4023    +67     
========================================
+ Hits        19637    20088   +451     
- Misses       5195     5326   +131     
- Partials     1878     1909    +31     

Files with missing lines	Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java	85.50% <100.00%> (+0.12%)	⬆️
...ecurity/action/apitokens/ApiTokenUpdateAction.java	100.00% <100.00%> (ø)
...rity/authtoken/jwt/claims/ApiJwtClaimsBuilder.java	100.00% <100.00%> (ø)
...ensearch/security/compliance/ComplianceConfig.java	89.17% <100.00%> (-0.58%)	⬇️
...rg/opensearch/security/dlic/rest/api/Endpoint.java	100.00% <100.00%> (ø)
...dlic/rest/api/RestApiAdminPrivilegesEvaluator.java	74.54% <100.00%> (+0.47%)	⬆️
...h/security/privileges/PrivilegesEvaluatorImpl.java	83.09% <100.00%> (+0.24%)	⬆️
...ch/security/securityconf/DynamicConfigFactory.java	66.66% <100.00%> (+0.21%)	⬆️
...arch/security/securityconf/DynamicConfigModel.java	100.00% <ø> (ø)
...ch/security/securityconf/DynamicConfigModelV7.java	70.16% <100.00%> (+1.56%)	⬆️
... and 20 more

... and 11 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[nibix]

Thanks for this! Cool to see API tokens going forward.

One general question: I am wondering whether we also need to modify the DLS/FLS code to be API token aware. Otherwise, the deny-by-default policy might block index access.

[nibix]

With this, we might need to make the pluginIdToActionPrivileges HashMap thread-safe, for example, by converting it into a ConcurrentHashMap.

Alternatively, we could have two HashMaps, one for plugins and one for API tokens.

[DarshitChanpura]

i vote for single thread-safe map

[nibix]

I see this is getting called when an update action is received. I think I did not see anything regarding initial node startup. Did I miss something?

[DarshitChanpura]

Cache seems to be update only when a token is created or deleted. We should add one that loads on node bootstrap.

[nibix]

This seems to be a quite low limit. Is there a reason for that?

[nibix]

Is the parameter name an identifier for the token? Do we need uniqueness guarantees for this?

[nibix]

Nit: This method is not really necessary. It can be replaced just by log.debug() without any disadvantages. As a slight advantage, one also avoids the codecov warning for missing test coverage.

[nibix]

What do you think about changing RoleV7 into SubjectBasedActionPrivileges here? PrivilegesEvaluator could then retrieve these instances just from here.

[DarshitChanpura]

+1. It might not be straightforward since JTIs seem to be populated on getTokenMetadata request and there doesn't seem to be a way to pass flattenedActionGroups to that call. I may be seeing the complete picture here, but something like updateJTIs(FlattenedAGs) from PrivilegeEvaluator to update jtis and then use that to populate pluginIdToActionPrivileges which will then be used to create PrivilegeEvalContext?

[nibix]

IMHO, this map should be kept private and managed only by this class.

[nibix]

Is this a hs512 key?

[DarshitChanpura]

i think it fails in ApiTokenAuthenticator if it is anything lower than 512 bits.

[nibix]

This feels like a fragile way to deny certain endpoints, especially with the hardcoded path prefixes.

[nibix]

Also, do I understand it correctly that the goal of this code is that we cannot call the "issue API token" API with API tokens?

[DarshitChanpura]

Shouldn't rest-admin-only restriction block access to endpoints anyway?

[DarshitChanpura]

Thank you @cwperks for taking this over. Left some comments around testing and general usage.

[DarshitChanpura]

nit:
can be combined into 1 constructor:

public ApiToken(
            String name,
            List<String> clusterPermissions,
            List<IndexPermission> indexPermissions,
            Instant creationTime,   // nullable
            Long expiration) {

        this.name = name;
        this.clusterPermissions = clusterPermissions;
        this.indexPermissions = indexPermissions;
        this.creationTime = (creationTime != null) ? creationTime : Instant.now();
        this.expiration = expiration;   
    }

Can the name field be null?

[cwperks]

Removed the first constructor and made it so that creationTime should be supplied by the caller.

[DarshitChanpura]

Should this be UUID instead of name? or does the name field have any association with users?

[cwperks]

name is not necessarily unique per token, but it is unique per active token. i.e. on a token's expiry you would be able to regenerate a new one with the same perms.

The metadata which includes the perms for the token is stored as a doc in the .opensearch_security_api_tokens index

[DarshitChanpura]

+1. It might not be straightforward since JTIs seem to be populated on getTokenMetadata request and there doesn't seem to be a way to pass flattenedActionGroups to that call. I may be seeing the complete picture here, but something like updateJTIs(FlattenedAGs) from PrivilegeEvaluator to update jtis and then use that to populate pluginIdToActionPrivileges which will then be used to create PrivilegeEvalContext?

[DarshitChanpura]

we should add a case to test against expired token

[DarshitChanpura]

i think it fails in ApiTokenAuthenticator if it is anything lower than 512 bits.

[DarshitChanpura]

we should add a test for failure path

[DarshitChanpura]

shouldn't signing key at minimum of 512 bits, based on ApiTokenAuthenticator.MINIMUM_SIGNING_KEY_BIT_LENGTH

[DarshitChanpura]

we should add test to check for index permissions, i.e. ability to search from, write to an index.

[DarshitChanpura]

we should do this before we merge this.

[ztomaszewska]

Hi @cwperks ! First I wanted to thank you for your work on this PR. Really appreciate effort you put it in to move forward with this feature! Just wanted to ask whether is there any plan to soon merge your changes? Is there any blocking issues/ any help you would need? It would be really cool to have API tokens feature working :)

[cwperks]

I'll resolve the conflicts ASAP and try to push this forward for V1.

Its important to know that this PR will still have a lot of limitations, but paves the way for expansion. For instance, in this PR only the admin can issue tokens.

[DarshitChanpura]

thank you for picking this up @cwperks . Left a few comments. Main comment is addition of e2e test which checks authn+authz with API token,

[DarshitChanpura]

Let's make this value configurable with default to 100?
maybe maxed at 1k active tokens?

[DarshitChanpura]

this message should be "Failed to update API token"

[DarshitChanpura]

change log needs to be cleaned up to only add this entry.

[DarshitChanpura]

doesn't seem like this is used?

[DarshitChanpura]

we should do this before we merge this.