Lessons learned: Custom Opensearch Dashboards Plugin Security
source link: https://blog.davidvassallo.me/2023/08/31/lessons-learned-custom-opensearch-dashboards-plugin-security/
To determine the user that is signed in when making a request to your plugin server (in more formal words, the "authentication context" of a request), you have two options:
Client Side
This is not very secure, as it is initiated and consumed by the browser, which is under the complete control of the end user. Do not rely on this method to enforce actions depending on the signed-in user, since it can be manipulated:

    // usually in plugins/PLUGIN_NAME/public/application.ts
    http.get('/api/v1/configuration/account').then(resp => {
      console.log(resp)
    })
Server side
This is the preferred approach to enforce authorization depending on the signed-in user, because the auth state is resolved on the server from the request and never passes through client-controlled code:

    // usually in plugins/PLUGIN_NAME/server/routes/index.ts - in the "defineRoutes" function
    router.get(
      {
        path: '/api/cybersift/whoami',
        validate: false,
      },
      async (context, request, response) => {
        // the below object is the important part
        console.log(context.core.coreStart.http.auth.get(request))
        console.log("--------------")
        return response.ok({
          body: {
            status: "OK",
          },
        });
      }
    )
Sample response:
    {
      "status": "authenticated",
      "state": {
        "selectedTenant": "__user__",
        "authInfo": {
          "user": "User [name=admin, backend_roles=[admin], requestedTenant=__user__]",
          "user_name": "admin",
          "user_requested_tenant": "__user__",
          "remote_address": "127.0.0.1:49404",
          "backend_roles": ["admin"],
          "custom_attribute_names": [],
          "roles": ["own_index", "all_access"],
          "tenants": {
            "global_tenant": true,
            "admin_tenant": true,
            "admin": true
          },
          "principal": null,
          "peer_certificates": "0",
          "sso_logout_url": null
        }
      }
    }