Lessons learned: Custom Opensearch Dashboards Plugin Security

 8 months ago
source link: https://blog.davidvassallo.me/2023/08/31/lessons-learned-custom-opensearch-dashboards-plugin-security/

To determine which user is signed in when a request reaches your plugin server (more formally, the "authentication context" of the request), you have two options:

Client side

This is not secure: the request is initiated, and its response consumed, by the browser, which is under the complete control of the end user. Anything the browser tells you about the signed-in user can be manipulated, so use this only for presentation (e.g. showing a name in the UI) and never to enforce actions that depend on who is signed in:

// usually in plugins/PLUGIN_NAME/public/application.ts
// `http` is the browser-side HTTP service the plugin receives from core
http.get('/api/v1/configuration/account').then((resp) => {
  console.log(resp);
});

Server side

This is the preferred approach for enforcing authorization based on the signed-in user: the lookup happens in the plugin's server process, reading the authentication state the security plugin attached to the request, which the browser cannot alter:

// usually in plugins/PLUGIN_NAME/server/routes/index.ts - in the "defineRoutes" function
router.get(
  {
    path: '/api/cybersift/whoami',
    validate: false, // this route takes no params, query or body to validate
  },
  async (context, request, response) => {
    // the below object is the important part: the authentication state for
    // this request, read on the server rather than reported by the browser
    const auth = context.core.coreStart.http.auth.get(request);
    console.log(auth);
    console.log("--------------");
    return response.ok({
      body: {
        status: "OK",
      },
    });
  }
);

Sample response (the object logged by the route above for the built-in admin user):

{
  "status": "authenticated",
  "state": {
    "selectedTenant": "__user__",
    "authInfo": {
      "user": "User [name=admin, backend_roles=[admin], requestedTenant=__user__]",
      "user_name": "admin",
      "user_requested_tenant": "__user__",
      "remote_address": "127.0.0.1:49404",
      "backend_roles": [
        "admin"
      ],
      "custom_attribute_names": [],
      "roles": [
        "own_index",
        "all_access"
      ],
      "tenants": {
        "global_tenant": true,
        "admin_tenant": true,
        "admin": true
      },
      "principal": null,
      "peer_certificates": "0",
      "sso_logout_url": null
    }
  }
}