[FEATURE][ODBC] Support SIGV4 along with Basic Auth

Open joshuali925 opened this issue 3 years ago • 8 comments

Is your feature request related to a problem? Currently there are three auth types in the ODBC driver: basic, sigv4, none. Users can provide their FGAC credentials (username and password) using basic auth, and sigv4 will read the opensearchodbc AWS profile, which contains IAM credentials.

There is a domain that uses both types of authentication. opensearch.log shows a 401 authn error for the basic and none auth types, and a 403 authz error for the sigv4 auth type. Looks like sigv4 got past the AWS validation, but since there were no username and password sent, it did not go through the FGAC validation.

Feel free to edit/comment if the above assumption is wrong.

What solution would you like? Provide an option in the ODBC driver to allow users to use their AWS credentials with basic auth (username and password).

What alternatives have you considered? A clear and concise description of any alternative solutions or features you've considered.

Do you have any additional context? Add any other context or screenshots about the feature request here.

joshuali925 avatar Jun 28 '22 19:06 joshuali925

Related bug: https://github.com/opensearch-project/sql/issues/328

acarbonetto avatar Jun 28 '22 19:06 acarbonetto

@joshuali925 do JDBC driver or other clients support using both SIGv4 and FGAC at the same time?

MaxKsyunz avatar Jun 29 '22 17:06 MaxKsyunz

@MaxKsyunz I don't think so; according to its README, auth can only be one of NONE, BASIC, AWS_SIGV4.

joshuali925 avatar Jun 29 '22 17:06 joshuali925

@joshuali925 do you think there's value in supporting this scenario across more clients? cc @CEHENKLE

MaxKsyunz avatar Jun 29 '22 22:06 MaxKsyunz

@MaxKsyunz I'm assuming that for a cluster that uses IAM and FGAC, clients need to get both pieces of information from the user in order to connect. If this is true, then I think yes, because otherwise the clients using either SIGV4 or FGAC won't be able to connect to the cluster.

joshuali925 avatar Jun 29 '22 22:06 joshuali925

@joshuali925 I'd like to understand this use case better. Here's what I got so far:

  1. There is a domain with a resource-based access policy that uses a particular IAM.
  2. There is an OpenSearch cluster with several roles set up.

Is the problem that

  1. the security plugin is not aware of the SIGv4 key and cannot map the IAM to a particular role, or
  2. there's a need to use IAM to authenticate an application's access to the domain and another authority to authenticate end-users of the application?

MaxKsyunz avatar Jul 01 '22 02:07 MaxKsyunz

@MaxKsyunz The use case is that there is a domain which needs both AWS credentials and a username and password to access, and we cannot use ODBC to connect to it.

For the problem, I'm also not sure. I put my assumptions in the description, but I felt my understanding of how auth works in this case is probably not accurate.

joshuali925 avatar Jul 01 '22 02:07 joshuali925

@MaxKsyunz Doesn't look like all clients support SIGv4 yet. https://github.com/opensearch-project/opensearch-clients/issues/22

acarbonetto avatar Jul 19 '22 00:07 acarbonetto