Support for FIPS compliance mode #14912
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
8e8ed47 to 6016d5d
❌ Gradle check result for 8e8ed47: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
.../identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
Could use some help maybe from @cwperks or @peternied reviewing this, please.
@@ -1182,6 +1182,7 @@ private void createConfiguration() { | |||
baseConfig.put("indices.breaker.total.use_real_memory", "false"); | |||
// Don't wait for state, just start up quickly. This will also allow new and old nodes in the BWC case to become the master | |||
baseConfig.put("discovery.initial_state_timeout", "0s"); | |||
baseConfig.put("fips.approved", "true"); |
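Review bot: the added `baseConfig.put("fips.approved", "true")` at the end of this block is unconditional and uncommented, so every node built by `createConfiguration()` gets the setting, while the line above it documents why its value was chosen. Consider gating it on a build or test property so the same cluster setup can still be exercised without approved mode, and add a one-line comment explaining why test nodes default to it.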
When we proposed a similar flag previously we were encouraged not to use boolean flags to control behaviour like this opensearch-project/security#3420 (comment)
I am of the opinion that this is fine, in this case, I am not sure what greater configuration would make sense. Unless you can provide different approvers or something, there is no reason for this not to be a boolean.
I might have missed the part of the thread where that issue came up - I'd rather see crypto.standard=FIPS-140-2 & crypto.standard=any-supported to help understand what state the server is in when viewing a configuration file. I am definitely open to other ideas that clarify what state the cluster is running in, as I think it could be useful to support FIPS-140-3 separately or other standards/restrictions as they are adopted.
This isn't a blocker - it could be circled back on when we need to support a 3rd mode, the question is if that is a potential near term issue vs later on (or never).
8e5237f to 7e202a2
❌ Gradle check result for 7e202a2: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
7e202a2 to bbbafa9
❌ Gradle check result for bbbafa9: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Previously, my main focus was on running the entire test suite without the BC non-FIPS libraries, which was successfully achieved. Now, the latest changes affect FIPS compatibility by running all tests again with the additional VM parameter
Currently, the AWS S3 plugin is the remaining component that needs adjustment for FIPS mode. However, applying FIPS mode to every security-relevant thread using Another topic to consider is how to extend the Jenkins pipeline to run tasks like
@peternied Are we moving in the right direction?
@beanuwave Thanks for making these updates - I'll need a little time to digest them. While I do so could you please address all unresolved comment threads and look into the GitHub action failures?
modules/reindex/src/test/resources/org/opensearch/index/reindex/README.md
Directionally this is looking solid, I've got some background questions to make sure I understand some of the tradeoffs.
Definitely, can we set up a direct call? I've contacted you on Slack to find a suitable timeslot.
Sorry I might have been unclear, I've put those questions in comments on this PR, I don't need to schedule a call, please review the unresolved comment threads for the open questions I have, one for example #14912 (comment)
Signed-off-by: Iwan Igonin <[email protected]> # Conflicts: # server/build.gradle
Signed-off-by: Iwan Igonin <[email protected]> # Conflicts: # client/rest/build.gradle # distribution/tools/plugin-cli/build.gradle # server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
Signed-off-by: Iwan Igonin <[email protected]>
Signed-off-by: Iwan Igonin <[email protected]>
Signed-off-by: Iwan Igonin <[email protected]>
…ional tests. Signed-off-by: Iwan Igonin <[email protected]>
Signed-off-by: Iwan Igonin <[email protected]>
This is looking much closer
- There are still ~7 comment threads that are open, some of these might impact the scope of this change.
- Looks like there are failures from the gradle-check workflow.
@beanuwave are there other items that you can see need to be invested in before this is merged? Trying to get a sense of how close we are to the finish line, thanks for the hard work!
Signed-off-by: Iwan Igonin <[email protected]>
bbbafa9 to 8228037
❌ Gradle check result for 8228037: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Description
This PR provides FIPS 140-2 support by replacing all BC dependencies with BCFIPS dependencies and making FIPS approved-only mode configurable at launch. Running the application in approved-only mode restricts the BCFIPS provider to rely solely on FIPS-certified ciphers. Due to the replacement of the BC libraries, BCrypt password matching and private-key loading from file were replaced by alternative implementations.
Reasons for refactoring PemUtils.java that is used by Reindex API, in case of migrating data from a remote cluster that is TLS protected:
Related Issues
opensearch-project/security#3420
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
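The description above makes approved-only mode a launch-time choice, so a node can claim `fips.approved` while the JVM is in a different state. As an added example (not code from this PR or from OpenSearch), here is a fail-closed startup check for that mismatch. It assumes the bc-fips jar is on the classpath; the class name `FipsBootstrapCheck` and reading `fips.approved` from a system property are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsStatus;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/** Added example: verify that the JVM's crypto state matches a requested FIPS mode. */
public final class FipsBootstrapCheck {

    /** Returns the problems found; an empty list means the state matches the request. */
    static List<String> check(boolean fipsApprovedRequested) {
        List<String> problems = new ArrayList<>();
        if (!fipsApprovedRequested) {
            return problems; // nothing to enforce outside FIPS mode
        }
        if (Security.getProvider("BCFIPS") == null) {
            problems.add("BCFIPS provider is not registered");
        }
        // The non-FIPS Bouncy Castle provider registers under the name "BC".
        if (Security.getProvider("BC") != null) {
            problems.add("non-FIPS BC provider is registered next to BCFIPS");
        }
        if (!FipsStatus.isReady()) {
            problems.add("BCFIPS module is not ready (self-tests incomplete)");
        }
        // Approved-only mode is tracked per thread; this reports the calling thread.
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            problems.add("calling thread is not in approved-only mode");
        }
        return problems;
    }

    public static void main(String[] args) {
        // BC-FIPS reads -Dorg.bouncycastle.fips.approved_only=true at start-up.
        Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        // Hypothetical: the node setting is mirrored into a system property here.
        boolean requested = Boolean.parseBoolean(System.getProperty("fips.approved", "false"));
        List<String> problems = check(requested);
        if (!problems.isEmpty()) {
            problems.forEach(p -> System.err.println("FIPS check failed: " + p));
            System.exit(1); // fail closed: do not start with a weaker crypto state
        }
        System.out.println("crypto state matches fips.approved=" + requested);
    }
}
```

Because the mode is per thread, the result only describes the thread that runs the check; worker threads created elsewhere need the same verification.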