
[FEATURE] Configuration Option to Set Default Algorithm for Field Masking #4213


Closed
terryquigleysas opened this issue Apr 4, 2024 · 3 comments · Fixed by #4336

@terryquigleysas
Contributor

Is your feature request related to a problem?
The field masking algorithm defaults to Blake2b. We'd like to be able to change this via a configuration option.

What solution would you like?
Add configuration option, e.g.
plugins.security.masked_fields.algorithm.default

This can be set to any of the other supported algorithms (e.g. SHA-512) https://opensearch.org/docs/latest/security/access-control/field-masking/#advanced-use-an-alternative-hash-algorithm

Do you have any additional context?
As well as adding functionality for wider use it will also help for adding configurable options for FIPS compliance:
#3420

@terryquigleysas terryquigleysas added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Apr 4, 2024
@terryquigleysas
Contributor Author

Please assign to me once triaged.

@cwperks cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Apr 8, 2024
@cwperks
Member

cwperks commented Apr 8, 2024

[Triage] Thank you for filing this issue @terryquigleysas. I have assigned this to you and thank you for providing a reference implementation here.

What do you think about the setting being called plugins.security.masked_fields.algorithm? By having default on the path to the setting (plugins.security.masked_fields.algorithm.default) does this imply that it can be changed without a cluster reboot?

@terryquigleysas
Contributor Author

@cwperks The algorithm can be set per field as detailed in https://opensearch.org/docs/latest/security/access-control/field-masking/#advanced-use-an-alternative-hash-algorithm

When no specific algorithm is provided for a field the default is hardcoded to choose Blake2b. We want to provide an option to choose a default of our choice when a field has no algorithm specified. Initially this would be a static setting that would require a reboot.
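
The resolution order discussed in this thread (per-field algorithm, then a configured default, then the hardcoded Blake2b), as an added Python example that is not code from the issue or from the OpenSearch security plugin. It assumes the `field::ALGORITHM` entry syntax from the linked documentation and models the settings as a plain dict; the function names, the algorithm subset and the sample entries are constructed for illustration, and the hashes are unsalted, so they will not match the plugin's output.

```python
import hashlib

# Setting name proposed in the issue, and the hardcoded fallback it describes.
DEFAULT_SETTING = "plugins.security.masked_fields.algorithm.default"
HARDCODED_DEFAULT = "BLAKE2b"

# Constructed subset of algorithm names for this demo -> hashlib names.
HASHLIB_NAMES = {"BLAKE2B": "blake2b", "SHA-256": "sha256", "SHA-512": "sha512"}


def resolve(spec, settings):
    """Return (field, algorithm) for one masked-field entry.

    Order: per-field 'field::ALGORITHM' > configured default > BLAKE2b.
    """
    field, _, per_field = spec.partition("::")
    algorithm = per_field or settings.get(DEFAULT_SETTING) or HARDCODED_DEFAULT
    if algorithm.upper() not in HASHLIB_NAMES:
        # Reject unknown names up front rather than when the first document is masked.
        raise ValueError(f"unsupported masking algorithm for {field!r}: {algorithm}")
    return field, algorithm


def mask(value, algorithm):
    """Hash a field value (unsalted; not byte-identical to the plugin's output)."""
    name = HASHLIB_NAMES[algorithm.upper()]
    return hashlib.new(name, value.encode("utf-8")).hexdigest()


def fields_still_on_blake2b(specs, settings):
    """Audit helper: fields whose effective algorithm is still BLAKE2b."""
    resolved = (resolve(s, settings) for s in specs)
    return [field for field, alg in resolved if alg.upper() == "BLAKE2B"]


if __name__ == "__main__":
    # Constructed role entries: one unpinned field, two pinned per field.
    specs = ["title", "genres::SHA-512", "actor::BLAKE2b"]
    for settings in ({}, {DEFAULT_SETTING: "SHA-512"}):
        print(settings or "no default configured")
        for spec in specs:
            field, alg = resolve(spec, settings)
            print(f"  {field:7} {alg:8} {mask('example', alg)[:16]}...")
        print("  still on BLAKE2b:", fields_still_on_blake2b(specs, settings))
```

Changing the default only moves fields that have no per-field algorithm; an entry pinned to BLAKE2b keeps it, which is what the audit helper surfaces.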
