domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

Add support for AWSSigV4-based authentication for OpenSearch #488

Open Szasza opened 3 months ago

Szasza commented 3 months ago

AWS OpenSearch has two methods to authenticate with; details can be found at https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-master-user

parsedmarc can access AWS OpenSearch using master user credentials and the internal user database. This, however, comes with limitations, which are outlined in the document linked above.

It would be great to have support for AWSSigV4 to enable a more robust authentication method. opensearch-py already supports it, in the following way:

```python
import os

import boto3
from opensearchpy import OpenSearch, RequestsHttpConnection
from requests_aws4auth import AWS4Auth

region = os.environ['AWS_REGION']
service = 'es'  # SigV4 service name for OpenSearch Service domains
# Resolve credentials through boto3's default chain (environment, profile, role).
credentials = boto3.Session().get_credentials()
awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, region, service,
                   session_token=credentials.token)
host = 'some_host_here'

# Requests are signed by AWS4Auth, which needs the requests-based connection class.
os_client = OpenSearch(
    hosts=[host],
    http_auth=awsauth,
    use_ssl=True,
    verify_certs=True,
    ssl_assert_hostname=False,
    ssl_show_warn=False,
    connection_class=RequestsHttpConnection,
)
```

parsedmarc currently doesn't support this authentication method. A way of implementation could be to add `aws_region` and `authentication_type` (`basic` or `awssigv4`) to the config ini file's `[opensearch]` section. Based on the authentication type, the OpenSearch connector could create the OpenSearch connection accordingly.

Happy to work on the implementation if the approach is agreed upon, either as above, or in a better way.
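
A sketch of the configuration handling proposed in the comment above, as an added example that is neither the issue author's nor parsedmarc's own code. It assumes the `[opensearch]` section also carries `hosts`, `user` and `password` keys; the function names and the `sigv4_factory` parameter are hypothetical, and the SigV4 branch reuses the calls from the snippet in the issue.

```python
import configparser

AUTH_TYPES = ("basic", "awssigv4")


def boto3_sigv4(region, service="es"):
    """Build SigV4 auth the way the issue's snippet does (imports are lazy)."""
    import boto3
    from opensearchpy import RequestsHttpConnection
    from requests_aws4auth import AWS4Auth

    creds = boto3.Session().get_credentials()
    if creds is None:  # no role, profile or environment credentials found
        raise RuntimeError("awssigv4 selected but no AWS credentials available")
    auth = AWS4Auth(creds.access_key, creds.secret_key, region, service,
                    session_token=creds.token)
    return {"http_auth": auth, "connection_class": RequestsHttpConnection}


def opensearch_kwargs(ini_text, sigv4_factory=boto3_sigv4):
    """Turn an [opensearch] section into keyword arguments for OpenSearch()."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '%' in passwords
    cfg.read_string(ini_text)
    sec = cfg["opensearch"]
    hosts = [h.strip() for h in sec.get("hosts", "").split(",") if h.strip()]
    if not hosts:
        raise ValueError("[opensearch] hosts is required")
    # Unknown values are rejected instead of silently falling back to basic.
    auth_type = sec.get("authentication_type", "basic").strip().lower()
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"authentication_type must be one of {AUTH_TYPES}")
    kwargs = {"hosts": hosts, "use_ssl": True, "verify_certs": True}
    if auth_type == "awssigv4":
        region = sec.get("aws_region", "").strip()
        if not region:
            raise ValueError("aws_region is required for awssigv4")
        kwargs.update(sigv4_factory(region))
    else:
        user, password = sec.get("user"), sec.get("password")
        if not user or not password:
            raise ValueError("basic authentication needs user and password")
        kwargs["http_auth"] = (user, password)
    return kwargs


# Constructed sample configuration (host name and region are placeholders).
SAMPLE_INI = """
[opensearch]
hosts = https://search-example.invalid:443
authentication_type = awssigv4
aws_region = eu-west-1
"""
```

With `awssigv4` selected, no static password has to be stored in the ini file, because the credentials come from boto3's default chain at connection time.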