Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix remote cluster credential secure settings reload #111535

Merged

Conversation

n1v0lg
Copy link
Contributor

@n1v0lg n1v0lg commented Aug 2, 2024

Due to the cluster:admin/xpack/security action name prefix, the internal action cluster:admin/xpack/security/remote_cluster_credentials/reload to reload remote cluster credentials fails for users that have the manage cluster privilege. This does not align with our documentation and the overall permission requirements for reloading secure settings.

This PR renames the action to match the manage privilege. Since this is a local-only action there are no BWC concerns with this rename.

Fixes: #111543

@n1v0lg n1v0lg added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Aug 2, 2024
@n1v0lg n1v0lg self-assigned this Aug 2, 2024
@elasticsearchmachine
Copy link
Collaborator

Hi @n1v0lg, I've created a changelog YAML for you.

n1v0lg added 2 commits August 2, 2024 11:34
@n1v0lg n1v0lg added v8.15.0 auto-backport Automatically create backport pull requests when merged labels Aug 2, 2024
@@ -123,6 +123,7 @@ protected NodesReloadSecureSettingsResponse.NodeResponse nodeOperation(
final List<Exception> exceptions = new ArrayList<>();
// broadcast the new settings object (with the open embedded keystore) to all reloadable plugins
pluginsService.filterPlugins(ReloadablePlugin.class).forEach(p -> {
logger.debug("Reloading plugin [" + p.getClass().getSimpleName() + "]");
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems useful for future debugging...

@n1v0lg n1v0lg changed the title Fix reload secure settings privileges Fix remote cluster credential secure settings reload Aug 2, 2024
@n1v0lg n1v0lg marked this pull request as ready for review August 2, 2024 13:02
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Aug 2, 2024
@elasticsearchmachine
Copy link
Collaborator

Hi @n1v0lg, I've updated the changelog YAML for you.

@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@n1v0lg n1v0lg requested a review from jakelandis August 2, 2024 13:06
@n1v0lg
Copy link
Contributor Author

n1v0lg commented Aug 2, 2024

@elasticmachine update branch

Copy link
Contributor

@jakelandis jakelandis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question about where we should mark it as the system context.

// Run this action in system context -- it was authorized upstream and should not be tied to end-user permissions
final ThreadContext ctx = getClient().threadPool().getThreadContext();
assert ctx != null : "Thread context must be set for reload call";
try (ThreadContext.StoredContext ignore = ctx.stashContext()) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we stash the context and mark as system context from TransportNodesReloadSecureSettingsAction instead of here ? It feels off that we can call this method directly from anywhere that we can reference Security#reload and the work will be done in the system context, possibly having never run any authz.

Since the expectation is that work is implicitly allowed as a sub action from TransportNodesReloadSecureSettingsAction, I think having TransportNodesReloadSecureSettingsAction mark it as the system context is more correct since. It would also apply to all other sub reload actions, but that I think is also more correct since the permissions to use TransportNodesReloadSecureSettingsAction need to converge to a single permission.

Alternatively, I think we could change RELOAD_REMOTE_CLUSTER_CREDENTIALS_ACTION to an actual "internal:" action, helping to re-inforce that this is sub action / implementation detail of another action. But that would I prefer keeping the action name as-is and ensuring that the flip to system context is a bit more isolated to it's usage.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I included it here primarily because it's an implementation detail that it's an action to begin with -- most other reload calls happen at the "service" layer and are not subject to authz at all -- it would be the same here if we had access to the right services within the Security plugin (we'd just call RemoteClusterService.reload(...) without the action workaround, but unfortunately, RemoteClusterService is not available in Security. To me it actually feels more isolated to have it here.

However, I don't feel strongly -- TransportNodesReloadSecureSettingsAction is a fine place to switch to system context (though we'll have to double-check that we're not somehow switching back out of it along the way) -- let me know if you strongly prefer TransportNodesReloadSecureSettingsAction instead and I pull the switch over there.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed on Slack -- switching to system context in TransportNodesReloadSecureSettingsAction has several downsides.

Since Security#reload is a public method that could (in theory) be called in a context that did not ensure proper authz it's however better to also avoid the system context switch inside reload.

To accommodate this, we've decided to simply rename the action to have a prefix that's covered by manage. Since it's a local-only action there are not BWC concerns with this.

n1v0lg added 2 commits August 5, 2024 19:09
…v0lg/elasticsearch into fix-reload-secure-settings-privileges
@n1v0lg n1v0lg requested a review from a team as a code owner August 5, 2024 18:55
@n1v0lg n1v0lg requested a review from jakelandis August 8, 2024 09:04
Copy link
Contributor

@jakelandis jakelandis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the iterations.

(super nitpick: the PR description "Due to a missing system context switch,..." part is a bit misleading now)

@n1v0lg n1v0lg added v8.15.1 and removed v8.15.0 labels Aug 9, 2024
@n1v0lg
Copy link
Contributor Author

n1v0lg commented Aug 9, 2024

@elasticmachine update branch

@n1v0lg n1v0lg added test-update-serverless auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) labels Aug 9, 2024
@elasticsearchmachine elasticsearchmachine merged commit d99f871 into elastic:main Aug 9, 2024
20 checks passed
@n1v0lg n1v0lg deleted the fix-reload-secure-settings-privileges branch August 9, 2024 09:07
n1v0lg added a commit to n1v0lg/elasticsearch that referenced this pull request Aug 9, 2024
Due to the `cluster:admin/xpack/security` action name prefix, the
internal action
`cluster:admin/xpack/security/remote_cluster_credentials/reload` to
reload remote cluster credentials fails for users that have the `manage`
cluster privilege. This does not align with our documentation and the
overall permission requirements for reloading secure settings.  

This PR renames the action to match the `manage` privilege. Since this
is a local-only action there are no BWC concerns with this rename. 

Fixes: elastic#111543
@elasticsearchmachine
Copy link
Collaborator

💚 Backport successful

Status Branch Result
8.15

weizijun added a commit to weizijun/elasticsearch that referenced this pull request Aug 9, 2024
* upstream/main: (22 commits)
  Prune changelogs after 8.15.0 release
  Bump versions after 8.15.0 release
  EIS integration (elastic#111154)
  Skip LOOKUP/INLINESTATS cases unless on snapshot (elastic#111755)
  Always enforce strict role validation (elastic#111056)
  Mute org.elasticsearch.xpack.esql.analysis.VerifierTests testUnsupportedAndMultiTypedFields elastic#111753
  [ML] Force time shift integration test (elastic#111620)
  ESQL: Add tests for sort, where with unsupported type (elastic#111737)
  [ML] Force time shift documentation (elastic#111668)
  Fix remote cluster credential secure settings reload   (elastic#111535)
  ESQL: Fix for overzealous validation in case of invalid mapped fields (elastic#111475)
  Pass allow security manager flag in gradle test policy setup plugin (elastic#111725)
  Rename streamContent/Separator to bulkContent/Separator (elastic#111716)
  Mute org.elasticsearch.tdigest.ComparisonTests testSparseGaussianDistribution elastic#111721
  Remove 8.14 from branches.json
  Only emit product origin in deprecation log if present (elastic#111683)
  Forward port release notes for v8.15.0 (elastic#111714)
  [ES|QL] Combine Disjunctive CIDRMatch (elastic#111501)
  ESQL: Remove qualifier from attrs (elastic#110581)
  Force using the last centroid during merging (elastic#111644)
  ...

# Conflicts:
#	server/src/main/java/org/elasticsearch/TransportVersions.java
#	x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/InferenceNamedWriteablesProvider.java
cbuescher pushed a commit to cbuescher/elasticsearch that referenced this pull request Sep 4, 2024
Due to the `cluster:admin/xpack/security` action name prefix, the
internal action
`cluster:admin/xpack/security/remote_cluster_credentials/reload` to
reload remote cluster credentials fails for users that have the `manage`
cluster privilege. This does not align with our documentation and the
overall permission requirements for reloading secure settings.  

This PR renames the action to match the `manage` privilege. Since this
is a local-only action there are no BWC concerns with this rename. 

Fixes: elastic#111543
davidkyle pushed a commit to davidkyle/elasticsearch that referenced this pull request Sep 5, 2024
Due to the `cluster:admin/xpack/security` action name prefix, the
internal action
`cluster:admin/xpack/security/remote_cluster_credentials/reload` to
reload remote cluster credentials fails for users that have the `manage`
cluster privilege. This does not align with our documentation and the
overall permission requirements for reloading secure settings.  

This PR renames the action to match the `manage` privilege. Since this
is a local-only action there are no BWC concerns with this rename. 

Fixes: elastic#111543
elasticsearchmachine pushed a commit that referenced this pull request Sep 17, 2024
Due to the `cluster:admin/xpack/security` action name prefix, the
internal action
`cluster:admin/xpack/security/remote_cluster_credentials/reload` to
reload remote cluster credentials fails for users that have the `manage`
cluster privilege. This does not align with our documentation and the
overall permission requirements for reloading secure settings.  

This PR renames the action to match the `manage` privilege. Since this
is a local-only action there are no BWC concerns with this rename. 

Fixes: #111543

Co-authored-by: Elastic Machine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Automatically create backport pull requests when merged auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team test-update-serverless v8.15.1 v8.16.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Reloading remote cluster credentials via API fails for users with manage privilege
4 participants