Service Accounts - Initial bootstrap plumbing to add essential classes #70391
Conversation
ywangd
added
>enhancement
:Security/Authentication
|
Pinging @elastic/es-security (Team:Security) |
| if (ElasticServiceAccounts.NAMESPACE.equals(token.getAccountId().namespace()) == false) { | ||
| logger.debug("only [{}] service accounts are supported, but received [{}]", | ||
| ElasticServiceAccounts.NAMESPACE, token.getAccountId().asPrincipal()); | ||
| listener.onResponse(null); | ||
| return; | ||
| } | ||
|
|
||
| final ServiceAccount account = ACCOUNTS.get(token.getAccountId().serviceName()); | ||
| if (account == null) { | ||
| logger.debug("the [{}] service account does not exist", token.getAccountId().asPrincipal()); | ||
| listener.onFailure(null); | ||
| return; | ||
| } | ||
|
|
||
| if (serviceAccountsCredentialStore.authenticate(token)) { | ||
| listener.onResponse(success(account, token, nodeName)); | ||
| } else { | ||
| final ParameterizedMessage message = new ParameterizedMessage( | ||
| "failed to authenticate service account [{}] with token name []", | ||
| token.getAccountId().asPrincipal(), | ||
| token.getTokenName()); | ||
| logger.debug(message); | ||
| throw new ElasticsearchSecurityException(message.getFormattedMessage()); | ||
| } |
There was a problem hiding this comment.
This part will be improved when we refactor the existing AuthenticationResult to be either generic or contain an Authentication object. But for now, I am throwing an exception to signal the termination of the authentication chain and null to mean continuation.
I think we can choose to not fallthrough (continue) in any case once a service account is extracted from the header. We touched on this in previous discussion, but I am not entirely sure now what we agreed upon. Fallthrough is the existing default behaviour, but we probably should be less lenient when it comes to service account. Please let me know your preference.
There was a problem hiding this comment.
I think throwing an exception & terminating is the right approach.
The PoC code was originally written to handle API key auth, in which case there was an argument to be slightly more lenient because there was less guarantee that the header was intended to represent a service account.
Here, once we've deserialized a service account token correctly, I think it's safe to say that the client was intending to authenticate with that token and if that authc fails then the request fails too.
| null, | ||
| null, | ||
| null | ||
| )); |
There was a problem hiding this comment.
I think this descriptor is good for now, but we'll need to check it with the Fleet team later on.
It's not quite identical to the fleet_enroll role that that Fleet creates today, and we'll want to work through the differences.
...in/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccount.java
Outdated
Show resolved
Hide resolved
...rity/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountService.java
Outdated
Show resolved
Hide resolved
...rity/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountService.java
Show resolved
Hide resolved
...rity/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountService.java
Outdated
Show resolved
Hide resolved
| token.getAccountId().asPrincipal(), | ||
| token.getTokenName()); | ||
| logger.debug(message); | ||
| throw new ElasticsearchSecurityException(message.getFormattedMessage()); |
There was a problem hiding this comment.
Despite what I say about throwing below, I think this should be onFailure(new ElasticsearchSecurityException(..)) instead.
There was a problem hiding this comment.
I thought about that, but it seems we mostly use onFailure for system related issues, e.g. security index is not available etc. Also because I plan to refactor this later to return an updated AuthenticationResult which uses terminate instead of onFailure for credential mismatch. So overall I think throwing is ok here and all throwing will become AuthenticationResult#terminate in future. Does it make sense?
There was a problem hiding this comment.
mostly use onFailure for system related issues
That's not intentional. onFailure is for when exceptions happen in async code.
So once serviceAccountsCredentialStore.authenticate becomes asynchronous, this will need to be onFailure because it's too late to throw an exception - control has passed from the original thread to the callback.
In general, it is preferable for code that takes a listener argument to signal all outcomes via onFailure or onResponse and never throw or return
...rity/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountService.java
Show resolved
Hide resolved
...rity/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountService.java
Outdated
Show resolved
Hide resolved
| final User user = account.asUser(); | ||
| final Authentication.RealmRef authenticatedBy = new Authentication.RealmRef(REALM_NAME, REALM_TYPE, nodeName); | ||
| return new Authentication(user, authenticatedBy, null, Version.CURRENT, Authentication.AuthenticationType.TOKEN, | ||
| Map.of("_token_name", token.getTokenName())); |
There was a problem hiding this comment.
Not strictly necessary since we control service account entirely, but I think it is still better to use a reserved (with the leading _) name. It could be helpful on the client side for clarity.
...curity/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountToken.java
Outdated
Show resolved
Hide resolved
…ecurity/authc/service/ServiceAccountToken.java Co-authored-by: Tim Vernum <[email protected]>
...curity/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountToken.java
Outdated
Show resolved
Hide resolved
We will need to change it once the code starts doing async work - but we can leave it until then. |
This is a good point. I was hoping to use |
|
@elasticmachine run elasticsearch-ci/1 elasticsearch-ci/2 elasticsearch-ci/eql-correctness elasticsearch-ci/packaging-sample-windows |
|
@elasticmachine run elasticsearch-ci/2 run elasticsearch-ci/eql-correctness run elasticsearch-ci/packaging-sample-windows |
…lastic#70391) This PR is the initial effort to add essential classes for service accounts to lay down the foundation of future works. The classes are wired in places, but not yet been used. Also intentionally left out the actual credential store implementation. It is a good first commit which does not bring in too many changes.
* Service Accounts - Initial bootstrap plumbing for essential classes (#70391) This PR is the initial effort to add essential classes for service accounts to lay down the foundation of future works. The classes are wired in places, but not yet been used. Also intentionally left out the actual credential store implementation. It is a good first commit which does not bring in too many changes. * Service Accounts - New CLI tool for managing file tokens (#70454) This is the second PR for service accounts. It adds a new CLI tool elasticsearch-service-tokens to manage file tokens. The file tokens are stored in the service_tokens file under the config directory. Out of the planned create, remove and list sub-commands, this PR only implements the create function since it is the most important one. The other two sub-commands will be handled in separate PRs. * Service Accounts - Authentication with file tokens (#70543) This the 3rd PR for service accounts. It adds support for authentication with file tokens. It also adds a cache for performance so that expensive pbkdf2 hashing does not have to be performed on every request. Adding a cache comes with its own housekeeping work around invalidation. This PR ensures that cache gets invalidated when underlying token file is changed. It does not implement APIs for active invalidation. It will be handled in a separate PR after the API token is in place. * [Test] Service Account - fix test assumption * [Test] Service Accounts - handle token names with leading hyphen (#70983) The CLI tool needs an option terminator (--) for another option names that begin with a hyphen. Otherwise it errors out with message of "not recognized option". The service account token name can begin with a hyphen. Hence we need to use -- when it is the case. An example of equivalent command line is ./bin/elasticsearch-service-tokens create elastic/fleet -- -lead-with-hyphen. * Service Accounts - Fleet integration (#70724) This PR implements rest of the pieces needed for Fleet integration, including: * Get service account role descriptor for authorization * API for creating service account token and storing in the security index * API for list tokens for a service account * New named privilege for manage service account * Mandate HTTP TLS for both service account auth and service account related APIs * Tests for API key related operations using service account * [Test] Service Accounts - Remove colon from invalid token name generator (#71099) The colon character is interpreted as the separate between token name and token secret. So if a token name contains a colon, it is in theory invalid. But the parser takes only the part before the colon as the token name and thus consider it as a valid token name. Subsequent authentication will still fail. But for tests, this generates a different exception and fails the expectation. This PR removes the colon char from being used to generate invalid token names for simplicity. * Fix for 7.x quirks
This PR is the initial effort to add essential classes for service accounts. The classes are wired in places, but not yet been used. I also intentionally left out the actual credential store implementation. The changes are largely based on the PoC code with quite a few renames and rearragements. I think this is a good first commit which does not bring in too many changes.
ToDo: