Authentication under domains #82639
Conversation
I scanned through the code and didn't read too closely. I have an overall "design" question:
What do you think if we attach all domain information to RealmRef instead of splitting them between RealmRef and Authentication? I am also thinking of promoting Domain into its own class. So it's something like:

    // Domain groups the realm refs configured under one domain name
    public record Domain(String name, Set<RealmRef> realmRefs) {}

    public class RealmRef {
        String name;
        String type;
        String nodeName;
        @Nullable Domain domain; // null when the realm is not under any domain
    }

One advantage of this approach is that we can keep all domain information for both authenticatedBy and lookupBy realms. It is also more expandable if we decide to keep delegate realm info in the future as well. Semantically, domain is also more akin to realm. Another advantage is that it requires no cascading changes to AuthenticationContext.
Hi @albertzaharovits, I've created a changelog YAML for you.
We discussed it on another channel, and I agreed that it is a good suggestion that I will follow.
3d28f78 to e6bb998
This is looking great! Thanks for the iterations! I had quite a few comments, but none of them is critical. Also:
- I suggest we update the PR description to replace realm ref with realm id as well.
- Nothing really to do for this, but I'd like to double click that the equals and/or hashCode method of RealmRef (and in turn Authentication) cannot be relied upon for ownership checking because domain configuration can change independently.
    assert authentication.isAuthenticatedInternally();
    assert false == authentication.isAssignedToDomain();
Nit: Are these assertions necessary given the Authentication object is directly instantiated here?
I would like to keep the isAssignedToDomain asserts. I like that they document which authentications are outside domains.
Test failure https://gradle-enterprise.elastic.co/s/sqmaob7d4novq is already tracked (and muted) #83516.
Hi @albertzaharovits, I've updated the changelog YAML for you.
10d442b to aceb2f9
🎉
Like we discussed, I'm planning to open follow-up PRs for some refactorings that were reverted by 0ebd996.
This PR removes the conditional check for metadata keys related to API key role descriptors. API key authentication must always have these keys for it to work. The PR adds assertions for these keys and fixes relevant tests. Relates: #82639
This makes the ubiquitous Authentication object contain the domain information that will later be used for access control decisions related to ownership. The domain information is a Set of RealmIdentifiers of the authentication realms configured under the same domain name.
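The ownership point raised in review (equals/hashCode of RealmRef cannot be trusted because the domain configuration can change independently of what an Authentication captured) and the model in the PR description (the domain as a Set of RealmIdentifiers configured under one domain name), as an added illustration that is not Elasticsearch code and not part of this PR. The class names RealmIdentifier, Domain, RealmRef and DomainConfig, and the sameOwner method, are assumed shapes modelled on the discussion above, not the project's API.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added illustration, not Elasticsearch code. All type and method names below
// are assumptions modelled on the PR discussion.
public class DomainOwnershipExample {

    /** Identifies a configured realm by type and name (assumed shape). */
    public record RealmIdentifier(String type, String name) {}

    /** A named domain grouping several realms (assumed shape). */
    public record Domain(String name, Set<RealmIdentifier> realms) {}

    /** Live domain configuration: realm id -> the domain it belongs to right now. */
    public static final class DomainConfig {
        private final Map<RealmIdentifier, Domain> byRealm;

        public DomainConfig(Set<Domain> domains) {
            Map<RealmIdentifier, Domain> m = new HashMap<>();
            for (Domain d : domains) {
                for (RealmIdentifier r : d.realms()) {
                    m.put(r, d);
                }
            }
            this.byRealm = Map.copyOf(m);
        }

        /** Returns null when the realm is not under any domain. */
        public Domain domainOf(RealmIdentifier realm) {
            return byRealm.get(realm);
        }
    }

    /**
     * Snapshot of the realm and its domain as it was when a resource was
     * created, the way an Authentication would carry it. It is a snapshot:
     * nothing updates it when the cluster's domain settings change.
     */
    public record RealmRef(RealmIdentifier realm, Domain domain) {}

    /**
     * Ownership check that consults the current configuration instead of
     * RealmRef.equals(): the stored domain snapshot may be stale.
     */
    public static boolean sameOwner(RealmRef stored, RealmIdentifier caller, DomainConfig config) {
        if (stored.realm().equals(caller)) {
            return true; // same realm always owns its own resources
        }
        Domain callerDomain = config.domainOf(caller);
        if (callerDomain == null) {
            return false; // caller's realm is outside any domain
        }
        // The owner's realm counts only if it is in the caller's domain *now*.
        return callerDomain.realms().contains(stored.realm());
    }

    public static void main(String[] args) {
        // Constructed sample realms, not real configuration.
        RealmIdentifier ldap = new RealmIdentifier("ldap", "ldap1");
        RealmIdentifier saml = new RealmIdentifier("saml", "saml1");

        // Domain configuration at creation time: both realms share a domain.
        Domain before = new Domain("corp", Set.of(ldap, saml));
        RealmRef stored = new RealmRef(ldap, before);
        RealmRef callerSnapshot = new RealmRef(saml, before);

        // The configuration later changes: saml1 is removed from the domain.
        DomainConfig now = new DomainConfig(Set.of(new Domain("corp", Set.of(ldap))));

        // Comparing the two stale snapshots still reports "same domain" ...
        boolean staleSays = Objects.equals(stored.domain(), callerSnapshot.domain());
        // ... while the check against live configuration denies access.
        boolean liveSays = sameOwner(stored, saml, now);

        System.out.println("stale snapshot equals: " + staleSays);
        System.out.println("live config check:     " + liveSays);
    }
}
```

Running main shows the two checks disagree once the domain settings have changed: the snapshot comparison says the realms are still in the same domain, the live check does not. That is the reason the review thread warns against using equals or hashCode of a captured RealmRef (or of the Authentication holding it) as the basis for an ownership decision.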