Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add delegated authorization (lookup realms) to LDAP #32156

Merged
merged 5 commits into from
Jul 19, 2018
Merged

Add delegated authorization (lookup realms) to LDAP #32156

merged 5 commits into from
Jul 19, 2018

Conversation

tvernum
Copy link
Contributor

@tvernum tvernum commented Jul 18, 2018

This allows an LDAP realm (but not, in this commit, active directory)
to delegate the User construction to one or more other realms.

The LDAP realm caches the user in order to avoid hitting the directory
for to authenticate every action, but this cache is only used for
password checking. The delegated realms are consulted for each request
and this relies on the cache for each of those realms.

@tvernum
Add delegated authorization (lookup realms) LDAP
663647e 
This allows an LDAP realm (but not, in this commit, active directory)
to delegate the User construction to one or more other realms.

The LDAP realm caches the user in order to avoid hitting the directory
for to authenticate every action, but this cache is only used for
password checking. The delegated realms are consulted for each request
and this relies on the cache for each of those realms.
@tvernum tvernum added >feature review :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Jul 18, 2018
@tvernum tvernum requested review from bizybot and jaymode July 18, 2018 08:07
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@tvernum tvernum changed the title Add delegated authorization (lookup realms) LDAP Add delegated authorization (lookup realms) to LDAP Jul 18, 2018
jaymode
jaymode approved these changes Jul 18, 2018
View reviewed changes
Copy link
Member

@jaymode jaymode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left a naming comment but otherwise LGTM

...c/main/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealm.java Outdated
* The default implementation returns a {@link AuthenticationResult#success(User) success result} with the
* provided user, but sub-classes can return a different {@code User} object, or an unsuccessful result.
*/
protected void restoreCachedUser(User user, ActionListener<AuthenticationResult> listener) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe handleCachedUser ? I'm not sure what restore means in this case

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

handle is good - I struggled with naming this method.

bizybot
bizybot approved these changes Jul 19, 2018
View reviewed changes
Copy link
Contributor

@bizybot bizybot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thank you.

@tvernum tvernum merged commit 291433e into elastic:security-lookup-realms Jul 19, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bizybot bizybot bizybot approved these changes

@jaymode jaymode jaymode approved these changes

Assignees
No one assigned
Labels
>feature :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tvernum @elasticmachine @bizybot @jaymode