-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add delegated authorization (lookup realms) to LDAP #32156
Add delegated authorization (lookup realms) to LDAP #32156
Conversation
This allows an LDAP realm (but not, in this commit, active directory) to delegate the User construction to one or more other realms. The LDAP realm caches the user in order to avoid hitting the directory for to authenticate every action, but this cache is only used for password checking. The delegated realms are consulted for each request and this relies on the cache for each of those realms.
Pinging @elastic/es-security |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left a naming comment but otherwise LGTM
* The default implementation returns a {@link AuthenticationResult#success(User) success result} with the | ||
* provided user, but sub-classes can return a different {@code User} object, or an unsuccessful result. | ||
*/ | ||
protected void restoreCachedUser(User user, ActionListener<AuthenticationResult> listener) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe handleCachedUser ? I'm not sure what restore means in this case
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
handle is good - I struggled with naming this method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, Thank you.
This allows an LDAP realm (but not, in this commit, active directory)
to delegate the User construction to one or more other realms.
The LDAP realm caches the user in order to avoid hitting the directory
for to authenticate every action, but this cache is only used for
password checking. The delegated realms are consulted for each request
and this relies on the cache for each of those realms.