[Kerberos] Remove Kerberos bootstrap checks #32451

Merged
merged 2 commits into from
Jul 31, 2018

@bizybot bizybot commented Jul 28, 2018

This commit removes Kerberos bootstrap checks as they were more
of validation checks and better done in the Kerberos realm constructor
than as bootstrap checks. This also moves the one-Kerberos-realm-per-node
check to where we initialize realms.
This commit adds a few validations which were missing earlier,
like missing read permissions on the keytab file or if it is a directory,
to throw an exception with an error message.

This commit removes Kerberos bootstrap checks as they were more
validation checks and better done in the Kerberos realm constructor
than as bootstrap checks. This also moves the check
for one Kerberos realm per node to where we initialize realms.
This commit adds a few validations which were missing earlier,
like missing read permissions on the keytab file or if it is a directory,
to throw an exception with an error message.
@bizybot bizybot added >bug review :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jul 28, 2018
@elasticmachine
Collaborator

Pinging @elastic/es-security

@bizybot bizybot requested review from tvernum and jaymode July 28, 2018 12:56
@jasontedor
Member

Thank you @bizybot.

@bizybot bizybot added the v7.0.0 label Jul 30, 2018
Contributor

@tvernum tvernum left a comment

LGTM, but I left a suggestion on the message content

if (KerberosRealmSettings.TYPE.equals(type)) {
if (isKerberosRealmConfigured) {
throw new IllegalArgumentException(
"multiple [" + type + "] realms are configured. [" + type + "] can only have one such realm configured");
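
Review bot: The second sentence of the message, "[" + type + "] can only have one such realm configured", reads as if the realm type owns a realm. Since the description calls this the one-Kerberos-realm-per-node check, wording such as "only one [" + type + "] realm can be configured per node" would tell the operator what the limit applies to.
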
Contributor

I know this is the same message as before - but could you extend it to include the names of the realms?

Contributor Author

Yes, I have updated the message. Thank you.

"multiple [" + type + "] realms are configured. [" + type + "] can only have one such realm configured");
}
isKerberosRealmConfigured = true;
}
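
Review bot: `isKerberosRealmConfigured = true` only records that a Kerberos realm was seen, so when a second one arrives the exception cannot say which realm was configured first. Keeping the first realm's name instead of a boolean (null meaning none seen yet) would let the message name both conflicting realms.
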
Contributor

When lookup-realms is merged, we'll have the initialize method available which would allow us to move this into the realm itself which would be a bit neater.

Contributor Author

I am not sure I followed your thought here; could you elaborate? I think you want to make this realm a singleton and throw an error in initialize if it is being initialized again. Not sure if this is what you had in mind, as it does not seem to be a pattern to create a singleton and then initialize it. Thank you.

Contributor

The not-yet-merged initialize method gets passed a list of all the configured realms (which includes access to their type). A Kerberos realm can use that method to check that it is the only realm with type == "kerberos" and throw an exception if there are multiple such realms.

That would allow the "kerberos has special requirements" logic to be contained within the Kerberos realm.

Contributor Author

Oh yes, I forgot the list of realms. Thanks.

Member

@jaymode jaymode left a comment

LGTM. I added version labels since we should backport this and left a request for some cleanup to be done in a follow up.

@@ -178,6 +180,13 @@ public Realm realm(String name) {
}
internalTypes.add(type);
}
if (KerberosRealmSettings.TYPE.equals(type)) {
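
Review bot: The `KerberosRealmSettings.TYPE.equals(type)` branch placed right after `internalTypes.add(type)` puts a realm-specific rule into the generic realm initialization with no comment saying why Kerberos is limited to one realm per node. A short comment above the branch stating the reason would keep the special case understandable for later readers.
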
Member

As a followup PR to this change, let's combine the logic with the internalTypes logic and we can just have the same message that we're using for kerberos.

Contributor Author

Yes, we can discuss this and I will raise a followup PR. Thank you.

@bizybot bizybot merged commit f0b3667 into elastic:master Jul 31, 2018
@bizybot bizybot deleted the remove-kerb-boot-check branch July 31, 2018 00:59
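
The two kinds of validation this pull request discusses (keytab checks done at realm construction, and a single-Kerberos-realm check that names the conflicting realms), sketched as an added example that is not Elasticsearch's own code. The class and method names are hypothetical, and the realm names and temporary keytab path are constructed sample input.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class KerberosRealmConfigCheck {              // hypothetical class, for illustration only
    static final String KERBEROS_TYPE = "kerberos";

    /** Fails fast with a distinct message for each way the keytab can be unusable. */
    static Path validateKeytab(String keytabSetting) {
        Path keytab = Paths.get(keytabSetting);
        if (Files.notExists(keytab)) {
            throw new IllegalArgumentException("keytab file [" + keytab + "] does not exist");
        }
        if (Files.isDirectory(keytab)) {
            throw new IllegalArgumentException("keytab path [" + keytab + "] is a directory");
        }
        if (!Files.isReadable(keytab)) {
            throw new IllegalArgumentException("keytab file [" + keytab + "] is not readable by this process");
        }
        return keytab;
    }

    /** realmTypes maps realm name to realm type; more than one kerberos realm is rejected by name. */
    static void ensureSingleKerberosRealm(Map<String, String> realmTypes) {
        List<String> kerberosRealms = new ArrayList<>();
        for (Map.Entry<String, String> e : realmTypes.entrySet()) {
            if (KERBEROS_TYPE.equals(e.getValue())) kerberosRealms.add(e.getKey());
        }
        if (kerberosRealms.size() > 1) {
            throw new IllegalArgumentException("multiple [" + KERBEROS_TYPE + "] realms are configured "
                + kerberosRealms + "; only one [" + KERBEROS_TYPE + "] realm is allowed per node");
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("keytab-demo");      // constructed sample input
        Path keytab = Files.createFile(dir.resolve("es.keytab"));
        System.out.println("ok: " + validateKeytab(keytab.toString()));
        try { validateKeytab(dir.toString()); } catch (IllegalArgumentException ex) { System.out.println(ex.getMessage()); }
        Map<String, String> realms = new LinkedHashMap<>();       // constructed realm names
        realms.put("native1", "native"); realms.put("kerb1", "kerberos"); realms.put("kerb2", "kerberos");
        try { ensureSingleKerberosRealm(realms); } catch (IllegalArgumentException ex) { System.out.println(ex.getMessage()); }
    }
}
```
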
bizybot added a commit that referenced this pull request Jul 31, 2018
This commit removes Kerberos bootstrap checks as they were more
validation checks and better done in the Kerberos realm constructor
than as bootstrap checks. This also moves the check
for one Kerberos realm per node to where we initialize realms.
This commit adds a few validations which were missing earlier,
like missing read permissions on the keytab file or if it is a directory,
to throw an exception with an error message.
Labels
>bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v6.4.0 v6.5.0 v7.0.0-beta1