Add support for "authorization_realms" #33262
Conversation
Authorizing Realms allow an authenticating realm to delegate the task of constructing a User object (with name, roles, etc) to one or more other realms. This commit allows the PKI realm to delegate authorization to any other configured realm
…arch into security-lookup-realms
Makes "authorizing_realms" a platinum (or trial) feature. If the license is not compliant, then any attempt to authenticate will fail in the same way that "cannot find lookup user" fails, but with a "license not compliant" message.
This allows an LDAP realm (but not, in this commit, active directory) to delegate the User construction to one or more other realms. The LDAP realm caches the user in order to avoid hitting the directory to authenticate every action, but this cache is only used for password checking. The delegated realms are consulted for each request and this relies on the cache for each of those realms.
The previous name incorrectly implies that the realms are actively authorizing something, however the reality is that they are realms that are consulted for the purposes of authorization.
This commit allows Kerberos realm to delegate `User` creation to configured authorization realms. If no authorization realms are configured, then Kerberos realm uses native role mapper to resolve User. In the case of delegated realms, users are not cached.
…urity-lookup-realms
…arch into security-lookup-realms
Allows a SAML realm to lookup user data from another realm (e.g. native, or LDAP) rather than using role mapping from SAML attributes
# Conflicts: # x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java
Adds links to the "authorization_realms" (Delegating authorization to another realm) section to each of the applicable realms, and adds the "authorization_realms" setting to the list of realm settings.
Update Kerberos docs to mention authorization_realms as an alternative to role mapping.
If realm "A" delegates authorization to realm "B" then it is not permissible for realm "B" to also be using delegated authorization. A realm which is in the value for "authorization_realms" must handle its own authorization.
Pinging @elastic/es-security
Every (non-merge) commit in this PR was reviewed before being merged to the
LGTM
I've had a thought and we may have discussed it before, but I've lost the outcome of the discussion. I have a strong feeling that we should have a realm setting This is a simple change IMO and I wouldn't hold up this merge for this as we can open an issue and deal with it in a follow-on if we come to an agreement that this makes sense to add.
You're right. That had been in the back of my head, but I forgot. I raised #33292 with the aim to include it in 6.5
LGTM, Thank you.
Authorization Realms allow an authenticating realm to delegate the task of constructing a User object (with name, roles, etc) to one or more other realms. E.g. A client could authenticate using PKI, but then delegate to an LDAP realm. The LDAP realm performs a "lookup" by principal, and then does regular role-mapping from the discovered user.

This commit includes:
- authorization_realm support in the pki, ldap, saml & kerberos realms
- docs for authorization_realms
- checks that there are no "authorization chains" (whereby "realm-a" delegates to "realm-b", but "realm-b" delegates to "realm-c")

Authorization realms is a platinum feature.
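The delegation flow described in this PR (authenticating realm consults its `authorization_realms` in order, first lookup wins, "cannot find lookup user" or "license not compliant" otherwise) together with the no-chains rule, modelled as an added example. This is not Elasticsearch's code: the `Realm` class, the realm names and the constructed user directories are assumptions for illustration only.

```python
"""Added model of authorization_realms delegation and the no-chains check.

Not Elasticsearch code; realm names, the Realm class and the directories
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class AuthenticationError(Exception):
    """Authentication fails, e.g. no delegated realm knows the principal."""


class LicenseError(AuthenticationError):
    """Delegation is configured but the licence does not permit it."""


@dataclass
class User:
    principal: str
    roles: Tuple[str, ...]


@dataclass
class Realm:
    name: str
    type: str                                   # e.g. "pki", "ldap", "native"
    authorization_realms: List[str] = field(default_factory=list)
    # Constructed stand-in for the realm's own lookup-by-principal plus
    # role mapping: principal -> roles.
    directory: Dict[str, List[str]] = field(default_factory=dict)

    def lookup_user(self, principal: str) -> Optional[User]:
        roles = self.directory.get(principal)
        return None if roles is None else User(principal, tuple(roles))


def validate_realms(realms: Dict[str, Realm]) -> None:
    """Reject unknown delegates and authorization chains (A -> B -> C).

    A realm named in another realm's authorization_realms must handle its
    own authorization, so it may not delegate in turn.
    """
    for realm in realms.values():
        for target in realm.authorization_realms:
            if target not in realms:
                raise ValueError(
                    f"realm [{realm.name}] delegates to unknown realm [{target}]")
            if realms[target].authorization_realms:
                raise ValueError(
                    f"realm [{realm.name}] delegates to [{target}], which itself "
                    f"delegates to {realms[target].authorization_realms}")


def resolve_user(realms: Dict[str, Realm], realm_name: str, principal: str,
                 license_allows_delegation: bool) -> User:
    """Build the User for an already-authenticated principal."""
    realm = realms[realm_name]
    if not realm.authorization_realms:
        # No delegation: the realm does its own role mapping.
        user = realm.lookup_user(principal)
        if user is None:
            raise AuthenticationError(f"unknown user [{principal}] in [{realm_name}]")
        return user
    if not license_allows_delegation:
        # Same failure path as a missing lookup user, different message.
        raise LicenseError("license not compliant for authorization_realms")
    for target in realm.authorization_realms:
        # Delegated realms are consulted on every request (no cache here).
        user = realms[target].lookup_user(principal)
        if user is not None:
            return user
    raise AuthenticationError(
        f"cannot find lookup user [{principal}] in realms {realm.authorization_realms}")


def build_sample_realms() -> Dict[str, Realm]:
    """Constructed configuration: PKI delegates to LDAP, then native."""
    realms = {
        "pki1": Realm("pki1", "pki", authorization_realms=["ldap1", "native1"]),
        "ldap1": Realm("ldap1", "ldap", directory={"alice": ["admin"]}),
        "native1": Realm("native1", "native", directory={"bob": ["monitoring_user"]}),
    }
    validate_realms(realms)
    return realms


def build_chained_realms() -> Dict[str, Realm]:
    """Constructed misconfiguration: saml1 -> pki1 -> ldap1 is a chain."""
    return {
        "saml1": Realm("saml1", "saml", authorization_realms=["pki1"]),
        "pki1": Realm("pki1", "pki", authorization_realms=["ldap1"]),
        "ldap1": Realm("ldap1", "ldap", directory={"alice": ["admin"]}),
    }


if __name__ == "__main__":
    sample = build_sample_realms()
    print(resolve_user(sample, "pki1", "alice", True))
    print(resolve_user(sample, "pki1", "bob", True))
    try:
        validate_realms(build_chained_realms())
    except ValueError as err:
        print("rejected:", err)
```

The validation runs once over the whole realm set at startup, which is where a chain is cheapest to catch; the per-request path only walks the configured delegates in order and never follows a delegate's own `authorization_realms`.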