Add support for "authorization_realms" #33262
Commits on Jul 17, 2018
-
Add authorizing_realms support to PKI realm (#31643)
Authorizing Realms allow an authenticating realm to delegate the task of constructing a User object (with name, roles, etc) to one or more other realms. This commit allows the PKI realm to delegate authorization to any other configured realm
-
Merge branch 'security-lookup-realms' of github.com:elastic/elasticse…
…arch into security-lookup-realms
Commits on Jul 18, 2018
-
Restrict authorizing_realms to platinum only (#32115)
Makes "authorizing_realms" a platinum (or trial) feature. If the license is not compliant, then any attempt to authenticate will fail in the same way that "cannot find lookup user" fails, but with a "license not compliant" message.
Commits on Jul 19, 2018
-
-
Add delegated authorization (lookup realms) to LDAP (#32156)
This allows an LDAP realm (but not, in this commit, active directory) to delegate the User construction to one or more other realms. The LDAP realm caches the user in order to avoid hitting the directory for to authenticate every action, but this cache is only used for password checking. The delegated realms are consulted for each request and this relies on the cache for each of those realms.
Commits on Jul 25, 2018
Commits on Jul 26, 2018
Commits on Jul 30, 2018
Commits on Jul 31, 2018
-
Rename authorizing_realms to authorization_realms (#32391)
The previous name incorrectly implies that the realms are actively authorizing something, however the reality is that they are realms that are consulted for the purposes of authorization.
Commits on Aug 2, 2018
-
[Kerberos] Add authorization realms support to Kerberos realm (#32392)
This commit allows Kerberos realm to delegate `User` creation to configured authorization realms. If no authorization realms are configured, then Kerberos realm uses native role mapper to resolve User. In the case of delegated realms, users are not cached.
Commits on Aug 3, 2018
-
-
Merge remote-tracking branch 'origin/security-lookup-realms' into sec…
…urity-lookup-realms
Commits on Aug 6, 2018
-
Merge branch 'security-lookup-realms' of github.com:elastic/elasticse…
…arch into security-lookup-realms
Commits on Aug 9, 2018
Commits on Aug 10, 2018
-
Add "authorizing_realms" support to SAML realm (#32349)
Allows a SAML realm to lookup user data from another realm (e.g. native, or LDAP) rather than using role mapping from SAML attributes
Commits on Aug 21, 2018
-
Merge branch 'master' into security-lookup-realms
# Conflicts: # x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java
Commits on Aug 24, 2018
-
Merge branch 'master' into security-lookup-realms
# Conflicts: # x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java
Commits on Aug 28, 2018
-
Docs for authorization_realms (#32765)
Adds links to the "authorization_realms" (Delegating authorization to another realm) section to each of the applicable realms, and adds the "authorization_realms" setting to the list of realm settings.
Commits on Aug 29, 2018
Commits on Aug 30, 2018
-
-
[DOCS] Update Kerberos docs for info on authorization_realms (#33224)
Update Kerberos docs to mention authorization_realms as an alternative to role mapping.
-
Prevent chains in authorization_realms (#32732)
If realm "A" delegates authoriaation to realm "B" then it is not permissible for realm "B" to also be using delegated authorization. A realm which is in the value for "authorization_realms" must handle its own authorization.