Add authorizing_realms support to PKI realm (#31643)
Authorizing Realms allow an authenticating realm to delegate the task of constructing a User object (with name, roles, etc.) to one or more other realms. This commit allows the PKI realm to delegate authorization to any other configured realm.
Showing
12 changed files
with
669 additions
and
66 deletions.
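--- /dev/null
+++ b/...a/org/elasticsearch/xpack/core/security/authc/support/DelegatedAuthorizationSettings.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.authc.support;
+
+import org.elasticsearch.common.settings.Setting;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Function;
+
+/**
+ * Settings related to "Delegated Authorization" (aka Lookup Realms)
+ */
+public class DelegatedAuthorizationSettings {
+
+    public static final Setting<List<String>> AUTHZ_REALMS = Setting.listSetting("authorizing_realms",
+        Collections.emptyList(), Function.identity(), Setting.Property.NodeScope);
+
+    public static Collection<Setting<?>> getSettings() {
+        return Collections.singleton(AUTHZ_REALMS);
+    }
+}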
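Review bot: `AUTHZ_REALMS` carries no Javadoc, although it is the setting an operator has to understand to see which realms end up deciding an authenticated user's roles; the class-level comment only names the concept. I would document it on the field: `/** Ordered list of realm names an authenticating realm may delegate user lookup to; empty (the default) disables delegation. The named realms are trusted to supply the user's roles, so list only realms whose user directory is authoritative for these principals. */`. The parser is `Function.identity()`, so blank or repeated names are accepted as written; nothing in this hunk validates them, which is worth stating in that comment unless it is enforced at the point of use.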
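--- /dev/null
+++ b/...in/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java
@@ -0,0 +1,108 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.security.authc.support;
+
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.collect.Tuple;
+import org.elasticsearch.common.logging.Loggers;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
+import org.elasticsearch.xpack.core.security.authc.Realm;
+import org.elasticsearch.xpack.core.security.authc.RealmConfig;
+import org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings;
+import org.elasticsearch.xpack.core.security.user.User;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.elasticsearch.common.Strings.collectionToDelimitedString;
+
+/**
+ * Utility class for supporting "delegated authorization" (aka "authorizing_realms", aka "lookup realms").
+ * A {@link Realm} may support delegating authorization to another realm. It does this by registering a
+ * setting for {@link DelegatedAuthorizationSettings#AUTHZ_REALMS}, and constructing an instance of this
+ * class. Then, after the realm has performed any authentication steps, if {@link #hasDelegation()} is
+ * {@code true}, it delegates the construction of the {@link User} object and {@link AuthenticationResult}
+ * to {@link #resolve(String, ActionListener)}.
+ */
+public class DelegatedAuthorizationSupport {
+
+    private final RealmUserLookup lookup;
+    private final Logger logger;
+
+    /**
+     * Resolves the {@link DelegatedAuthorizationSettings#AUTHZ_REALMS} setting from {@code config} and calls
+     * {@link #DelegatedAuthorizationSupport(Iterable, List, ThreadContext)}
+     */
+    public DelegatedAuthorizationSupport(Iterable<? extends Realm> allRealms, RealmConfig config) {
+        this(allRealms, DelegatedAuthorizationSettings.AUTHZ_REALMS.get(config.settings()), config.threadContext());
+    }
+
+    /**
+     * Constructs a new object that delegates to the named realms ({@code lookupRealms}), which must exist within
+     * {@code allRealms}.
+     * @throws IllegalArgumentException if one of the specified realms does not exist
+     */
+    protected DelegatedAuthorizationSupport(Iterable<? extends Realm> allRealms, List<String> lookupRealms, ThreadContext threadContext) {
+        this.lookup = new RealmUserLookup(resolveRealms(allRealms, lookupRealms), threadContext);
+        this.logger = Loggers.getLogger(getClass());
+    }
+
+    /**
+     * Are there any realms configured for delegated lookup
+     */
+    public boolean hasDelegation() {
+        return this.lookup.hasRealms();
+    }
+
+    /**
+     * Attempts to find the user specified by {@code username} in one of the delegated realms.
+     * The realms are searched in the order specified during construction.
+     * Returns a {@link AuthenticationResult#success(User) successful result} if a {@link User}
+     * was found, otherwise returns an
+     * {@link AuthenticationResult#unsuccessful(String, Exception) unsuccessful result}
+     * with a meaningful diagnostic message.
+     */
+    public void resolve(String username, ActionListener<AuthenticationResult> resultListener) {
+        if (hasDelegation() == false) {
+            resultListener.onResponse(AuthenticationResult.unsuccessful(
+                "No [" + DelegatedAuthorizationSettings.AUTHZ_REALMS.getKey() + "] have been configured", null));
+            return;
+        }
+        ActionListener<Tuple<User, Realm>> userListener = ActionListener.wrap(tuple -> {
+            if (tuple != null) {
+                logger.trace("Found user " + tuple.v1() + " in realm " + tuple.v2());
+                resultListener.onResponse(AuthenticationResult.success(tuple.v1()));
+            } else {
+                resultListener.onResponse(AuthenticationResult.unsuccessful("the principal [" + username
+                    + "] was authenticated, but no user could be found in realms [" + collectionToDelimitedString(lookup.getRealms(), ",")
+                    + "]", null));
+            }
+        }, resultListener::onFailure);
+        lookup.lookup(username, userListener);
+    }
+
+    private List<Realm> resolveRealms(Iterable<? extends Realm> allRealms, List<String> lookupRealms) {
+        final List<Realm> result = new ArrayList<>(lookupRealms.size());
+        for (String name : lookupRealms) {
+            result.add(findRealm(name, allRealms));
+        }
+        assert result.size() == lookupRealms.size();
+        return result;
+    }
+
+    private Realm findRealm(String name, Iterable<? extends Realm> allRealms) {
+        for (Realm realm : allRealms) {
+            if (name.equals(realm.name())) {
+                return realm;
+            }
+        }
+        throw new IllegalArgumentException("configured authorizing realm [" + name + "] does not exist (or is not enabled)");
+    }
+
+}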
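Review bot: `findRealm` accepts any realm whose `name()` matches, so as far as this hunk shows the delegating realm may list itself in `authorizing_realms`, and a name repeated in the list is resolved and then searched twice; the `assert` on `result.size()` in `resolveRealms` catches neither. Rejecting duplicates is cheap in the loop of `resolveRealms`: `final Realm realm = findRealm(name, allRealms);` / `if (result.contains(realm)) { throw new IllegalArgumentException("duplicate authorizing realm [" + name + "]"); }` / `result.add(realm);`, while the self-delegation case needs a check by the caller that knows its own realm name, which is outside this file. Separately, `logger.trace("Found user " + tuple.v1() + " in realm " + tuple.v2())` in `resolve` builds the message string even when trace logging is off; the parameterized form `logger.trace("Found user [{}] in realm [{}]", tuple.v1(), tuple.v2())` avoids that and matches the bracketed style of the other messages in this class.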