Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.16] Expose cluster-state role mappings in APIs (#114951) #115387

Merged
merged 1 commit into from
Oct 23, 2024
Merged

[8.16] Expose cluster-state role mappings in APIs (#114951) #115387

merged 1 commit into from
Oct 23, 2024

Conversation

n1v0lg
Copy link
Contributor

@n1v0lg n1v0lg commented Oct 23, 2024

Backports #114951 with following commit:

@n1v0lg
Expose cluster-state role mappings in APIs (elastic#114951)
cf55d9b 
This PR exposes operator-defined, cluster-state role mappings in the
[Get role mappings
API](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-role-mapping.html).


Cluster-state role mappings are returned with a reserved suffix
`-read-only-operator-mapping`, to disambiguate with native role mappings
stored in the security index. CS role mappings are also marked with a
`_read_only` metadata flag. It's possible to query a CS role mapping
using its name both with and without the suffix.  

CS role mappings can be viewed via the API, but cannot be modified. To
clarify this, the PUT and DELETE role mapping endpoints return header
warnings if native role mappings that name-clash with CS role mappings
are created, modified, or deleted. 

The PR also prevents the creation or role mappings with names ending in
`-read-only-operator-mapping` to ensure that CS role mappings and native
role mappings can always be fully disambiguated.

Finally, the PR changes how CS role mappings are persisted in
cluster-state. CS role mappings are written (and read from disk) in the
`XContent` format. This format omits the role mapping's name. This means
that if CS role mappings are ever recovered from disk (e.g., during a
master-node restart), their names are erased. To address this, this PR
changes CS role mapping serialization to persist the name of a mapping
in a reserved metadata field, and recover it from metadata during
serialization. This allows us to persist the name without BWC-breaks in
role mapping `XContent` format. It also allows us to ensure that role
mappings are re-written to cluster state in the new, name-preserving
format the first time operator file settings are processed.

Depends on: elastic#114295
Relates: ES-9628
@n1v0lg n1v0lg added >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) backport Team:Security Meta label for security team v8.16.0 labels Oct 23, 2024
@n1v0lg n1v0lg self-assigned this Oct 23, 2024
@n1v0lg n1v0lg added auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) and removed v8.16.1 labels Oct 23, 2024
@n1v0lg n1v0lg marked this pull request as ready for review October 23, 2024 07:57
@n1v0lg n1v0lg changed the title Expose cluster-state role mappings in APIs (#114951) [8.16] Expose cluster-state role mappings in APIs (#114951) Oct 23, 2024
@elasticsearchmachine elasticsearchmachine merged commit 8761f39 into elastic:8.16 Oct 23, 2024
20 checks passed
@n1v0lg n1v0lg deleted the 8-16-backport-114951 branch October 23, 2024 08:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@n1v0lg n1v0lg

Labels
auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team v8.16.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@n1v0lg @elasticsearchmachine