Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rename authorizing_realms to authorization_realms #32391

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -415,9 +415,10 @@ public boolean isCustomRoleProvidersAllowed() {
}

/**
* @return whether "authorizing_realms" are allowed based on the license {@link OperationMode}
* @return whether "authorization_realms" are allowed based on the license {@link OperationMode}
* @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
*/
public boolean isAuthorizingRealmAllowed() {
public boolean isAuthorizationRealmAllowed() {
final Status localStatus = status;
return (localStatus.mode == OperationMode.PLATINUM || localStatus.mode == OperationMode.TRIAL)
&& localStatus.active;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
*/
public class DelegatedAuthorizationSettings {

public static final Setting<List<String>> AUTHZ_REALMS = Setting.listSetting("authorizing_realms",
public static final Setting<List<String>> AUTHZ_REALMS = Setting.listSetting("authorization_realms",
Collections.emptyList(), Function.identity(), Setting.Property.NodeScope);

public static Collection<Setting<?>> getSettings() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@
import static org.elasticsearch.common.Strings.collectionToDelimitedString;

/**
* Utility class for supporting "delegated authorization" (aka "authorizing_realms", aka "lookup realms").
* Utility class for supporting "delegated authorization" (aka "authorization_realms", aka "lookup realms").
* A {@link Realm} may support delegating authorization to another realm. It does this by registering a
* setting for {@link DelegatedAuthorizationSettings#AUTHZ_REALMS}, and constructing an instance of this
* class. Then, after the realm has performed any authentication steps, if {@link #hasDelegation()} is
Expand Down Expand Up @@ -74,7 +74,7 @@ public boolean hasDelegation() {
* with a meaningful diagnostic message.
*/
public void resolve(String username, ActionListener<AuthenticationResult> resultListener) {
if (licenseState.isAuthorizingRealmAllowed() == false) {
if (licenseState.isAuthorizationRealmAllowed() == false) {
resultListener.onResponse(AuthenticationResult.unsuccessful(
DelegatedAuthorizationSettings.AUTHZ_REALMS.getKey() + " are not permitted",
LicenseUtils.newComplianceException(DelegatedAuthorizationSettings.AUTHZ_REALMS.getKey())
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ public void init() throws Exception {
defaultGlobalSettings = Settings.builder().put("path.home", createTempDir()).build();
sslService = new SSLService(defaultGlobalSettings, TestEnvironment.newEnvironment(defaultGlobalSettings));
licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthorizingRealmAllowed()).thenReturn(true);
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
}

@After
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ public void setup() throws Exception {
.put("path.home", createTempDir())
.build();
licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthorizingRealmAllowed()).thenReturn(true);
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
}

public void testTokenSupport() {
Expand Down Expand Up @@ -350,7 +350,7 @@ public void testDelegatedAuthorization() throws Exception {
otherRealm.registerUser(lookupUser);

final Settings realmSettings = Settings.builder()
.putList("authorizing_realms", "other_realm")
.putList("authorization_realms", "other_realm")
.build();
final UserRoleMapper roleMapper = buildRoleMapper(Collections.emptySet(), token.dn());
final PkiRealm pkiRealm = buildRealm(roleMapper, realmSettings, otherRealm);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -75,13 +75,13 @@ public void testEmptyDelegationList() throws ExecutionException, InterruptedExce
final AuthenticationResult result = future.get();
assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.CONTINUE));
assertThat(result.getUser(), nullValue());
assertThat(result.getMessage(), equalTo("No [authorizing_realms] have been configured"));
assertThat(result.getMessage(), equalTo("No [authorization_realms] have been configured"));
}

public void testMissingRealmInDelegationList() {
final XPackLicenseState license = getLicenseState(true);
final Settings settings = Settings.builder()
.putList("authorizing_realms", "no-such-realm")
.putList("authorization_realms", "no-such-realm")
.build();
final IllegalArgumentException ex = expectThrows(IllegalArgumentException.class, () ->
new DelegatedAuthorizationSupport(realms, buildRealmConfig("r", settings), license)
Expand All @@ -93,7 +93,7 @@ public void testMatchInDelegationList() throws Exception {
final XPackLicenseState license = getLicenseState(true);
final List<MockLookupRealm> useRealms = shuffle(randomSubsetOf(randomIntBetween(1, realms.size()), realms));
final Settings settings = Settings.builder()
.putList("authorizing_realms", useRealms.stream().map(Realm::name).collect(Collectors.toList()))
.putList("authorization_realms", useRealms.stream().map(Realm::name).collect(Collectors.toList()))
.build();
final User user = new User("my_user");
randomFrom(useRealms).registerUser(user);
Expand All @@ -111,7 +111,7 @@ public void testRealmsAreOrdered() throws Exception {
final List<MockLookupRealm> useRealms = shuffle(randomSubsetOf(randomIntBetween(3, realms.size()), realms));
final List<String> names = useRealms.stream().map(Realm::name).collect(Collectors.toList());
final Settings settings = Settings.builder()
.putList("authorizing_realms", names)
.putList("authorization_realms", names)
.build();
final List<User> users = new ArrayList<>(names.size());
final String username = randomAlphaOfLength(8);
Expand All @@ -135,7 +135,7 @@ public void testNoMatchInDelegationList() throws Exception {
final XPackLicenseState license = getLicenseState(true);
final List<MockLookupRealm> useRealms = shuffle(randomSubsetOf(randomIntBetween(1, realms.size()), realms));
final Settings settings = Settings.builder()
.putList("authorizing_realms", useRealms.stream().map(Realm::name).collect(Collectors.toList()))
.putList("authorization_realms", useRealms.stream().map(Realm::name).collect(Collectors.toList()))
.build();
final DelegatedAuthorizationSupport das = new DelegatedAuthorizationSupport(realms, buildRealmConfig("r", settings), license);
assertThat(das.hasDelegation(), equalTo(true));
Expand All @@ -151,7 +151,7 @@ public void testNoMatchInDelegationList() throws Exception {
public void testLicenseRejection() throws Exception {
final XPackLicenseState license = getLicenseState(false);
final Settings settings = Settings.builder()
.putList("authorizing_realms", realms.get(0).name())
.putList("authorization_realms", realms.get(0).name())
.build();
final DelegatedAuthorizationSupport das = new DelegatedAuthorizationSupport(realms, buildRealmConfig("r", settings), license);
assertThat(das.hasDelegation(), equalTo(true));
Expand All @@ -160,14 +160,14 @@ public void testLicenseRejection() throws Exception {
final AuthenticationResult result = future.get();
assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.CONTINUE));
assertThat(result.getUser(), nullValue());
assertThat(result.getMessage(), equalTo("authorizing_realms are not permitted"));
assertThat(result.getMessage(), equalTo("authorization_realms are not permitted"));
assertThat(result.getException(), instanceOf(ElasticsearchSecurityException.class));
assertThat(result.getException().getMessage(), equalTo("current license is non-compliant for [authorizing_realms]"));
assertThat(result.getException().getMessage(), equalTo("current license is non-compliant for [authorization_realms]"));
}

private XPackLicenseState getLicenseState(boolean authzRealmsAllowed) {
final XPackLicenseState license = mock(XPackLicenseState.class);
when(license.isAuthorizingRealmAllowed()).thenReturn(authzRealmsAllowed);
when(license.isAuthorizationRealmAllowed()).thenReturn(authzRealmsAllowed);
return license;
}
}