-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for "authorization_realms" #33262
Conversation
Authorizing Realms allow an authenticating realm to delegate the task of constructing a User object (with name, roles, etc) to one or more other realms. This commit allows the PKI realm to delegate authorization to any other configured realm
…arch into security-lookup-realms
Makes "authorizing_realms" a platinum (or trial) feature. If the license is not compliant, then any attempt to authenticate will fail in the same way that "cannot find lookup user" fails, but with a "license not compliant" message.
This allows an LDAP realm (but not, in this commit, active directory) to delegate the User construction to one or more other realms. The LDAP realm caches the user in order to avoid hitting the directory for to authenticate every action, but this cache is only used for password checking. The delegated realms are consulted for each request and this relies on the cache for each of those realms.
The previous name incorrectly implies that the realms are actively authorizing something, however the reality is that they are realms that are consulted for the purposes of authorization.
This commit allows Kerberos realm to delegate `User` creation to configured authorization realms. If no authorization realms are configured, then Kerberos realm uses native role mapper to resolve User. In the case of delegated realms, users are not cached.
…urity-lookup-realms
…arch into security-lookup-realms
Allows a SAML realm to lookup user data from another realm (e.g. native, or LDAP) rather than using role mapping from SAML attributes
# Conflicts: # x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java
# Conflicts: # x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java
Adds links to the "authorization_realms" (Delegating authorization to another realm) section to each of the applicable realms, and adds the "authorization_realms" setting to the list of realm settings.
Update Kerberos docs to mention authorization_realms as an alternative to role mapping.
If realm "A" delegates authoriaation to realm "B" then it is not permissible for realm "B" to also be using delegated authorization. A realm which is in the value for "authorization_realms" must handle its own authorization.
Pinging @elastic/es-security |
Every (non-merge) commit in this PR was reviewed before being merged to the
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I've had a thought and we may have discussed it before, but I've lost the outcome of the discussion. I have a strong feeling that we should have a realm setting This is a simple change IMO and I wouldn't hold up this merge for this as we can open a issue and deal with in a follow on if we come to an agreement that this makes sense to add. |
You're right. That had been in the back of my head, but I forgot. I raised #33292 with the aim to include it in 6.5 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, Thank you.
Authorization Realms allow an authenticating realm to delegate the task of constructing a User object (with name, roles, etc) to one or more other realms. E.g. A client could authenticate using PKI, but then delegate to an LDAP realm. The LDAP realm performs a "lookup" by principal, and then does regular role-mapping from the discovered user. This commit includes: - authorization_realm support in the pki, ldap, saml & kerberos realms - docs for authorization_realms - checks that there are no "authorization chains" (whereby "realm-a" delegates to "realm-b", but "realm-b" delegates to "realm-c") Authorization realms is a platinum feature.
Authorization Realms allow an authenticating realm to delegate the task of constructing a User object (with name, roles, etc) to one or more other realms. E.g. A client could authenticate using PKI, but then delegate to an LDAP realm. The LDAP realm performs a "lookup" by principal, and then does regular role-mapping from the discovered user. This commit includes: - authorization_realm support in the pki, ldap, saml & kerberos realms - docs for authorization_realms - checks that there are no "authorization chains" (whereby "realm-a" delegates to "realm-b", but "realm-b" delegates to "realm-c") Authorization realms is a platinum feature.
Authorization Realms allow an authenticating realm to delegate the task
of constructing a User object (with name, roles, etc) to one or more
other realms.
E.g. A client could authenticate using PKI, but then delegate to an LDAP
realm. The LDAP realm performs a "lookup" by principal, and then does
regular role-mapping from the discovered user.
This commit includes:
(whereby "realm-a" delegates to "realm-b", but "realm-b" delegates to "realm-c"
Authorizing_realms is a platinum feature.