[Kerberos] Add realm name & UPN to user metadata #33338
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We have a Kerberos setting to remove realm part from the user principal name (`remove_realm_name`). If this is true then the realm name is removed to form username but in the process, the realm name is lost. For scenarios like Kerberos cross-realm authentication, one could make use of the realm name to determine role mapping for users coming from different realms. This commit adds user metadata for `realm` and `user_principal_name`.
bizybot
added
>feature
review
v7.0.0
:Security/Authentication
|
Pinging @elastic/es-security |
jaymode
approved these changes
Sep 6, 2018
| @@ -197,5 +202,4 @@ public void testDelegatedAuthorization() throws Exception { | |||
| verifyNoMoreInteractions(mockKerberosTicketValidator, mockNativeRoleMappingStore); | |||
| verify(otherRealm, times(2)).lookupUser(eq(expectedUsername), any(ActionListener.class)); | |||
| } | |||
| } | |||
|
|
|||
| } | |||
There was a problem hiding this comment.
nit: leave the newline at the end of the file
tvernum
requested changes
Sep 7, 2018
| final String realmName = (userAndRealmName.length > 1) ? userAndRealmName[1] : null; | ||
| final Map<String, Object> metadata = new HashMap<>(); | ||
| metadata.put("realm", realmName); | ||
| metadata.put("user_principal_name", userPrincipalName); |
There was a problem hiding this comment.
I think these need to be prefixed with kerberos_ (or similar). In particular, adding "realm" metadata that refers to a Kerberos realm rather than an ES realm feels like a problem.
There's precedent here - the LDAP realm uses ldap_dn and ldap_groups.
There was a problem hiding this comment.
Yes, I think the naming was too generic will change it. Thank you.
|
Hi @tvernum, I have changed the name as suggested. Please review when you get some time. Thank you. |
|
Once #33262 (Authorization realms support) is backported, I will backport this change. Thanks. |
jasontedor
added a commit
to jasontedor/elasticsearch
that referenced
this pull request
Sep 14, 2018
* master: (24 commits) Only notify ready global checkpoint listeners (elastic#33690) Don't count hits via the collector if the hit count can be computed from index stats. (elastic#33701) Expose retries for CCR fetch failures (elastic#33694) Test fix - Graph vertices could appear in different orders based on map insertion sequence (elastic#33709) Structured audit logging (elastic#31931) Core: Add DateFormatter interface for java time parsing (elastic#33467) [CCR] Check whether the rejected execution exception has the shutdown flag set (elastic#33703) Mute ClusterDisruptionIT#testSendingShardFailure Revert "Mute FullClusterRestartSettingsUpgradeIT" Adjust BWC version on settings upgrade test (elastic#33650) [ML] Allow overrides for some file structure detection decisions (elastic#33630) Adapt skip version for doc_values format deprecation [TEST] wait for no initializing shards [Docs] Minor fix in `has_child` javadoc comment (elastic#33674) Mute FullClusterRestartSettingsUpgradeIT [Kerberos] Add realm name & UPN to user metadata (elastic#33338) [TESTS] Disable specific locales for RestrictedTrustManagerTest (elastic#33299) SQL: Return functions in JDBC driver metadata (elastic#33672) SCRIPTING: Move terms_set Context to its Own Class (elastic#33602) AwaitsFix testRestoreMinmal ...
bizybot
added a commit
that referenced
this pull request
Oct 18, 2018
We have a Kerberos setting to remove realm part from the user principal name (remove_realm_name). If this is true then the realm name is removed to form username but in the process, the realm name is lost. For scenarios like Kerberos cross-realm authentication, one could make use of the realm name to determine role mapping for users coming from different realms. This commit adds user metadata for kerberos_realm and kerberos_user_principal_name.
colings86
removed
the
:Security/Authorization
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We have a Kerberos setting to remove realm part from the user
principal name (
remove_realm_name). If this is true thenthe realm name is removed to form username but in the process,
the realm name is lost. For scenarios like Kerberos cross-realm
authentication, one could make use of the realm name to determine
role mapping for users coming from different realms.
This commit adds user metadata for
realmanduser_principal_name.