-
Notifications
You must be signed in to change notification settings - Fork 25k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for authentication based predicate for cluster permission #45431
Add support for authentication based predicate for cluster permission #45431
Conversation
Currently, cluster permission checks whether a cluster action is permitted and optionally in the context of a request. There are scenarios where we would want to check whether the cluster action is permitted, optionally in the context of a request and current authentication. For example, management of API keys is only restricted to the API keys owned by the current user. In this case, along with the cluster action and API key request, the check needs to perform whether the currently authenticated user is indeed allowed to operate only on owned API keys. With this commit, we are introducing one more context of the current authentication that can be considered during permission evaluation. Relates: elastic#40031
Pinging @elastic/es-security |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless there is a clear motivation why ActionRequestAuthenticationPredicatePermissionCheck
uses a BiPredicate
instead of two predicates, I think this needs change.
Otherwise, LGTM.
.../src/main/java/org/elasticsearch/xpack/core/security/authz/permission/ClusterPermission.java
Outdated
Show resolved
Hide resolved
…based-permission-check
The permission checks that are dependent on actions and optionally on request and/or on authentication, now have a way to specify the predicates. By default the implementation will tests all the predicates to be successful for the operation to be allowed. In case customization is required one has option to implement `PermissionCheck`. - Adds a permission check predicate interface that also allows implementers to specify behavior for `implies`.
Failed with known issue #45605 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…based-permission-check
@elasticmachine run elasticsearch-ci/packaging-sample |
@elasticmachine run elasticsearch-ci/1 |
…based-permission-check
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left a couple of comments around the exclude patterns.
I'm happy to move forward with this, if you can implement one or the other of those suggestions.
Currently, cluster permission checks whether a cluster action is
permitted and optionally in the context of a request. There are
scenarios where we would want to check whether the cluster action
is permitted, optionally in the context of a request and current
authentication. For example, management of API keys is only
restricted to the API keys owned by the current user. In this case,
along with the cluster action and API key request, the check
needs to perform whether the currently authenticated user is indeed
allowed to operate only on owned API keys.
With this commit, we are introducing one more context of the current
authentication that can be considered during permission evaluation.
Relates: #40031