-
Notifications
You must be signed in to change notification settings - Fork 25k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disallow Password Change when authenticated by Token #49694
Disallow Password Change when authenticated by Token #49694
Conversation
This commit changes that behavior so that we set the authenticatedBy realm reference to _es_token_service in the Authentication object we build and write to the thread context upon successful authentication with an Elasticsearch Token Service access token. This alligns our behavior with the API keys implementation and allows us to make authorization decisions based on the fact that the current request was authenticated by a bearer token ( i.e. disallow change password requests ). The original authentication realm is still available in the token document.
Pinging @elastic/es-security (:Security/Authentication) |
Have we considered any other BWC issues with changing this? We could resolve the password change behaviour by looking at the |
True, this is not the only way to solve the password change behavior but I like it since it's consistent with our behavior for API keys. I looked for other uses of |
Let's discuss this on Thursday morning, I want to get a team view on how we treat/should treat the authenticatedBy attribute of the Authentication object when tokens are used by our own realms ( DelegeatedPKI, OIDC, SAML) |
Changes the approach for disallowing password changes to check the AuthenticationType instead of injecting a custom RealmRef for tokens as the authenticatedBy Realm Reference
@elasticmachine update branch |
// and right now only one can exist in the realm configuration - if this changes we should update this check | ||
final Authentication.AuthenticationType authType = authentication.getAuthenticationType(); | ||
return (authType.equals(Authentication.AuthenticationType.TOKEN) == false | ||
&& authType.equals(Authentication.AuthenticationType.API_KEY) == false ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we blacklist rather than whitelist here?
Shouldn't we just check for the positive authType.equals(Authentication.AuthenticationType.REALM)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're absolutely right
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
I haven't tracked the status of the Kibana side of the change, so I'll leave it to you to work out whether it should be in 7.6 or wait for 7.7
Password changes are only allowed when the user is currently authenticated by a realm (that permits the password to be changed) and not when authenticated by a bearer token or an API key.
@jkakavas Is this still |
Password changes are only allowed when the user is currently authenticated by a realm (that permits the password to be changed) and not when authenticated by a bearer token or an API key.
This commit explicitly disallows Change Password requests
when the user performing the request is authenticated with
an Elasticsearch TokenService access token or an API key.
We should coordinate merging this with kibana since the password change feature would stop working when the token authentication provider is in use in Kibana.
Relates: elastic/kibana#49865
Closes: #48752