
Report anonymous roles in authenticate response #61355

Merged: 3 commits, Aug 24, 2020

Conversation

ywangd
Member

@ywangd ywangd commented Aug 20, 2020

Report anonymous roles in response to "GET _security/_authenticate" API call when:

  • Anonymous role is enabled
  • User is not the anonymous user
  • Credentials are not an API Key

Previous attempt (#53453) tried to solve this issue by relocating anonymous role resolution from authz to authc. It has since been reverted (#57853) because of potential issues on how anonymous access can be used with persisted authentication objects, e.g. Watchers (#57711). Hence the current attempt tries to limit the solution to only the reporting side to avoid potential implications. I personally feel this is an acceptable solution and it is also consistent with the original ask.

Resolves: #47195
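As an added example (not code from this PR or from Elasticsearch), the reporting rule in the three bullets above written as a stand-alone Java sketch: `User`, `AnonymousUser` and `reportedRoles` are simplified stand-ins for the real classes and method, the API-key case is modelled as a boolean, and the role names are constructed.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration of the reporting rule in this PR; not Elasticsearch's own code.
// User and AnonymousUser below are simplified stand-ins for the real classes.
public class AnonymousRoleReporting {

    static class User {
        private final String principal;
        private final String[] roles;
        User(String principal, String... roles) { this.principal = principal; this.roles = roles; }
        String principal() { return principal; }
        String[] roles() { return roles; }
    }

    static final class AnonymousUser extends User {
        private final boolean enabled; // true when anonymous access is configured
        AnonymousUser(boolean enabled, String... roles) { super("_anonymous", roles); this.enabled = enabled; }
        boolean enabled() { return enabled; }
    }

    /**
     * Roles to report from GET _security/_authenticate. Only the response is changed;
     * the authentication object itself is left untouched, which is the point of this PR
     * compared with the reverted attempt that moved anonymous role resolution into authc.
     */
    static String[] reportedRoles(User user, AnonymousUser anonymousUser, boolean credentialIsApiKey) {
        boolean addAnonymousRoles = anonymousUser.enabled()                // anonymous access enabled
                && !user.principal().equals(anonymousUser.principal())     // user is not the anonymous user
                && !credentialIsApiKey;                                    // API keys do not inherit them
        if (!addAnonymousRoles) {
            return user.roles();
        }
        // LinkedHashSet keeps the user's own roles first and drops names present in both lists.
        Set<String> merged = new LinkedHashSet<>(Arrays.asList(user.roles()));
        merged.addAll(Arrays.asList(anonymousUser.roles()));
        return merged.toArray(new String[0]);
    }

    public static void main(String[] args) {
        AnonymousUser anon = new AnonymousUser(true, "anonymous_read", "kibana_user"); // constructed sample
        User alice = new User("alice", "kibana_user", "editor");                        // constructed sample
        System.out.println("realm user:     " + Arrays.toString(reportedRoles(alice, anon, false)));
        System.out.println("api key:        " + Arrays.toString(reportedRoles(alice, anon, true)));
        System.out.println("anonymous user: " + Arrays.toString(reportedRoles(anon, anon, false)));
    }
}
```

The third call shows why the "not the anonymous user" condition matters: the anonymous user already carries its roles, so appending them again would only duplicate the list.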

@ywangd ywangd added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.10.0 labels Aug 20, 2020
@ywangd ywangd requested a review from jkakavas August 20, 2020 06:05
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Aug 20, 2020
Member

@jkakavas jkakavas left a comment


This looks good to me, Yang! Nits are just that, feel free to change or merge as is. Pinging @elastic/kibana-security as they have some tests that expect roles based on the current behavior of the authenticate API and CI will break.

final String[] allRoleNames = Stream.concat(
Stream.of(user.roles()), Stream.of(anonymousUser.roles())).toArray(String[]::new);
listener.onResponse(new AuthenticateResponse(
new Authentication(
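Review bot: Stream.concat(Stream.of(user.roles()), Stream.of(anonymousUser.roles())) will list a role twice when the same name appears in both arrays, so the authenticate response can carry duplicates; adding .distinct() before toArray(String[]::new) keeps the reported role list clean.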
Member


This is rather verbose but I don't have any good suggestions to do otherwise and we don't seem to have a generic need for a cloneWithChanges method!

Member Author


I initially had this logic inside the User class, i.e. User#withRoles, with the intention to simplify things here. But as you said, there is no generic need for this type of method, which made it seem out of place. So I decided to keep everything in this one class. It is verbose but at least self-contained and hopefully easy to understand.

@@ -132,7 +132,7 @@ private void checkAuthentication() throws IOException {
final Map<String, Object> auth = getAsMap("/_security/_authenticate");
// From file realm, configured in build.gradle
Member


nit: maybe add a hint that the anonymous user is enabled, so the test makes more sense when you look at it?

Member Author


Added a comment that anonymous access is configured in build.gradle.

} else {
when(anonymousUser.enabled()).thenReturn(false);
}
final String[] roleNames = randomList(1, 4, () -> randomAlphaOfLengthBetween(4, 12)).toArray(new String[0]);
Member


nit: this only makes sense in the if branch right?

Member Author


You're right. Thanks.

@ywangd ywangd merged commit d6a0642 into elastic:master Aug 24, 2020
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Aug 24, 2020
Report anonymous roles in response to "GET _security/_authenticate" API call when:
* Anonymous role is enabled
* User is not the anonymous user
* Credentials are not an API Key
ywangd added a commit that referenced this pull request Aug 24, 2020
Report anonymous roles in response to "GET _security/_authenticate" API call when:
* Anonymous role is enabled
* User is not the anonymous user
* Credentials are not an API Key
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.10.0 v8.0.0-alpha1

Successfully merging this pull request may close these issues.

Authenticate API should return the roles that are inherited from enabled anonymous access