Migrate custom role providers to licensed feature #79127
Conversation
This changes the license checking for custom role providers to use the new `LicensedFeature` model with feature tracking. To support this, and reduce code complexity the logic for managing role providers has been moved out of the `CompositeRolesStore` into a new `RoleProviders` test.
tvernum
added
>enhancement
:Security/Authorization
|
Pinging @elastic/es-security (Team:Security) |
| List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>> rolesProviders = new ArrayList<>(); | ||
|
|
||
| final Map<String, List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>>> customRoleProviders = new HashMap<>( | ||
| securityExtensions.size() |
There was a problem hiding this comment.
I wouldn't worry about setting the size since it will need some larger number of empty entries internally anyways.
| extensionComponents | ||
| ); | ||
| if (providers != null && providers.isEmpty() == false) { | ||
| customRoleProviders.put(extension.toString(), providers); |
There was a problem hiding this comment.
The generic toString include the hashCode of the object. Is that really an useful information to include? It is not stable. I'd think the class name is sufficient and easier to read.
There was a problem hiding this comment.
I agree in principle, however
we already rely on
extension.toString().
I want to follow up by adding a name() method on extension and replace all of these uses with that instead.
| if (activeRoleProviders.equals(previousProviders) == false) { | ||
| changeListeners.forEach(ChangeListener::providersChanged); | ||
| } |
There was a problem hiding this comment.
Does this mean we currently don't invalidate roles from custom roles provider on license downgrade or expiry?
There was a problem hiding this comment.
I think so.
It looks like the multiple instances of CompositeRolesStore in testCustomRolesProvidersLicensing were needed to avoid the cached values.
...lugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/RoleProviders.java
Outdated
Show resolved
Hide resolved
| providers.addAll(builtInRoleProviders); | ||
|
|
||
| final XPackLicenseState fixedLicenseState = this.licenseState.copyCurrentLicenseState(); | ||
| this.customRoleProviders.forEach((name, customProviders) -> { |
There was a problem hiding this comment.
Nit: The map is unordered, so in theory it is possible to get a providers that has the same entries as the old one but with different orders on license change. This will in turn lead to an unnecessary invalidateAll() invocation for CompositeRolesStore.
There was a problem hiding this comment.
Good point.
Worse, it means that the order of role retrieval can potentially change which could have a semantic difference.
I'll fix it.
There was a problem hiding this comment.
I think this actually means that the use of a Map here is wrong.
I'm going to switch it to be based on a LinkedHashMap for now, but I think the right answer is to pass in a list of paired objects (extension, providers) which will be easier to do when extension has a name() method.
* upstream/master: (109 commits) Migrate custom role providers to licensed feature (elastic#79127) Remove stale AwaitsFix in InternalEngineTests (elastic#79323) Fix errors in RefreshListenersTests (elastic#79324) Reeable BwC Tests after elastic#79318 (elastic#79320) Mute BwC Tests for elastic#79318 (elastic#79319) Reenable BwC Tests after elastic#79308 (elastic#79313) Disable BwC Tests for elastic#79308 (elastic#79310) Adjust BWC for node-level field cap requests (elastic#79301) Allow total memory to be overridden (elastic#78750) Fix SnapshotBasedIndexRecoveryIT#testRecoveryIsCancelledAfterDeletingTheIndex (elastic#79269) Disable BWC tests Mute GeoIpDownloaderCliIT.testStartWithNoDatabases (elastic#79299) Add alias support to fleet search API (elastic#79285) Create a coordinating node level reader for tsdb (elastic#79197) Route documents to the correct shards in tsdb (elastic#77731) Inject migrate action regardless of allocate action (elastic#79090) Migrate to data tiers should always ensure a TIER_PREFERENCE is set (elastic#79100) Skip building of BWC distributions when building release artifacts (elastic#79180) Default ENFORCE_DEFAULT_TIER_PREFERENCE to true (elastic#79275) Deprecation of transient cluster settings (elastic#78794) ... # Conflicts: # server/src/main/java/org/elasticsearch/index/IndexMode.java # server/src/test/java/org/elasticsearch/index/TimeSeriesModeTests.java
* upstream/master: (521 commits) Migrate custom role providers to licensed feature (elastic#79127) Remove stale AwaitsFix in InternalEngineTests (elastic#79323) Fix errors in RefreshListenersTests (elastic#79324) Reeable BwC Tests after elastic#79318 (elastic#79320) Mute BwC Tests for elastic#79318 (elastic#79319) Reenable BwC Tests after elastic#79308 (elastic#79313) Disable BwC Tests for elastic#79308 (elastic#79310) Adjust BWC for node-level field cap requests (elastic#79301) Allow total memory to be overridden (elastic#78750) Fix SnapshotBasedIndexRecoveryIT#testRecoveryIsCancelledAfterDeletingTheIndex (elastic#79269) Disable BWC tests Mute GeoIpDownloaderCliIT.testStartWithNoDatabases (elastic#79299) Add alias support to fleet search API (elastic#79285) Create a coordinating node level reader for tsdb (elastic#79197) Route documents to the correct shards in tsdb (elastic#77731) Inject migrate action regardless of allocate action (elastic#79090) Migrate to data tiers should always ensure a TIER_PREFERENCE is set (elastic#79100) Skip building of BWC distributions when building release artifacts (elastic#79180) Default ENFORCE_DEFAULT_TIER_PREFERENCE to true (elastic#79275) Deprecation of transient cluster settings (elastic#78794) ... # Conflicts: # rest-api-spec/src/yamlRestTest/resources/rest-api-spec/test/tsdb/10_settings.yml # server/src/main/java/org/elasticsearch/common/settings/IndexScopedSettings.java # server/src/main/java/org/elasticsearch/common/settings/Setting.java # server/src/main/java/org/elasticsearch/index/IndexMode.java # server/src/test/java/org/elasticsearch/index/TimeSeriesModeTests.java
This changes the license checking for custom role providers to use the new `LicensedFeature` model with feature tracking. To support this, and reduce code complexity the logic for managing role providers has been moved out of the `CompositeRolesStore` into a new `RoleProviders` test. Backport of: elastic#79127
This changes the license checking for custom role providers to use the new `LicensedFeature` model with feature tracking. To support this, and reduce code complexity the logic for managing role providers has been moved out of the `CompositeRolesStore` into a new `RoleProviders` test. Backport of: #79127
This changes the license checking for custom role providers to use the
new
LicensedFeaturemodel with feature tracking.To support this, and reduce code complexity the logic for managing
role providers has been moved out of the
CompositeRolesStoreinto anew
RoleProvidersclass.