Pluggable authorization engines

[joshbressers]

The elasticsearch security codebase currently has a single authorization service that is backed by roles for role based access control. As we move forward and consider different methods of authorization we should consider having a different backing that could be supported by policies to accomplish ABAC. This also will provide a way for customers that want to implement their own authorization service a way to do so; many large organizations have a single place where authorization rules are kept and there is a desire to be able to reach out to these to make the authorization decisions.

[elasticmachine]

Pinging @elastic/es-security

[joshbressers]

Here is an idea @jaymode put together for this

• The methods are asynchronous as blocking on a network call is not something that will work in elasticsearch
• Caching is left to the implementer as authorization decisions are not cached in elasticsearch
• Auditing is left to the implementer, which allows for auditing decisions to be made based on a policy
• There is no enum of operations, but instead the action name is passed

public abstract class Authorizer {

    public abstract void authorizeRunAs(User authenticatedUser, User runAsUser, ActionListener<AuthorizationDecision> listener);

    public abstract void authorizeCluster(String action, Transport request, ActionListener<AuthorizationDecision> listener);

    public abstract void authorizeIndicesAction(String action, ActionListener<AuthorizationDecision> listener);

    public abstract void authorizeIndices(String action, TransportRequest request, ActionListener<IndicesAccessControl> listener);

    public static class AuthorizationDecision {
        private final boolean authorized;
        private final String details;

        public AuthorizationDecision(boolean authorized, @Nullable String details) {
            this.authorized = authorized;
            this.details = details;
        }

        public boolean isAuthorized() {
            return authorized;
        }

        @Nullable
        public String getDetails() {
            return details;
        }
    }
}

[bizybot]

I like this and can see from the referenced issues that customers do want it.
Just as we are thinking of ABAC as something that we can accomplish, I think we should also pass on the environment/context(naming!) in which the permissions are being evaluated. Just to elaborate on the environment it could be the time of action, the location of action, device from where action is requested etc. As this could be an API implemented by the third party, an explicit passing of environment might be expected.