Fix can access resource checks for API Keys with run as #84277
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ywangd
added a commit
to ywangd/elasticsearch
that referenced
this pull request
Feb 24, 2022
API Key can run-as since elastic#79809. There are places in the code where we assume API key cannot run-as. Most of them are corrected in elastic#81564. But there are still a few things got missed. This PR fixes the methods for checking owner user realm for API key. Note the resource sharing check (canAccessResourcesOf) also needs to be fixed, this will be handled by elastic#84277
ywangd
reviewed
Feb 24, 2022
...in/core/src/main/java/org/elasticsearch/xpack/core/security/authc/AuthenticationContext.java
Outdated
Show resolved
Hide resolved
albertzaharovits
added
v8.1.0
:Security/Authorization
|
Pinging @elastic/es-security (Team:Security) |
ywangd
added a commit
that referenced
this pull request
Feb 28, 2022
API Key can run-as since #79809. There are places in the code where we assume API key cannot run-as. Most of them are corrected in #81564. But there are still a few things got missed. This PR fixes the methods for checking owner user realm for API key. This means, when API Keys "running-as" (impersonating other users), we do not expose the authenticating key ID and name to the end-user such as the Authenticate API and the SetSecurityUseringest processor. Only the effective user is revealed, just like in the regular case of a realm user run as. For audit logging, the key's ID and name are not exposed either. But this is mainly because there are no existing fields suitable for these information. We do intend to add them later (#84394) because auditing logging is to consumed by system admin instead of end-users. Note the resource sharing check (canAccessResourcesOf) also needs to be fixed, this will be handled by #84277
ywangd
reviewed
Feb 28, 2022
...ck/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
Show resolved
Hide resolved
ywangd
approved these changes
Feb 28, 2022
...ck/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
Show resolved
Hide resolved
Comment on lines
198
to
206
| if ((false == FileRealmSettings.TYPE.equals(realmRef.getType()) && false == FileRealmSettings.TYPE.equals(otherRealmRef.getType())) | ||
| || (false == NativeRealmSettings.TYPE.equals(realmRef.getType()) | ||
| && false == NativeRealmSettings.TYPE.equals(otherRealmRef.getType()))) { | ||
| Authentication runAs4 = original.runAs(user, otherRealmRef); | ||
| assertCannotAccessResources(original, runAs4); | ||
| assertCannotAccessResources(original.token(), runAs4); | ||
| assertCannotAccessResources(original, runAs4.token()); | ||
| assertCannotAccessResources(original.token(), runAs4.token()); | ||
| } |
There was a problem hiding this comment.
This if check does not seem to be useful since otherRealmRef is created as:
final RealmRef otherRealmRef = randomValueOtherThan(realmRef, () -> randomRealmRef(false));
So it is never equal to realmRef.
There was a problem hiding this comment.
The if is needed, but it was wrong. I've fixed it, and left a comment.
The idea is that the realm refs are different but if they're both file or both native, then the ownership check should pass.
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/async/AsyncTaskServiceTests.java
Outdated
Show resolved
Hide resolved
|
Btw, I think we probably can drop the |
ywangd
added a commit
to ywangd/elasticsearch
that referenced
this pull request
Feb 28, 2022
API Key can run-as since elastic#79809. There are places in the code where we assume API key cannot run-as. Most of them are corrected in elastic#81564. But there are still a few things got missed. This PR fixes the methods for checking owner user realm for API key. This means, when API Keys "running-as" (impersonating other users), we do not expose the authenticating key ID and name to the end-user such as the Authenticate API and the SetSecurityUseringest processor. Only the effective user is revealed, just like in the regular case of a realm user run as. For audit logging, the key's ID and name are not exposed either. But this is mainly because there are no existing fields suitable for these information. We do intend to add them later (elastic#84394) because auditing logging is to consumed by system admin instead of end-users. Note the resource sharing check (canAccessResourcesOf) also needs to be fixed, this will be handled by elastic#84277
elasticsearchmachine
pushed a commit
that referenced
this pull request
Feb 28, 2022
* Fix owner user realm check for API key authentication (#84325) API Key can run-as since #79809. There are places in the code where we assume API key cannot run-as. Most of them are corrected in #81564. But there are still a few things got missed. This PR fixes the methods for checking owner user realm for API key. This means, when API Keys "running-as" (impersonating other users), we do not expose the authenticating key ID and name to the end-user such as the Authenticate API and the SetSecurityUseringest processor. Only the effective user is revealed, just like in the regular case of a realm user run as. For audit logging, the key's ID and name are not exposed either. But this is mainly because there are no existing fields suitable for these information. We do intend to add them later (#84394) because auditing logging is to consumed by system admin instead of end-users. Note the resource sharing check (canAccessResourcesOf) also needs to be fixed, this will be handled by #84277 * fix test
I added a few helper methods to |
Okay, I'll label this |
albertzaharovits
added
auto-backport-and-merge
auto-merge-without-approval
albertzaharovits
added a commit
to albertzaharovits/elasticsearch
that referenced
this pull request
Feb 28, 2022
This fixes two things for the "can access" authz check: * API Keys running as, have access to the resources created by the effective run as user * tokens created by API Keys (with the client credentials) have access to the API Key's resources In addition, this PR moves some of the authz plumbing code from the Async and Scroll services classes under the Security Context class (as a minor refactoring).
elasticsearchmachine
pushed a commit
that referenced
this pull request
Feb 28, 2022
* Fix can access resource checks for API Keys with run as (#84277) This fixes two things for the "can access" authz check: * API Keys running as, have access to the resources created by the effective run as user * tokens created by API Keys (with the client credentials) have access to the API Key's resources In addition, this PR moves some of the authz plumbing code from the Async and Scroll services classes under the Security Context class (as a minor refactoring). * spotless * Merge fallout * AuthenticationTests Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes two things for the "can access" authz check:
In addition, this PR moves some of the authz plumbing code from the Async and Scroll services classes under the Security Context class (as a minor refactoring).