Ignore app priv failures when resolving superuser #85519
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In elastic#81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only if other roles or application privileges are unavailable
tvernum
added
>bug
:Security/Authorization
|
Pinging @elastic/es-security (Team:Security) |
|
Hi @tvernum, I've created a changelog YAML for you. |
|
@elasticmachine update branch |
tvernum
added
auto-merge-without-approval
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Apr 1, 2022
In elastic#81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only, whenever other roles or application privileges are unavailable Relates: elastic#85312
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Apr 1, 2022
In elastic#81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only, whenever other roles or application privileges are unavailable Relates: elastic#85312
elasticsearchmachine
pushed a commit
that referenced
this pull request
Apr 1, 2022
In #81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only, whenever other roles or application privileges are unavailable Relates: #85312
elasticsearchmachine
pushed a commit
that referenced
this pull request
Apr 1, 2022
In #81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only, whenever other roles or application privileges are unavailable Relates: #85312
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In #81400 we changed
superuserto no longer have every privilege.Consequently, we also removed the special case code that existed that
would ignore all other roles for any user that had superuser role.
However, we added some special handling so that failing to resolve
those other roles would not block superuser access - when a user has
superuser role, any failures in role resolution will be effectively
ignored, and the user will be given the superuser role only.
However, this failure handling did not account for the loading of
application privileges. If application privileges needed to be loaded,
but failed, this could prevent resolution of the superuser role.
This change extends the failure handling to encompass the full
resolution of roles, and fallback to superuser only, whenever other
roles or application privileges are unavailable
Relates: #85312