Allow native users/roles to be disabled via setting (#98654)
This adds 2 new internal settings that can be used to disable security management APIs without disabling security.
- xpack.security.authc.native_users.enabled (default true) controls native user management
- xpack.security.authc.native_roles.enabled (default true) controls native role management
Neither setting is registered to be available in external config - both of these must be managed by a separate plugin.
If native user management is disabled then:
- Native user APIs (/_security/user/) return 401 (gone)
- The default_native realm is not registered
- It is not possible to configure a native realm (the factory is disabled)
If native role management is disabled then:
- Native role APIs (/_security/role/) other than GET return 401 (gone)
- The native roles store never attempts to resolve roles.
The disabling of native user APIs may affect management of reserved users as well, and it is intended that the reserved realm be disabled (xpack.security.authc.reserved_realm.enabled) if native users are disabled.
Showing
34 changed files
with
433 additions
and
51 deletions.
@@ -0,0 +1,5 @@ | ||
pr: 98654 | ||
summary: Allow native users/roles to be disabled via setting | ||
area: Authentication | ||
type: enhancement | ||
issues: [] |
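--- /dev/null
+++ b/...ain/java/org/elasticsearch/xpack/security/rest/action/role/NativeRoleBaseRestHandler.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.rest.action.role;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.ElasticsearchStatusException;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
+import org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler;
+
+abstract class NativeRoleBaseRestHandler extends SecurityBaseRestHandler {
+
+private final Logger logger = LogManager.getLogger(NativeRoleBaseRestHandler.class);
+
+NativeRoleBaseRestHandler(Settings settings, XPackLicenseState licenseState) {
+super(settings, licenseState);
+}
+
+@Override
+protected Exception innerCheckFeatureAvailable(RestRequest request) {
+final Boolean nativeRolesEnabled = settings.getAsBoolean(NativeRolesStore.NATIVE_ROLES_ENABLED, true);
+if (nativeRolesEnabled == false) {
+logger.debug(
+"Attempt to call [{} {}] but [{}] is [{}]",
+request.method(),
+request.rawPath(),
+NativeRolesStore.NATIVE_ROLES_ENABLED,
+settings.get(NativeRolesStore.NATIVE_ROLES_ENABLED)
+);
+return new ElasticsearchStatusException(
+"Native role management is not enabled in this Elasticsearch instance",
+RestStatus.GONE
+);
+} else {
+return null;
+}
+
+}
+}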
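Review bot: The rejection in innerCheckFeatureAvailable returns `RestStatus.GONE`, which is HTTP 410, while the commit description says the native role APIs "return 401 (gone)"; 410 is the right choice here (401 would invite clients to retry with credentials rather than signal that the API is unavailable), so the description should be corrected to match the code. `nativeRolesEnabled` is declared as a boxed `Boolean` and compared with `== false`; since a default of `true` is supplied it can never be null, but `final boolean nativeRolesEnabled = settings.getAsBoolean(NativeRolesStore.NATIVE_ROLES_ENABLED, true);` avoids the unboxing and reads more plainly. The `logger` field could be `private static final` as there is one per handler class, and the stray blank line before the method's closing brace should go. The class itself has no Javadoc; suggest `/** Base class for REST handlers that mutate native roles: the request is rejected with 410 GONE when {@code NativeRolesStore.NATIVE_ROLES_ENABLED} is false, so that disabling native role management is visible to clients without disabling security. */`. The `settings` field read here is presumably inherited from SecurityBaseRestHandler, which is outside this hunk.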