Move configuration of special realms to additionalSettings #51387
Labels
:Security/Authentication
Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)
Team:Security
Meta label for security team
Possibly related: #36591 #50892
At the moment we have 3 special realms for which we do extra configuration that doesn't use the global Settings object.
I would like to consider moving all of that config into the Settings object, by implementing it in Security.additionalSettings().
In that method we would:
Integer.MIN_VALUE
Integer.MIN_VALUE + 1
Integer.MIN_VALUE + 2
When we consider whether the settings include a realm, we would treat enabled: false as being an included realm, so you could explicitly disable any of those 3 realms by adding them to the YML, and setting enabled to false.
This would mean that the node's settings always reflect the actual realm chain.
It would remove the magic setting to disable the reserved realm, and cases where the reserved realm was disabled would be just like any other disabled realm.
We would probably also want to add a validation in Realms to check that the reserved realm had the lowest order, and fail if it didn't.
We'd need to think about how this might work with dynamic realm configuration, but it potentially makes it easier by making all the realm stuff be done through Settings - it would just require that dynamic node config loading and additionalSettings played nicely together.
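A stand-alone model of the proposal above, added here as an example and not Elasticsearch code: it uses a plain Map in place of the Settings class. The realm types other than reserved, the `default_` realm names, the key layout for a reserved realm, which special realm gets which order, and skipping disabled realms during validation are all assumptions.

```java
import java.util.Map;
import java.util.TreeMap;

public class RealmDefaultsSketch {
    static final String PREFIX = "xpack.security.authc.realms.";
    // Assumed types and order assignment; the issue only requires reserved to be lowest.
    static final String[] SPECIAL = {"reserved", "file", "native"};

    /** A realm type counts as included if any key exists for it, even enabled: false. */
    static boolean included(Map<String, String> settings, String type) {
        return settings.keySet().stream().anyMatch(k -> k.startsWith(PREFIX + type + "."));
    }

    /** Model of the proposed additionalSettings(): returns only the keys to add. */
    static Map<String, String> additionalSettings(Map<String, String> node) {
        Map<String, String> extra = new TreeMap<>();
        for (int i = 0; i < SPECIAL.length; i++) {
            if (!included(node, SPECIAL[i])) {
                // "default_<type>" is a hypothetical realm name
                extra.put(PREFIX + SPECIAL[i] + ".default_" + SPECIAL[i] + ".order",
                          Integer.toString(Integer.MIN_VALUE + i));
            }
        }
        return extra;
    }

    /** Proposed validation: an enabled reserved realm must have the lowest order. */
    static void validate(Map<String, String> all) {
        long reserved = Long.MAX_VALUE, others = Long.MAX_VALUE;
        for (Map.Entry<String, String> e : all.entrySet()) {
            String k = e.getKey();
            if (!k.startsWith(PREFIX) || !k.endsWith(".order")) continue;
            String realm = k.substring(0, k.length() - ".order".length());
            if ("false".equals(all.get(realm + ".enabled"))) continue; // assumed: disabled realms are not in the chain
            long order = Long.parseLong(e.getValue());
            if (k.startsWith(PREFIX + "reserved.")) reserved = Math.min(reserved, order);
            else others = Math.min(others, order);
        }
        if (reserved != Long.MAX_VALUE && others <= reserved)
            throw new IllegalArgumentException("reserved realm must have the lowest order");
    }

    public static void main(String[] args) {
        Map<String, String> node = new TreeMap<>();      // constructed sample node settings
        node.put(PREFIX + "native.n1.enabled", "false"); // explicit opt-out: no default is injected
        node.put(PREFIX + "ldap.corp.order", "0");
        Map<String, String> merged = new TreeMap<>(node);
        merged.putAll(additionalSettings(node));
        validate(merged);
        merged.forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```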