Respect runas auth realm for all API key security operations #51975

Closed
ywangd opened this issue Feb 6, 2020 · 5 comments · Fixed by #52178
Labels
>bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)

Comments

@ywangd
Member

ywangd commented Feb 6, 2020

When user A runs as user B and creates an API key, the creator realm is recorded as user B's realm. However, when retrieving or invalidating the above API key, user A's realm will be used. This creates a problem for queries with owner=true and leads to an empty result set, e.g. GET -H 'es-security-runas-user: B' /_security/api_key?id=keyId&owner=true.

This feels like a bug and it is better to have consistent behaviour for how runas realm is handled for all API key security operations. But it will be a breaking change if users are relying on the current behaviour.

@ywangd ywangd added >breaking :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v8.0.0 labels Feb 6, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authentication)

@albertzaharovits
Contributor

I think this is a bug in how the manage_own_api_key privilege works, because it checks ownership as if API keys are created under the realm that did the authentication, but they are actually created under the realm that did the user look-up (the realm that the user running-as is a member of).

@albertzaharovits albertzaharovits changed the title Respect runas auth realm for all API key seucrity operations Respect runas auth realm for all API key security operations Feb 6, 2020
@tvernum
Contributor

tvernum commented Feb 10, 2020

I agree. I think, on analysis, that we should call this a bug, and fix it in 7.x (soon).

As always, one person's bug fix is another person's breaking change, but I'm happy that >bug is the right call here.

ywangd added a commit to ywangd/elasticsearch that referenced this issue Feb 11, 2020
@ywangd
Member Author

ywangd commented Feb 11, 2020

Reading through the ManageOwnApiKeyClusterPrivilege class, I think checkIfUserIsOwnerOfApiKeys needs to be updated as well. Maybe it is what @albertzaharovits meant by manage_own_api_privilege. Sorry, I am still trying to get my head around this area.

@tvernum
Contributor

tvernum commented Feb 11, 2020

@ywangd Yes, I think that needs to change as well.
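The ownership mismatch described in the original report and in albertzaharovits's explanation above can be modelled in a few lines. The following is an added example, not Elasticsearch code: it is a simplified Python model in which an authentication carries both the realm that verified user A's credentials and the realm that looked up the run-as user B, an API key document records the creator's realm at creation time, and two ownership checks (the pre-fix one that compares against the authenticating realm, and the fixed one that compares against the effective, looked-up realm) are run over a constructed key store to reproduce the empty owner=true result. All class names, realm names and the `demo` helper are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class RealmRef:
    """Name and type of a realm (hypothetical model, not Elasticsearch's class)."""
    name: str
    type: str


@dataclass(frozen=True)
class Authentication:
    """A resolved request identity. authenticated_by is the realm that verified
    user A's credentials; looked_up_by is the realm that resolved the run-as
    user B, and is only set when a run-as header was used."""
    principal: str
    authenticated_by: RealmRef
    looked_up_by: Optional[RealmRef] = None

    def effective_realm(self) -> RealmRef:
        # The effective user's realm: B's realm under run-as, A's own realm otherwise.
        return self.looked_up_by if self.looked_up_by is not None else self.authenticated_by


@dataclass(frozen=True)
class ApiKeyDoc:
    """The subset of a stored API key document relevant to ownership."""
    key_id: str
    creator_principal: str
    creator_realm: str


def create_api_key(auth: Authentication, key_id: str) -> ApiKeyDoc:
    """Creation already records the effective (looked-up) realm, as the issue states."""
    return ApiKeyDoc(key_id, auth.principal, auth.effective_realm().name)


def is_owner_before_fix(auth: Authentication, doc: ApiKeyDoc) -> bool:
    """Pre-fix behaviour: ownership is compared against the authenticating realm,
    so under run-as the recorded creator realm (B's) never matches (A's)."""
    return (doc.creator_principal == auth.principal
            and doc.creator_realm == auth.authenticated_by.name)


def is_owner_after_fix(auth: Authentication, doc: ApiKeyDoc) -> bool:
    """Fixed behaviour: compare against the same realm that creation recorded."""
    return (doc.creator_principal == auth.principal
            and doc.creator_realm == auth.effective_realm().name)


def get_api_keys_owner_true(auth: Authentication, docs: List[ApiKeyDoc],
                            is_owner: Callable[[Authentication, ApiKeyDoc], bool]) -> List[str]:
    """Model of GET /_security/api_key?owner=true: ids of the keys the caller owns."""
    return [d.key_id for d in docs if is_owner(auth, d)]


# Constructed sample: user A authenticates via a native realm and runs as user B,
# whose account lives in an LDAP realm. Realm names are made up for this example.
RUN_AS_AUTH = Authentication(
    principal="B",
    authenticated_by=RealmRef("native1", "native"),
    looked_up_by=RealmRef("ldap1", "ldap"),
)
# Same user B logging in directly, without run-as.
DIRECT_AUTH = Authentication(principal="B", authenticated_by=RealmRef("ldap1", "ldap"))


def demo() -> dict:
    """Create a key under run-as, then query it with owner=true both ways."""
    key = create_api_key(RUN_AS_AUTH, "keyId")
    store = [key, ApiKeyDoc("other", "C", "native1")]  # a second, unrelated key
    return {
        "creator_realm": key.creator_realm,
        "before_fix": get_api_keys_owner_true(RUN_AS_AUTH, store, is_owner_before_fix),
        "after_fix": get_api_keys_owner_true(RUN_AS_AUTH, store, is_owner_after_fix),
        "direct_login": get_api_keys_owner_true(DIRECT_AUTH, store, is_owner_after_fix),
    }


if __name__ == "__main__":
    print(demo())
```

Under run-as, the pre-fix check returns no keys even though B just created one, which is the empty result set the report describes; the fixed check returns the key, and also behaves identically for a direct login by B, which is the consistency the issue asks for.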

ywangd added a commit that referenced this issue Feb 27, 2020
When user A runs as user B and performs any API key related operations,
user B's realm should always be used to associate with the API key.
Currently user A's realm is used when getting or invalidating API keys
and owner=true. The PR is to fix this bug.

resolves: #51975
ywangd added a commit to ywangd/elasticsearch that referenced this issue Feb 27, 2020
When user A runs as user B and performs any API key related operations,
user B's realm should always be used to associate with the API key.
Currently user A's realm is used when getting or invalidating API keys
and owner=true. The PR is to fix this bug.

resolves: elastic#51975
ywangd added a commit that referenced this issue Feb 27, 2020
When user A runs as user B and performs any API key related operations,
user B's realm should always be used to associate with the API key.
Currently user A's realm is used when getting or invalidating API keys
and owner=true. The PR is to fix this bug.

resolves: #51975
4 participants