New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Include user's privileges actions in IdP plugin _has_privileges
request
#104026
Conversation
f85dc83
to
dde73ee
Compare
dde73ee
to
0ffae49
Compare
...ity-provider/src/main/java/org/elasticsearch/xpack/idp/privileges/UserPrivilegeResolver.java
Outdated
Show resolved
Hide resolved
...ity-provider/src/main/java/org/elasticsearch/xpack/idp/privileges/UserPrivilegeResolver.java
Outdated
Show resolved
Hide resolved
...ity-provider/src/main/java/org/elasticsearch/xpack/idp/privileges/UserPrivilegeResolver.java
Outdated
Show resolved
Hide resolved
Pinging @elastic/es-security (Team:Security) |
Hi @s-nel, I've created a changelog YAML for you. |
Co-authored-by: Tim Vernum <tim@adjective.org>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
code itself LGTM
however, not sure I understand the functional side or why this change is needed.
Unless sso:custom is returned in GET /_security/privilege/elastic-cloud, custom role will not be present in the SAML response.
Why would sso:custom
NOT be returned by GET /_security/privilege/elastic-cloud
?
that it misses actions defined in roles that may not be present in the predefined application privileges
Isn't that a good thing ? The input to get the application privs is the application name and why would we want to get all the of the them in the role ? (I see the code filters the role results by application name, so no worries about the code, just trying to understand why this change is needed)
Also tangential to this change ... I noticed that we are doing all of this work on the transport thread. The new action call is all local, so it probably doesn't add much overhead but long term we probably want to fork earlier here to get off the transport thread to allow for more concurrent throughput. As-is we we are not getting much benefit from NIO or the overhead of the creating all of these listeners. (we could probably also do some of this work in parallel too) |
The background is that we want to give users the ability to specify a role that they will get during SSO. This could be any custom role that they've configured and we don't know it in advance. Our approach to support this is to add the action to the user's role. For example
Are you suggesting that I make the change in this PR? |
Caught up with @s-nel in slack...thanks for the additional context !
I see now that the idea is the privilege (sso:custom) will not be registered with the application (elastic-cloud). If it was registered it then this PR would not be needed but we could also introduce a possible issue with the cache and introduce a performance issue since we run all registered privileges through a has_privileges check. Since the number of custom privileges are essentially unbounded we need a way to ensure we don't blow up the cache or performance. The change here allows us not register the privilege with the application and instead read the privilege from the role directly. This mitigates the issue since we will not greatly expand the number of privileges for the application and we can grab this new information from the user's role (in the security cluster) directly. It does slightly muddy the water w.r.t. application level privs since for this specific workflow you can you use privs for an application without declaring those privs for the application ...but in the context of the end goal this makes sense. The end result is that we will have pre-defined privileges registered with the application and purely custom roles (represented as privileges that are then are reflected in the SAML assertion used for role mapping) that live only in the role (in the security cluster).
No .. sorry that was not clear. Just something I noticed while reviewing this PR... that change would be way outside the scope of this change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…uest (elastic#104026) * Include user's privileges actions in IdP plugin has privileges request * Update docs/changelog/104026.yaml * Use `GroupedActionListener` instead of nested listeners Co-authored-by: Tim Vernum <tim@adjective.org> * Fixes after applying review suggestion * Fix IT flakiness --------- Co-authored-by: Tim Vernum <tim@adjective.org>
…uest (elastic#104026) * Include user's privileges actions in IdP plugin has privileges request * Update docs/changelog/104026.yaml * Use `GroupedActionListener` instead of nested listeners Co-authored-by: Tim Vernum <tim@adjective.org> * Fixes after applying review suggestion * Fix IT flakiness --------- Co-authored-by: Tim Vernum <tim@adjective.org>
…uest (#104026) (#105522) * Include user's privileges actions in IdP plugin has privileges request * Update docs/changelog/104026.yaml * Use `GroupedActionListener` instead of nested listeners * Fixes after applying review suggestion * Fix IT flakiness --------- Co-authored-by: Tim Vernum <tim@adjective.org>
Currently the identity provider (IdP) plugin pulls and caches a given application's privileges' actions in
ApplicationActionsResolver
which are used to construct a_has_privileges
request and each that matches the service provider's template will be returned as roles in the SAML response. The problem with this approach is that it misses actions defined in roles that may not be present in the predefined application privileges. For example given this role:and service provider that matches
sso:(.*)
. Unlesssso:custom
is returned inGET /_security/privilege/elastic-cloud
,custom
role will not be present in the SAML response.This PR pulls user privileges from the
GET /_security/user/_privileges
response and includes all actions with the matching application in the_has_privileges
request alongside the cached actions.