
Cluster-state based Security role mapper #107410

Merged

Conversation

@albertzaharovits (Contributor) commented Apr 12, 2024

This implements a new UserRoleMapper that sources the role mapping rules from the cluster state.
The role mapping rules are stored under a new custom cluster state that is persisted (both disk and snapshots).
The role mapper refreshes realm caches when role mapping changes are published.
The role mapper is disabled by default, and it can only be enabled from code, by other plugins.
When enabled, the cluster state role mappings rules, if any, are additive to the rules from
the index-based native role mapping store and the file-based DN one.
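
The additive resolution and cache-refresh behaviour the description outlines, as an added example that is not part of this PR or of Elasticsearch's code: every type below (UserData, Rule, RuleSource, RealmCache, CompositeRoleMapper, ClusterStateRuleSource, CachingRealm) is a hypothetical stand-in, not the project's UserRoleMapper, ExpressionRoleMapping or RoleMappingMetadata, and the sample rules in main are constructed. It assumes Java 17 for records.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Added illustration; hypothetical stand-ins, not Elasticsearch's own role-mapping classes. */
public class AdditiveRoleMapperDemo {

    /** Identity data a realm hands to the mapper (hypothetical shape). */
    record UserData(String username, Set<String> groups) {}

    /** One rule: members of {@code group} are granted {@code roles}; a disabled rule grants nothing. */
    record Rule(String group, Set<String> roles, boolean enabled) {}

    /** A source of rules: file-based, native (index-based) or cluster state. */
    interface RuleSource {
        List<Rule> rules();
    }

    /** Anything that caches resolved roles and must be invalidated when rules change. */
    interface RealmCache {
        void clear();
    }

    /** Union of the roles from every source: adding a source can only widen the grant, never narrow it. */
    static final class CompositeRoleMapper {
        private final List<RuleSource> sources = new ArrayList<>();
        private final List<RealmCache> caches = new ArrayList<>();

        void addSource(RuleSource source) { sources.add(source); }
        void registerRealmCache(RealmCache cache) { caches.add(cache); }

        Set<String> resolveRoles(UserData user) {
            Set<String> roles = new TreeSet<>();
            for (RuleSource source : sources) {
                for (Rule rule : source.rules()) {
                    if (rule.enabled() && user.groups().contains(rule.group())) {
                        roles.addAll(rule.roles());
                    }
                }
            }
            return roles;
        }

        /** Called whenever a source publishes new rules: every realm drops its cached resolutions. */
        void onMappingsChanged() { caches.forEach(RealmCache::clear); }
    }

    /** Cluster-state-like source: contributes nothing until enabled from code, notifies on every publish. */
    static final class ClusterStateRuleSource implements RuleSource {
        private final CompositeRoleMapper mapper;
        private volatile boolean enabled = false;
        private volatile List<Rule> published = List.of();

        ClusterStateRuleSource(CompositeRoleMapper mapper) { this.mapper = mapper; }
        void enable() { enabled = true; mapper.onMappingsChanged(); }
        void publish(List<Rule> rules) { published = List.copyOf(rules); mapper.onMappingsChanged(); }

        @Override public List<Rule> rules() { return enabled ? published : List.of(); }
    }

    /** Toy realm: caches each user's resolved roles until the mapper clears the cache. */
    static final class CachingRealm implements RealmCache {
        private final CompositeRoleMapper mapper;
        private final Map<String, Set<String>> cache = new HashMap<>();

        CachingRealm(CompositeRoleMapper mapper) { this.mapper = mapper; mapper.registerRealmCache(this); }
        Set<String> rolesFor(UserData user) {
            return cache.computeIfAbsent(user.username(), k -> mapper.resolveRoles(user));
        }
        @Override public void clear() { cache.clear(); }
    }

    public static void main(String[] args) {
        CompositeRoleMapper mapper = new CompositeRoleMapper();
        // Constructed sample: a file-style source maps group "ops" to a read-only role.
        mapper.addSource(() -> List.of(new Rule("ops", Set.of("monitoring_user"), true)));
        ClusterStateRuleSource clusterState = new ClusterStateRuleSource(mapper);
        mapper.addSource(clusterState);
        CachingRealm realm = new CachingRealm(mapper);

        UserData alice = new UserData("alice", Set.of("ops"));
        System.out.println("cluster-state source disabled: " + realm.rolesFor(alice));

        clusterState.enable();
        clusterState.publish(List.of(new Rule("ops", Set.of("kibana_admin"), true)));
        // The publish cleared the realm cache, so alice is re-mapped instead of served stale roles.
        System.out.println("after publish (additive):      " + realm.rolesFor(alice));

        clusterState.publish(List.of(new Rule("ops", Set.of("kibana_admin"), false)));
        System.out.println("after rule disabled:           " + realm.rolesFor(alice));
    }
}
```

Running main resolves alice's roles three times: only the file-sourced role while the cluster-state source is disabled, the union of both sources once it is enabled and publishes a second rule, and the file-sourced role alone after the cluster-state rule is republished disabled. The middle step is the one to check in a real deployment: because each publish clears the realm cache, a user authenticated before the change is re-mapped on the next lookup rather than keeping stale roles for the cache's lifetime, and because the sources are additive, a rule arriving through cluster state can only widen what the file and native stores already grant, never narrow it.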

@albertzaharovits albertzaharovits changed the title Cluster state role mapper only Cluster state-based Security role mapper Apr 24, 2024
@albertzaharovits albertzaharovits changed the title Cluster state-based Security role mapper Cluster-state based Security role mapper Apr 24, 2024
@albertzaharovits albertzaharovits added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC >enhancement labels Apr 24, 2024
@elasticsearchmachine (Collaborator): Hi @albertzaharovits, I've created a changelog YAML for you.

@albertzaharovits albertzaharovits marked this pull request as ready for review April 24, 2024 14:38
@elasticsearchmachine (Collaborator): Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Apr 24, 2024
@gwbrown (Contributor) left a comment: Thanks for your patience on this review. Nice work, I left a couple comments but nothing major - no need for another round of review once they're addressed to your satisfaction.

```java
@BeforeClass
public static void beforeTests() {
    anonymousRole = randomBoolean();
```
Contributor: Any reason not to just run both every time? Keep the way the tests are parameterized, just run them both ways instead of making it random.

Contributor Author: The xpack.security.authc.anonymous.roles is a static setting, so it's cumbersome to vary from test to test. It's also not super relevant for the scope of the tests.

```java
import static org.elasticsearch.xpack.security.authc.support.mapper.ExpressionRoleMappingTests.randomRoleMapping;
import static org.hamcrest.Matchers.is;

public class RoleMappingMetadataTests extends ESTestCase {
```
Contributor: Why not AbstractWireSerializingTestCase?

Contributor Author: Good point, pushed: 4135aeb

Comment on lines 37 to 38:

```java
verify(userRoleMapper1, times(1)).clearRealmCacheOnChange(eq(realm));
verify(userRoleMapper1, times(1)).clearRealmCacheOnChange(eq(realm));
```
Contributor: I think you meant:

Suggested change

```diff
-verify(userRoleMapper1, times(1)).clearRealmCacheOnChange(eq(realm));
-verify(userRoleMapper1, times(1)).clearRealmCacheOnChange(eq(realm));
+verify(userRoleMapper1, times(1)).clearRealmCacheOnChange(eq(realm));
+verify(userRoleMapper2, times(1)).clearRealmCacheOnChange(eq(realm));
```

?

Contributor Author: Good catch! Thanks!

@albertzaharovits albertzaharovits merged commit 768a001 into elastic:main Apr 30, 2024
20 checks passed
@albertzaharovits albertzaharovits deleted the cluster-state-role-mapper branch April 30, 2024 12:42
Labels: >enhancement, :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC), Team:Security (Meta label for security team), v8.15.0
3 participants