Allow an AuthenticationResult to return metadata #34382

Merged
merged 1 commit into from Oct 12, 2018


tvernum commented Oct 10, 2018

PR #34290 made it impossible to use thread-context values to pass
authentication metadata out of a realm. The SAML realm used this
technique to allow the SamlAuthenticateAction to process the parsed
SAML token, and apply them to the access token that was generated.

This new method adds metadata to the AuthenticationResult itself, and
then the authentication service makes this result available on the
thread context.

Closes: #34332

jaymode left a comment

LGTM

@@ -54,7 +55,12 @@ protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListe
Authentication originatingAuthentication = Authentication.getAuthentication(threadContext);
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
authenticationService.authenticate(SamlAuthenticateAction.NAME, request, saml, ActionListener.wrap(authentication -> {
final Map<String, Object> tokenMeta = threadContext.getTransient(SamlRealm.CONTEXT_TOKEN_DATA);
AuthenticationResult result = threadContext.getTransient(AuthenticationResult.THREAD_CONTEXT_KEY);
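
Review bot: the `result` read from `threadContext.getTransient(AuthenticationResult.THREAD_CONTEXT_KEY)` on the last visible line has no null check in the lines shown here. `getTransient` returns null when nothing was stored under the key, and this read happens inside the listener callback after `threadContext.stashContext()`, so it only works if the authentication service has put the result on the context that is current when the callback runs. If the rest of the hunk does not already cover it, suggest failing the action's listener with an explicit error when `result` is null rather than letting the metadata lookup throw, and declaring `result` as `final` to match the `tokenMeta` declaration above it.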

jaymode Oct 10, 2018

I wonder if we should consider putting the metadata object on the authentication object? It might be extra overhead that we don't need so I am not asking for it to be done here.

@rjernst rjernst removed the review label Oct 10, 2018

tvernum commented Oct 11, 2018

run gradle build tests

@tvernum tvernum merged commit 8d83688 into elastic:master Oct 12, 2018
tvernum added a commit that referenced this pull request Oct 12, 2018
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Oct 15, 2018
kcm added a commit that referenced this pull request Oct 30, 2018
@jimczi jimczi added v7.0.0-beta1 and removed v7.0.0 labels Feb 7, 2019