-
Notifications
You must be signed in to change notification settings - Fork 24.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PKIRealm delegation unsupported without a truststore #45011
PKIRealm delegation unsupported without a truststore #45011
Conversation
Pinging @elastic/es-security |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, Thank you.
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…ecurity/authc/pki/PkiRealm.java Co-Authored-By: Yogesh Gaikwad <902768+bizybot@users.noreply.github.com>
@elasticmachine run elasticsearch-ci/default-distro |
@elasticmachine run elasticsearch-ci/bwc |
@elasticmachine run elasticsearch-ci/default-distro |
@elasticmachine run elasticsearch-ci/bwc |
@elasticmachine run elasticsearch-ci/default-distro |
…tion-without-trustore
In the usual scenario, where the
PKIRealm
works without delegation, a trust configuration is not required at the realm settings scope. In this case the client's certificate chain has been validated by the TLS channel (HTTP), and the realm does not enforce any other extra chain validations. In this case the client's certificate is considered authenticated by the realm.This no-op validation, without a trust configuration at the realm level, is incompatible with the delegation use-case. This commit adds a constructor check to the
PKIRealm
that will forbid togglingdelegation.enabled
without also setting a truststore. Otherwise, the delegation feature would not work at run-time (all API calls will be un-authorized).Thanks Tim for pointing out this problem to me!
Relates #34396