Add support for authentication based predicate for cluster permission #45431


@bizybot (Contributor) commented Aug 12, 2019

Currently, cluster permission checks whether a cluster action is
permitted and optionally in the context of a request. There are
scenarios where we would want to check whether the cluster action
is permitted, optionally in the context of a request and current
authentication. For example, management of API keys is only
restricted to the API keys owned by the current user. In this case,
along with the cluster action and API key request, the check
needs to determine whether the currently authenticated user is indeed
allowed to operate only on owned API keys.
With this commit, we are introducing one more context of the current
authentication that can be considered during permission evaluation.

Relates: #40031


@bizybot bizybot requested review from albertzaharovits and tvernum Aug 12, 2019

@bizybot bizybot marked this pull request as ready for review Aug 12, 2019

@albertzaharovits (Contributor) left a comment

Unless there is a clear motivation why ActionRequestAuthenticationPredicatePermissionCheck uses a BiPredicate instead of two predicates, I think this needs change.
Otherwise, LGTM.

address review comments
The permission checks that are dependent on actions and
optionally on request and/or on authentication, now
have a way to specify the predicates. By default
the implementation will test all the predicates to be
successful for the operation to be allowed.
In case customization is required, one has the option to
implement `PermissionCheck`.

- Adds a permission check predicate interface that also
  allows implementers to specify behavior for `implies`.
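
A sketch of the kind of check the commit message above describes, added here as an example and not taken from this pull request or from Elasticsearch. The record types, the `check`/`implies` signatures, the action names and the username-plus-realm ownership rule are all assumptions made for illustration; it shows every predicate having to pass and the check failing closed when the authentication context is missing.

```java
import java.util.function.Predicate;

// Added illustration: simplified stand-in types, not Elasticsearch classes.
public class OwnedApiKeyCheckExample {
    record Authentication(String username, String realm) {}
    record ApiKeyRequest(String ownerUsername, String ownerRealm) {}

    // Hypothetical shape of the interface; the method signatures are assumptions.
    interface PermissionCheck {
        boolean check(String action, Object request, Authentication authentication);
        boolean implies(PermissionCheck other);
    }

    static final class ManageOwnApiKeyCheck implements PermissionCheck {
        // Constructed action prefix used only in this example.
        private final Predicate<String> actionPredicate =
            action -> action != null && action.startsWith("cluster:admin/example/api_key/");
        private final Predicate<Object> requestPredicate = r -> r instanceof ApiKeyRequest;

        @Override
        public boolean check(String action, Object request, Authentication authentication) {
            // Every predicate must pass; a missing authentication context fails closed.
            if (!actionPredicate.test(action) || !requestPredicate.test(request) || authentication == null) {
                return false;
            }
            ApiKeyRequest r = (ApiKeyRequest) request;
            // Ownership: same username AND same realm, so a same-named user
            // from a different realm is not treated as the owner.
            return authentication.username().equals(r.ownerUsername())
                && authentication.realm().equals(r.ownerRealm());
        }

        @Override
        public boolean implies(PermissionCheck other) {
            // Conservative: this check only implies another check of the same kind.
            return other instanceof ManageOwnApiKeyCheck;
        }
    }

    public static void main(String[] args) {
        PermissionCheck check = new ManageOwnApiKeyCheck();
        Authentication alice = new Authentication("alice", "native1"); // constructed sample user
        String action = "cluster:admin/example/api_key/invalidate";
        System.out.println(check.check(action, new ApiKeyRequest("alice", "native1"), alice)); // own key
        System.out.println(check.check(action, new ApiKeyRequest("bob", "native1"), alice));   // another user's key
        System.out.println(check.check(action, new ApiKeyRequest("alice", "ldap1"), alice));   // same name, other realm
        System.out.println(check.check(action, new ApiKeyRequest("alice", "native1"), null));  // no authentication
        System.out.println(check.check("cluster:monitor/example", new ApiKeyRequest("alice", "native1"), alice));
    }
}
```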

@bizybot bizybot requested a review from albertzaharovits Aug 20, 2019

bizybot added some commits Aug 20, 2019

@bizybot (Contributor Author) commented Aug 20, 2019

Failed with known issue #45605
@elasticmachine run elasticsearch-ci/1

@albertzaharovits (Contributor) left a comment

LGTM

@bizybot (Contributor Author) commented Aug 21, 2019

@elasticmachine run elasticsearch-ci/packaging-sample

@bizybot (Contributor Author) commented Aug 21, 2019

@elasticmachine run elasticsearch-ci/1

@tvernum (Contributor) left a comment

I left a couple of comments around the exclude patterns.
I'm happy to move forward with this, if you can implement one or the other of those suggestions.

bizybot added some commits Aug 22, 2019

@bizybot bizybot merged commit 5661e98 into elastic:manage-own-api-key-privilege Aug 22, 2019

8 checks passed

CLA: All commits in pull request signed
elasticsearch-ci/1: Build finished.
elasticsearch-ci/2: Build finished.
elasticsearch-ci/bwc: Build finished.
elasticsearch-ci/default-distro: Build finished.
elasticsearch-ci/docs: Build finished.
elasticsearch-ci/oss-distro-docs: Build finished.
elasticsearch-ci/packaging-sample: Build finished.