New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make user and role name constraint consistent with max document ID. #86728
Make user and role name constraint consistent with max document ID. #86728
Conversation
This change tries to make user and role name constraints consistent with what is currently allowed to store in the native realm (512). Because the document IDs are prefixed by either `user-` or `role-`, the actual possible max length is a funky looking 507 chars. If we choose (in the future) to allow more than 507 chars we should either consider increasing the max allowed size for document ID or consider hashing names longer than 507 in order to fit into document ID. Closes elastic#66020
…er-and-role-name-validation
Pinging @elastic/es-security (Team:Security) |
Hi @slobodanadamovic, I've created a changelog YAML for you. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
.../core/src/main/java/org/elasticsearch/xpack/core/security/action/user/SetEnabledRequest.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/Validation.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/Validation.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/Validation.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/Validation.java
Outdated
Show resolved
Hide resolved
...ck/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java
Outdated
Show resolved
Hide resolved
…er-and-role-name-validation
…er-and-role-name-validation
…er-and-role-name-validation
Some of the tests are failing due to #86877. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks for being thorough.
This change tries to make user and role name constraints consistent with
what is currently allowed to store in the native realm (512).
Because the document IDs are prefixed by either
user-
orrole-
,the actual possible max length is a funky looking 507 chars.
If we choose (in the future) to allow more than 507 chars we should
either consider increasing the max allowed size for document ID or
consider hashing names longer than 507 in order to fit into document ID.
Note: File realm validation is left as it was and allows max 1024 chars.
I'm not sure if this is something we should reflect in the documentation.
Closes #66020