-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Kerberos] Remove Kerberos bootstrap checks #32451
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -35,6 +35,7 @@ | |
import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; | ||
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm; | ||
import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings; | ||
import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings; | ||
|
||
|
||
/** | ||
|
@@ -152,6 +153,7 @@ protected List<Realm> initRealms() throws Exception { | |
Settings realmsSettings = RealmSettings.get(settings); | ||
Set<String> internalTypes = new HashSet<>(); | ||
List<Realm> realms = new ArrayList<>(); | ||
boolean isKerberosRealmConfigured = false; | ||
for (String name : realmsSettings.names()) { | ||
Settings realmSettings = realmsSettings.getAsSettings(name); | ||
String type = realmSettings.get("type"); | ||
|
@@ -178,6 +180,13 @@ protected List<Realm> initRealms() throws Exception { | |
} | ||
internalTypes.add(type); | ||
} | ||
if (KerberosRealmSettings.TYPE.equals(type)) { | ||
if (isKerberosRealmConfigured) { | ||
throw new IllegalArgumentException( | ||
"multiple [" + type + "] realms are configured. [" + type + "] can only have one such realm configured"); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I know this is the same message as before - but could you extend it to include the names of the realms? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yes, I have updated the message. Thank you. |
||
} | ||
isKerberosRealmConfigured = true; | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. When lookup-realms is merged, we'll have the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I am not sure if I followed your thought here if you could elaborate. I think you want to make this realm singleton and throw an error in There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The not-yet-merged That would allow the kerberos has special requirements logic to be contained within the Kerberos realm. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. oh yes, I forgot the list of realms. Thanks. |
||
realms.add(factory.create(config)); | ||
} | ||
|
||
|
This file was deleted.
This file was deleted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as a followup PR to this change, lets combine the logic with the internalTypes logic and we can just have the same message that we're using for kerberos.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we can discuss this and I will raise followup PR. Thank you.