Skip to content

User Profile - Update APIs to work with domain #83570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ywangd merged 7 commits into from
Feb 11, 2022
Merged

User Profile - Update APIs to work with domain #83570

ywangd merged 7 commits into from
Feb 11, 2022

Conversation

@ywangd
Copy link
Member

@ywangd ywangd commented Feb 7, 2022

This PR updates the three existing profile APIs to work with the new
security domain concept:

  • Domain info gets recoreded when activating profile
  • Domain info is returned appropriately based on the context
  • "Same" profile is returned based on checking realm name and domain
    definition

@ywangd
User Profile - Update APIs to work with domain
022219a 
This PR updates the three existing profile APIs to work with the new
security domain concept:
* Domain info gets recoreded when activating profile
* Domain info is returned appropriately based on the context
* "Same" profile is returned based on checking realm name and domain
  definition
@ywangd ywangd added >enhancement :Security/Security Security issues without another label v8.2.0 labels Feb 7, 2022
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Feb 7, 2022
@elasticmachine
Copy link
Collaborator

elasticmachine commented Feb 7, 2022

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Feb 7, 2022

Hi @ywangd, I've created a changelog YAML for you.

albertzaharovits
albertzaharovits reviewed Feb 7, 2022
View reviewed changes
.../plugin/security/src/main/java/org/elasticsearch/xpack/security/profile/ProfileDocument.java Outdated

public Profile.ProfileUser toProfileUser(@Nullable String realmDomain) {
return new Profile.ProfileUser(username, roles, realm.getName(), realmDomain, email, fullName, displayName, active);
public Profile.ProfileUser toProfileUser(@Nullable String domainName) {
Copy link
Contributor

@albertzaharovits albertzaharovits Feb 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

domainName can come from realm.getDomain().name(), no? Is there a reason we're not using that?

Copy link
Member Author

@ywangd ywangd Feb 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Short answer: We should just use the domain information from the ProfileDocument itself and I updated accordingly.

Long answer: Yes there was a reason. The domain recorded in the document is a snapshot of the configuration at the moment of creation. We agreed that the actual domain information will still be derived from the incoming authentication (if there is one). That is, the final domain info may not be the same as the one recorded in the doc.
That said, the use cases so far in this PR do not see any difference in the two because the document is either newly created or just updated with the incomig authentication. So the two should always have the identical domain info. For simplicity, I agree that this method should not take parameter and just uses the doc's domain info.

albertzaharovits
albertzaharovits reviewed Feb 7, 2022
View reviewed changes
...k/plugin/security/src/main/java/org/elasticsearch/xpack/security/profile/ProfileService.java Outdated
.getDomain()
.realms()
.stream()
.map(RealmConfig.RealmIdentifier::getName)
Copy link
Contributor

@albertzaharovits albertzaharovits Feb 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we were going to rely on the realm name-type tuple for these checks, no?
The fact that realm name is unique in a given node yml config file is not good enough to generally qualify a unique user, as I recall.

Copy link
Member Author

@ywangd ywangd Feb 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes you are right. I had a different thought (along the direction that we may want ultimately rely only on name). But even that is a thing in the future and for now we should still use both name and type. I updated accordingly.

albertzaharovits
albertzaharovits reviewed Feb 7, 2022
View reviewed changes
...lClusterTest/java/org/elasticsearch/xpack/security/profile/ProfileDomainSingleNodeTests.java
import static org.hamcrest.Matchers.notNullValue;
import static org.hamcrest.Matchers.nullValue;

public class ProfileDomainSingleNodeTests extends AbstractProfileSingleNodeTestCase {
Copy link
Contributor

@albertzaharovits albertzaharovits Feb 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I appreciate the conscientiousness in these tests.

albertzaharovits
albertzaharovits reviewed Feb 7, 2022
View reviewed changes
Copy link
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had a couple of comments, and I'll take another look afterwards to make sure I comprehend it all.

@albertzaharovits
Copy link
Contributor

albertzaharovits commented Feb 7, 2022

Not part of this PR but do you think we should do another profile search after a new one has been created, in order to fail if there is a race?

@ywangd
Copy link
Member Author

ywangd commented Feb 8, 2022

Not part of this PR but do you think we should do another profile search after a new one has been created, in order to fail if there is a race?

We definitely need to handle potential racing condition. It should be of its own PR given the likely complexity. I have some idea and we can discuss about it offline.

albertzaharovits
albertzaharovits approved these changes Feb 10, 2022
View reviewed changes
Copy link
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
GH is misbehaving for me, so I'll comment in here:

  • in tests (IT) it would be nice to cover the activate using the token grant
  • the query to search for profiles given a domain, can always use filter instead of should (later, in a follow-up, maybe we can cache it by domain, to avoid the query building on every activate call)

@albertzaharovits
Copy link
Contributor

albertzaharovits commented Feb 10, 2022

always use filter instead of should

I mean instead of must.

@ywangd
Copy link
Member Author

ywangd commented Feb 11, 2022

  • in tests (IT) it would be nice to cover the activate using the token grant

Good point. I updated the test helper method to always randomly activate profile using each the user password or a token created from it.

  • the query to search for profiles given a domain, can always use filter instead of should (later, in a follow-up, maybe we can cache it by domain, to avoid the query building on every activate call)

Yes filter is better since we don't care about score. I have replaced all must with filter.

@ywangd ywangd merged commit 77ace23 into elastic:master Feb 11, 2022
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Feb 22, 2022
@ywangd
User Profile - Use only realmType for file and native realms
880b858 
When locating existing profile document for the given authentication,
use only realm type to search for file and native realms. This is
because there can only ever be a single file or native realm and it does
not matter what name it takes.

Relates: elastic#83570
@ywangd ywangd mentioned this pull request Feb 22, 2022
Merged
ywangd added a commit that referenced this pull request Feb 24, 2022
@ywangd
User Profile - Use only realmType for file and native realms (#84205)
883b312 
When locating existing profile document for the given authentication,
use only realm type to search for file and native realms. This is
because there can only ever be a single file or native realm and it does
not matter what name it takes.

Relates: #83570
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@albertzaharovits albertzaharovits albertzaharovits approved these changes

Assignees

No one assigned

Labels

>enhancement :Security/Security Security issues without another label Team:Security Meta label for security team v8.2.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ywangd @elasticmachine @elasticsearchmachine @albertzaharovits