
authorization: introduce anonymous + agent/service-specific auth #5422

Merged
merged 5 commits into elastic:master from authorization-params
Jun 10, 2021

Conversation

axw (Member) commented Jun 8, 2021

Motivation/summary

Introduce the concept of "anonymous access", i.e. what we do for RUM today. Currently anonymous access is restricted to RUM, but we would like to extend this to the iOS agent.

In addition, we would like to be able to restrict anonymous access to sending data for a fixed set of service names, to ensure they cannot create arbitrary data streams. To achieve this we change the authorization.Authorization interface's AuthorizedFor method to accept a new authorization.Resource type (replacing the old elasticsearch.Resource param) which may contain an agent and/or service name. The authorization implementation can use these to restrict access, either through config or later for API Keys through additional _has_privilege queries.

Checklist

- [ ] Update CHANGELOG.asciidoc
- [ ] Documentation has been updated

How to test these changes

Non-functional change.

Related issues

#5347

axw added 3 commits June 8, 2021 12:50. Commit message:
Introduce a Resource type, which describes a specific
resource for which authorization is being queried. This
can later be used to restrict access to specific agents
and services.

If the supplied resource is the zero value, then the
query is interpreted as checking if the requester has
any access at all. If the resource is non-zero, then
the query is interpreted as checking if the requester
has access to that specific resource (agent/service).
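As an added illustration of the scheme the description and commit message outline (this is example code written for this page, not apm-server's implementation), the Go sketch below shows an Authorization interface whose AuthorizedFor takes a Resource: the zero value asks "any access at all?", a non-zero value asks about a specific agent and/or service, and an AnonymousAuth implementation answers from configured allow-lists so that anonymous clients cannot create arbitrary data streams. The type and method names Resource, Authorization, AnonymousAuth and AuthorizedFor come from the PR text; the field names, the bool result, the "empty allow-list means unrestricted" rule, the context helpers and CheckEvent are this example's assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Resource describes what the requester wants to send data for.
// The zero value means "does the requester have any access at all?";
// a non-zero value means "may the requester send data for this agent
// and/or service?". Field names are an assumption of this example.
type Resource struct {
	AgentName   string // e.g. "rum-js"; empty = not constrained by agent
	ServiceName string // e.g. "frontend"; empty = not constrained by service
}

// IsZero reports whether the resource is the zero value (generic access check).
func (r Resource) IsZero() bool { return r == Resource{} }

// Authorization answers whether the requester may access a Resource.
// Returning a plain bool is a simplification made for this example.
type Authorization interface {
	AuthorizedFor(ctx context.Context, resource Resource) (bool, error)
}

// AnonymousAuth grants unauthenticated access limited to allow-lists of
// agent and service names. An empty list means "no restriction" on that
// dimension (assumption for this example; a real config should set both).
type AnonymousAuth struct {
	AllowedAgents   []string
	AllowedServices []string
}

// AuthorizedFor implements Authorization for anonymous requesters.
func (a AnonymousAuth) AuthorizedFor(_ context.Context, res Resource) (bool, error) {
	if res.IsZero() {
		// Anonymous access is enabled, so the requester has *some* access.
		return true, nil
	}
	if res.AgentName != "" && !allowed(a.AllowedAgents, res.AgentName) {
		return false, nil
	}
	if res.ServiceName != "" && !allowed(a.AllowedServices, res.ServiceName) {
		return false, nil
	}
	return true, nil
}

func allowed(list []string, v string) bool {
	if len(list) == 0 {
		return true
	}
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

type ctxKey struct{}

// ContextWithAuthorization stores the request's Authorization in ctx so that
// per-event checks can run later, after HTTP-level authentication.
func ContextWithAuthorization(ctx context.Context, auth Authorization) context.Context {
	return context.WithValue(ctx, ctxKey{}, auth)
}

// AuthorizationFromContext retrieves what ContextWithAuthorization stored.
func AuthorizationFromContext(ctx context.Context) (Authorization, bool) {
	auth, ok := ctx.Value(ctxKey{}).(Authorization)
	return auth, ok
}

var ErrUnauthorized = errors.New("unauthorized")

// CheckEvent is what an event processor would call per event: it refuses the
// event unless the Authorization in ctx permits this agent+service pair, and
// fails closed when no Authorization was placed in the context at all.
func CheckEvent(ctx context.Context, agentName, serviceName string) error {
	auth, ok := AuthorizationFromContext(ctx)
	if !ok {
		return ErrUnauthorized
	}
	ok, err := auth.AuthorizedFor(ctx, Resource{AgentName: agentName, ServiceName: serviceName})
	if err != nil {
		return err
	}
	if !ok {
		return ErrUnauthorized
	}
	return nil
}

func main() {
	// Constructed sample config: only the RUM agent, only the "frontend" service.
	auth := AnonymousAuth{AllowedAgents: []string{"rum-js"}, AllowedServices: []string{"frontend"}}
	ctx := ContextWithAuthorization(context.Background(), auth)
	fmt.Println("rum-js/frontend:", CheckEvent(ctx, "rum-js", "frontend"))
	fmt.Println("rum-js/billing: ", CheckEvent(ctx, "rum-js", "billing"))
	fmt.Println("java/frontend:  ", CheckEvent(ctx, "java", "frontend"))
}
```

The per-event check matters because the HTTP-level check (zero Resource) only establishes that anonymous access is on; the service name is only known once the event payload is parsed, so the restriction has to be applied again at that point.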
apmmachine (Contributor) commented Jun 8, 2021

💚 Build Succeeded


Build stats

  • Build Cause: Pull request #5422 updated

  • Start Time: 2021-06-10T09:59:51.403+0000

  • Duration: 37 min 46 sec

  • Commit: 360813d

Test stats 🧪

Test Results
Failed 0
Passed 6086
Skipped 120
Total 6206


simitt (Contributor) left a comment
Overall changes look good. Left two comments that are no blockers.

Review threads: beater/api/mux.go (outdated, resolved); beater/authprocessor.go (resolved)
@axw axw marked this pull request as ready for review June 9, 2021 07:19
@axw axw requested a review from simitt June 9, 2021 07:20
@axw axw added the v7.14.0 label Jun 9, 2021
simitt (Contributor) left a comment

Changes look good.

@axw axw enabled auto-merge (squash) June 10, 2021 10:05
@axw axw merged commit 05cde22 into elastic:master Jun 10, 2021
mergify bot pushed a commit that referenced this pull request Jun 10, 2021
* beater/authorization: introduce Resource type

Introduce a Resource type, which describes a specific
resource for which authorization is being queried. This
can later be used to restrict access to specific agents
and services.

If the supplied resource is the zero value, then the
query is interpreted as checking if the requester has
any access at all. If the resource is non-zero, then
the query is interpreted as checking if the requester
has access to that specific resource (agent/service).

* beater/authorization: add context functions

* beater/authorization: introduce AnonymousAuth

* beater: check authorization for agent+service

(cherry picked from commit 05cde22)
@axw axw deleted the authorization-params branch June 10, 2021 13:10
axw added a commit that referenced this pull request Jun 10, 2021
…) (#5434)

* beater/authorization: introduce Resource type

Introduce a Resource type, which describes a specific
resource for which authorization is being queried. This
can later be used to restrict access to specific agents
and services.

If the supplied resource is the zero value, then the
query is interpreted as checking if the requester has
any access at all. If the resource is non-zero, then
the query is interpreted as checking if the requester
has access to that specific resource (agent/service).

* beater/authorization: add context functions

* beater/authorization: introduce AnonymousAuth

* beater: check authorization for agent+service

(cherry picked from commit 05cde22)

Co-authored-by: Andrew Wilkins <axw@elastic.co>
4 participants