-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use a licensed feature per realm-type (+custom) #78810
Changes from 4 commits
e4df2a1
c0c27a4
61beeec
d3add15
3388c54
88951d6
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,9 +7,12 @@ | |
package org.elasticsearch.xpack.security.authc; | ||
|
||
import org.elasticsearch.bootstrap.BootstrapCheck; | ||
import org.elasticsearch.common.Strings; | ||
import org.elasticsearch.common.settings.Settings; | ||
import org.elasticsearch.common.util.set.Sets; | ||
import org.elasticsearch.core.Nullable; | ||
import org.elasticsearch.env.Environment; | ||
import org.elasticsearch.license.LicensedFeature; | ||
import org.elasticsearch.threadpool.ThreadPool; | ||
import org.elasticsearch.watcher.ResourceWatcherService; | ||
import org.elasticsearch.xpack.core.security.authc.Realm; | ||
|
@@ -23,6 +26,7 @@ | |
import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings; | ||
import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings; | ||
import org.elasticsearch.xpack.core.ssl.SSLService; | ||
import org.elasticsearch.xpack.security.Security; | ||
import org.elasticsearch.xpack.security.authc.esnative.NativeRealm; | ||
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore; | ||
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm; | ||
|
@@ -37,7 +41,6 @@ | |
import org.elasticsearch.xpack.security.support.SecurityIndexManager; | ||
|
||
import java.util.Collection; | ||
import java.util.Collections; | ||
import java.util.List; | ||
import java.util.Map; | ||
import java.util.Objects; | ||
|
@@ -52,36 +55,64 @@ | |
*/ | ||
public final class InternalRealms { | ||
|
||
static final String RESERVED_TYPE = ReservedRealm.TYPE; | ||
static final String NATIVE_TYPE = NativeRealmSettings.TYPE; | ||
static final String FILE_TYPE = FileRealmSettings.TYPE; | ||
static final String LDAP_TYPE = LdapRealmSettings.LDAP_TYPE; | ||
static final String AD_TYPE = LdapRealmSettings.AD_TYPE; | ||
static final String PKI_TYPE = PkiRealmSettings.TYPE; | ||
static final String SAML_TYPE = SamlRealmSettings.TYPE; | ||
static final String OIDC_TYPE = OpenIdConnectRealmSettings.TYPE; | ||
static final String KERBEROS_TYPE = KerberosRealmSettings.TYPE; | ||
|
||
private static final Set<String> BUILTIN_TYPES = Set.of(NATIVE_TYPE, FILE_TYPE); | ||
|
||
/** | ||
* The list of all <em>internal</em> realm types, excluding {@link ReservedRealm#TYPE}. | ||
* The map of all <em>licensed</em> internal realm types to their licensed feature | ||
*/ | ||
private static final Set<String> XPACK_TYPES = Collections | ||
.unmodifiableSet(Sets.newHashSet(NativeRealmSettings.TYPE, FileRealmSettings.TYPE, LdapRealmSettings.AD_TYPE, | ||
LdapRealmSettings.LDAP_TYPE, PkiRealmSettings.TYPE, SamlRealmSettings.TYPE, KerberosRealmSettings.TYPE, | ||
OpenIdConnectRealmSettings.TYPE)); | ||
private static final Map<String, LicensedFeature.Persistent> LICENSED_REALMS = Map.ofEntries( | ||
Map.entry(AD_TYPE, Security.AD_REALM_FEATURE), | ||
Map.entry(LDAP_TYPE, Security.LDAP_REALM_FEATURE), | ||
Map.entry(PKI_TYPE, Security.PKI_REALM_FEATURE), | ||
Map.entry(SAML_TYPE, Security.SAML_REALM_FEATURE), | ||
Map.entry(KERBEROS_TYPE, Security.KERBEROS_REALM_FEATURE), | ||
Map.entry(OIDC_TYPE, Security.OIDC_REALM_FEATURE) | ||
); | ||
|
||
/** | ||
* The list of all standard realm types, which are those provided by x-pack and do not have extensive | ||
* interaction with third party sources | ||
* The set of all <em>internal</em> realm types, excluding {@link ReservedRealm#TYPE} | ||
* @deprecated Use of this method (other than in tests) is discouraged. | ||
*/ | ||
private static final Set<String> STANDARD_TYPES = Collections.unmodifiableSet(Sets.newHashSet(NativeRealmSettings.TYPE, | ||
FileRealmSettings.TYPE, LdapRealmSettings.AD_TYPE, LdapRealmSettings.LDAP_TYPE, PkiRealmSettings.TYPE)); | ||
|
||
@Deprecated | ||
public static Collection<String> getConfigurableRealmsTypes() { | ||
return Collections.unmodifiableSet(XPACK_TYPES); | ||
return Set.copyOf(Sets.union(BUILTIN_TYPES, LICENSED_REALMS.keySet())); | ||
} | ||
|
||
/** | ||
* Determines whether <code>type</code> is an internal realm-type that is provided by x-pack, | ||
* excluding the {@link ReservedRealm} and realms that have extensive interaction with | ||
* third party sources | ||
*/ | ||
static boolean isStandardRealm(String type) { | ||
return STANDARD_TYPES.contains(type); | ||
static boolean isInternalRealm(String type) { | ||
return RESERVED_TYPE.equals(type) || BUILTIN_TYPES.contains(type) || LICENSED_REALMS.containsKey(type); | ||
} | ||
|
||
static boolean isBuiltinRealm(String type) { | ||
return FileRealmSettings.TYPE.equals(type) || NativeRealmSettings.TYPE.equals(type); | ||
return BUILTIN_TYPES.contains(type); | ||
} | ||
|
||
/** | ||
* @return The licensed feature for the given realm type, or {@code null} if the realm does not require a specific license type | ||
* @throws IllegalArgumentException if the provided type is not an {@link #isInternalRealm(String) internal realm} | ||
*/ | ||
@Nullable | ||
static LicensedFeature.Persistent getLicensedFeature(String type) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I am not sure about this method. It exists really just for I'd personally move it as a private method in There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. My concern in that we already have too many places that try and keep track of all the builtin realm types. I don't think it's wise for both I can rework There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I changed things around a bit. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. One thing to note is that
And then have a There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks Tim. You proposal of having a class of * "Concept level" may not be really descriptive for its purpose. My intention is to differentiate it from the runtime class |
||
if (Strings.isNullOrEmpty(type)) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should we use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Blanks will still fail below when This code forces clear failures in things that don't implement a type (e.g. poorly configured mocks), but I don't think we need to go out of our way to deal with whitespace there. |
||
throw new IllegalArgumentException("Empty realm type [" + type + "]"); | ||
} | ||
if (type.equals(RESERVED_TYPE) || isBuiltinRealm(type)) { | ||
return null; | ||
} | ||
final LicensedFeature.Persistent feature = LICENSED_REALMS.get(type); | ||
if (feature == null) { | ||
throw new IllegalArgumentException("Unsupported realm type [" + type + "]"); | ||
} | ||
return feature; | ||
} | ||
|
||
/** | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we please use
active-directory
here for consistency with other new features that are using dashes instead of underscore?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can, but the realm type in settings is
active_directory
so we'll lose that consistency.