Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convert security auth feature objects to LicensedFeature #79213

Merged
merged 4 commits into from
Oct 18, 2021
Merged

Convert security auth feature objects to LicensedFeature #79213

merged 4 commits into from
Oct 18, 2021

Conversation

rjernst
Copy link
Member

@rjernst rjernst commented Oct 15, 2021

This commit moves the security auth realm and engine license
checks to use the new LicensedFeature class.

@rjernst
Convert security auth feature objects to LicensedFeature
b2f823b 
This commit moves the security auth realm and engine license
checks to use the new LicensedFeature class.
@rjernst rjernst added >refactoring :Security/License License functionality for commercial features v8.0.0 v7.16.0 labels Oct 15, 2021
@rjernst rjernst requested a review from ywangd October 15, 2021 03:02
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Oct 15, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@rjernst rjernst added the auto-backport-and-merge Automatically create backport pull requests and merge when ready label Oct 15, 2021
tvernum
tvernum reviewed Oct 15, 2021
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code changes seem fine, but

  1. I don't think we want to group these 2 features under a family
  2. I don't think the behaviour we'll get (which is the same as we currently have) is actually what we'll want.

I guess we can tackle item 2 later, but probably need to decide on item 1 now so that we introduce stable names into the API.

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java Outdated
@@ -376,6 +376,12 @@
public static final LicensedFeature.Persistent CUSTOM_REALMS_FEATURE =
LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "custom", License.OperationMode.PLATINUM);

private static final String AUTHORIZATION_FEATURE_FAMILY = "security-authorization";
public static final LicensedFeature.Momentary AUTHORIZATION_REALM_FEATURE =
LicensedFeature.momentary(AUTHORIZATION_FEATURE_FAMILY, "realm", License.OperationMode.PLATINUM);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect authorization realms should be persistent.
They're "in use" by virtue of a setting on a realm, more than because someone authenticated using one. I think we would prefer to have them track the same way realms do (by configuration not active use).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree we should use explicit tracking, I'm just not sure all that will entail. At this point I'm just trying to remove remaining uses of XPackLicenseState.Feature so that there is no confusion or possibility of adding new values there for the life of 7.16.

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java Outdated
@@ -376,6 +376,12 @@
public static final LicensedFeature.Persistent CUSTOM_REALMS_FEATURE =
LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "custom", License.OperationMode.PLATINUM);

private static final String AUTHORIZATION_FEATURE_FAMILY = "security-authorization";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think bundling these under a feature family is meaningful (unless we bundle all of security under a common family).
Authorization realms and Authorization engines don't have any relationship with one another other than both being security features (and having similar words in the name).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I'll remove the family, the similarity of the name made me think they were related. With that in mind, is there a more descriptive name we can use for these? "security-authorization-realm" is going to be confusing with the security realms feature?

Copy link
Contributor

@tvernum tvernum Oct 18, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The public Yaml setting is authorization_realms, and the internal classes refer to it as DelegatedAuthorization

The docs uses both terms (they refer to the concept as "Delegating Authorization ...", but also reference the name of the setting.

My feeling was that authorization-realm[s] is more helpful because it ties into something tangible in the docs (a specific setting), but delegated-authorization would be fine.

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java Outdated
public static final LicensedFeature.Momentary AUTHORIZATION_REALM_FEATURE =
LicensedFeature.momentary(AUTHORIZATION_FEATURE_FAMILY, "realm", License.OperationMode.PLATINUM);
public static final LicensedFeature.Momentary AUTHORIZATION_ENGINE_FEATURE =
LicensedFeature.momentary(AUTHORIZATION_FEATURE_FAMILY, "engine", License.OperationMode.PLATINUM);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the same is true for an AuthorizationEngine. It's a type of plugin, and I think we want to consider it to be in use any time one is installed in the cluster.

@ywangd
Copy link
Member

ywangd commented Oct 15, 2021

I am reomving myself as a reviewer since @tvernum is already on it.

@ywangd ywangd removed their request for review October 15, 2021 04:14
tvernum
tvernum approved these changes Oct 18, 2021
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
If you want to change the feature name from security-authorization-realm to security-delegated-authorization (or a variant on that) that's fine too.

@rjernst
Copy link
Member Author

rjernst commented Oct 18, 2021

Thanks, I updated the name as suggested.

@rjernst rjernst merged commit 444d7ca into elastic:master Oct 18, 2021
@rjernst rjernst deleted the license/security_auth branch October 18, 2021 16:16
@elasticsearchmachine
Copy link
Collaborator

💔 Backport failed

Status Branch Result
7.x Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 79213

rjernst added a commit to rjernst/elasticsearch that referenced this pull request Oct 18, 2021
@rjernst
Convert security auth feature objects to LicensedFeature (elastic#79213)
91d16b4 
This commit moves the security auth realm and engine license
checks to use the new LicensedFeature class.
elasticsearchmachine pushed a commit that referenced this pull request Oct 18, 2021
@rjernst
Convert security auth feature objects to LicensedFeature (#79213) (#7…
40c02ef 
…9386)

This commit moves the security auth realm and engine license
checks to use the new LicensedFeature class.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvernum tvernum tvernum approved these changes

Assignees
No one assigned
Labels
auto-backport-and-merge Automatically create backport pull requests and merge when ready >refactoring :Security/License License functionality for commercial features Team:Security Meta label for security team v7.16.0 v8.0.0-beta1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@rjernst @elasticmachine @ywangd @elasticsearchmachine @tvernum @jakelandis