Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable native & file realms unless explicitly disabled #50892

Closed
tvernum opened this issue Jan 13, 2020 · 3 comments · Fixed by #69096
Closed

Enable native & file realms unless explicitly disabled #50892

tvernum opened this issue Jan 13, 2020 · 3 comments · Fixed by #69096
Assignees
Labels
:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team v8.0.0-alpha1

Comments

@tvernum
Copy link
Contributor

tvernum commented Jan 13, 2020

At the moment we enable "default_native" and "default_file" realms if there are no other realms in the realm chain.

So, the out-of-the-box experience is that native users work.

If you add a realm to the realm chain you lose both the native and file realm, and are expected to configure them explictly.

So, for example, when an admin configures a SAML realm, but fails to add a native or file realm, then their native users will lose acess to the cluster.
The admin will do some research & work out the problem and then configure the native realm, but will often not add the file realm back.

There are 2 problems here.

  1. The experience is painful & unexpected - adding 1 thing breaks something else.
  2. File realms are helpful, and ought to be enabled by default, but this process leads to them often being disabled.

I propose that, in ES 8.0, we add a native and file realm to the realm chain unless the configuration explicitly disables them.

I think there are 3 rough options:

  1. Add new setting(s) like xpack.security.authc.enable_native that default to true. If true, we add a native & file realm to the realm chain, unless they are already in the realm chain.
  2. Don't add any new settings, but always add native & file realms to the realm chain, if they do not already exist. To explicitly disable these realms you would put them in the realm chain with enabled: false.
  3. Make it an error to specify a realm chain that lacks the native & file types (but they may be disabled).

Option (3) is the most explicit. The realm chain is always a true reflection of the cluster's security configuration, and we never mess with it behind the scenes. However, it is not very user friendly. The example above of configuring the SAML realm would fail and we would force the admin to jump through hoops to make the node start.

Option (1) doesn't feel like it adds anything over option (2).

Based on favouring user friendliness over explicit (though an admin can chose to be explicit if they want), I favour option (2).

@tvernum tvernum added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) team-discuss labels Jan 13, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Authentication)

@tvernum tvernum changed the title Enabled native & file realms unless explicitly disabled Enable native & file realms unless explicitly disabled Jan 13, 2020
@ywangd
Copy link
Member

ywangd commented Feb 13, 2020

I don't think the code well supports multiple file realms? I mean you can add multiple file realms but they end up using the same backing file. If user configures a file realm with name other than "default_file", I think we should also disable the default one.

With option 2, what should the code do if user writes xpack.security.authc.realms.file.my-own-file-realm.enabled: false. Should we add the default file realm or report error or something else?

@tvernum
Copy link
Contributor Author

tvernum commented Feb 13, 2020

We discussed in the Security Area meeting and agreed that we want to do this (keep file+native realms enabled unless explicitly disabled) but did not reach a consensus on which implementation option was preferred.

I'm removing team-discuss because I think whoever end up picking up this issue can take responsibility for getting input from others and then making a decision.

@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020
@ywangd ywangd self-assigned this Feb 16, 2021
@ywangd ywangd added the v8.0.0 label Feb 25, 2021
ywangd added a commit that referenced this issue Mar 15, 2021
…9320)

As a precursor for #50892, this PR deprecate the behaviour of file and/or
native realm being implicitly disabled when there are other explicitly
configured realms.

With this change, the recommend way of disabling file/native realm is to
explicitly set enabled to false, e.g.:

xpack.security.authc.realms.file.default_file.enabled: false

This PR ensures that a warning is generated whenever file and/or native realm
is implicitly disabled.

This change also brings a question about the order parameter. Currently, the
order parameter is mandatory in 8.0 and gets a warning message if it is missing
in 7.x. However, it makes sense to not specify the order parameter if the realm
is disabled. So I also updated the order parameter related code to do just
that.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team v8.0.0-alpha1
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants