Disallow realm names with a leading underscore #73250
Labels
>breaking
:Security/Authentication
Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)
Team:Security
Meta label for security team
Comments
ywangd added >breaking :Security/Authentication labels May 19, 2021
Pinging @elastic/es-security (Team:Security)
ywangd added a commit to ywangd/elasticsearch that referenced this issue May 25, 2021
Deprecation warning is now issued if any realm is configured with a name prefixed with an underscore. This applies to all realms regardless of whether they are enabled or not. Relates: elastic#73250
ywangd added a commit that referenced this issue Jun 15, 2021
Deprecation warning is now issued if any realm is configured with a name prefixed with an underscore. This applies to all realms regardless of whether they are enabled or not. Relates: #73250
ywangd added a commit that referenced this issue Jun 15, 2021
UPDATE: Since the realm name plays an important role in API key ownership, this makes it hard for cluster admins to change the realm names. Therefore we decided to only deprecate it for now, including 8.0. Removal will be reconsidered in the future.
masseyke added a commit that referenced this issue Sep 2, 2021
The underscore character is often used inside Elasticsearch to signal a string being reserved, e.g. metadata keys. For realm names, Elasticsearch also creates synthetic realm names with a leading underscore. But currently it is not reserved, which means a user can configure a realm which looks like a synthetic realm. This creates confusion. We should deprecate realm names with a leading underscore in 7.x and disallow them in 8.0.
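An added example, not part of the issue or the Elasticsearch code base: a Python audit that lists configured realms whose name starts with an underscore, whether or not the realm is enabled, matching the scope of the deprecation described above. It assumes the 7.x settings layout `xpack.security.authc.realms.<type>.<name>.<setting>`; the function names and the sample settings are constructed for illustration.

```python
# Added example: audit realm names in Elasticsearch 7.x-style settings.
# Assumption: realm settings live under xpack.security.authc.realms.<type>.<name>.<setting>
REALM_PREFIX = "xpack.security.authc.realms."


def flatten(settings, prefix=""):
    """Flatten nested settings into dotted keys (elasticsearch.yml allows both forms)."""
    flat = {}
    for key, value in settings.items():
        full = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, full + "."))
        else:
            flat[full] = value
    return flat


def configured_realms(settings):
    """Return {(type, name): {setting: value}} for every configured realm."""
    realms = {}
    for key, value in flatten(settings).items():
        if not key.startswith(REALM_PREFIX):
            continue
        parts = key[len(REALM_PREFIX):].split(".", 2)
        if len(parts) < 3:
            continue  # not a <type>.<name>.<setting> key
        rtype, name, setting = parts
        realms.setdefault((rtype, name), {})[setting] = value
    return realms


def underscore_realms(settings):
    """Realms whose name starts with '_', whether enabled or not."""
    return sorted(
        f"{rtype}.{name}"
        for (rtype, name) in configured_realms(settings)
        if name.startswith("_")
    )


# Constructed sample settings (not from the issue), mixing flat and nested keys.
SAMPLE = {
    "xpack.security.authc.realms.native.native1.order": 0,
    "xpack": {"security": {"authc": {"realms": {
        "ldap": {"_corp_ldap": {"order": 1, "enabled": False}},  # disabled, still flagged
        "file": {"_file": {"order": 2}},
        "saml": {"saml_1": {"order": 3}},  # inner underscore only, not flagged
    }}}},
}

if __name__ == "__main__":
    for realm in underscore_realms(SAMPLE):
        print(f"deprecated realm name (leading underscore): {realm}")
```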