Disallow realm names with a leading underscore #73250

Open
ywangd opened this issue May 19, 2021 · 2 comments
Labels
>breaking :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

Member

ywangd commented May 19, 2021

The underscore character is often used inside Elasticsearch to signal a string being reserved, e.g. metadata keys. For realm names, Elasticsearch also creates synthetic realm names with a leading underscore. But currently it is not reserved, which means a user can configure a realm which looks like a synthetic realm. This creates confusion. We should deprecate realm names with a leading underscore in 7.x and disallow them in 8.0.

@ywangd ywangd added >breaking :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels May 19, 2021
@ywangd ywangd self-assigned this May 19, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label May 19, 2021
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

ywangd added a commit to ywangd/elasticsearch that referenced this issue May 25, 2021
A deprecation warning is now issued if any realm is configured with a name
prefixed with an underscore. This applies to all realms regardless of
whether they are enabled or not.

Relates: elastic#73250
ywangd added a commit that referenced this issue Jun 15, 2021
A deprecation warning is now issued if any realm is configured with a name
prefixed with an underscore. This applies to all realms regardless of
whether they are enabled or not.

Relates: #73250
ywangd added a commit that referenced this issue Jun 15, 2021
A deprecation warning is now issued if any realm is configured with a name
prefixed with an underscore. This applies to all realms regardless of
whether they are enabled or not.

Relates: #73250
Member Author

ywangd commented Jun 15, 2021

UPDATE

Since the realm name plays an important role in API key ownership, this makes it hard for cluster admins to change the realm names. Therefore, we decided to only deprecate it for now, including 8.0. Removal will be reconsidered in the future.

masseyke added a commit that referenced this issue Sep 2, 2021
Originally, realm names starting with '_' were going to be prohibited in 8.0. However, it was later decided
to just leave them deprecated. See #73250 (comment).
Relates #73250 #73366
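
A pre-upgrade audit for the condition this issue deprecates, as an added Python example that is not Elasticsearch's own code: it lists every configured realm whose name starts with an underscore, whether or not the realm is enabled. It assumes the 7.x settings layout `xpack.security.authc.realms.<type>.<name>.<setting>` and realm names without dots; the function names and sample settings are constructed for illustration.

```python
from typing import Any, Dict, Iterator, List, Tuple

# Assumed 7.x layout: xpack.security.authc.realms.<type>.<name>.<setting>
REALMS_PREFIX = "xpack.security.authc.realms."


def flatten(settings: Dict[str, Any], prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_key, value) pairs from nested maps, flat dotted keys, or a mix."""
    for key, value in settings.items():
        dotted = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, dotted + ".")
        else:
            yield dotted, value


def underscore_realms(settings: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return sorted (type, name) pairs for realms whose name starts with '_'.

    The 'enabled' setting is deliberately ignored, so disabled realms are
    reported as well.
    """
    found = set()
    for key, _value in flatten(settings):
        if not key.startswith(REALMS_PREFIX):
            continue
        parts = key[len(REALMS_PREFIX):].split(".")
        if len(parts) < 3:  # need <type>.<name>.<setting>
            continue
        realm_type, realm_name = parts[0], parts[1]
        if realm_name.startswith("_"):
            found.add((realm_type, realm_name))
    return sorted(found)


# Constructed sample: the shape of a parsed elasticsearch.yml, mixing flat and nested keys.
SAMPLE = {
    "xpack.security.authc.realms.native._native1.order": 0,
    "xpack": {"security": {"authc": {"realms": {
        "ldap": {
            "_corp": {"order": 1, "enabled": False},  # disabled, still reported
            "corp2": {"order": 2},
        },
    }}}},
    "xpack.security.authc.realms.file.file1.order": 3,
}

if __name__ == "__main__":
    for realm_type, realm_name in underscore_realms(SAMPLE):
        print(f"realm name with leading underscore: {realm_type}/{realm_name}")
```

Because the realm name plays a role in API key ownership, as the update above notes, the output is a list to review rather than a list of names to change blindly.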