Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review and correct checks for AuthenticationType.API_KEY #81425

Closed
ywangd opened this issue Dec 7, 2021 · 1 comment · Fixed by #81564
Closed

Review and correct checks for AuthenticationType.API_KEY #81425

ywangd opened this issue Dec 7, 2021 · 1 comment · Fixed by #81564
Assignees
@ywangd
Labels
:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@ywangd
Copy link
Member

ywangd commented Dec 7, 2021

ES code has some specially handlings for API key authentication (by checking AuthenticationType.API_KEY). Some of these checks assume API key cannot run-as other users, which is no longer true since #79809. For example, GET _security/_authenticate does not print anonymous roles if the authentication type is API key. But this is incorrect if the API key run-as a regular user. Another example is Authentication#canAccessResourceOf which grants access if the API key is the same. But even when the API key is the same, it can run-as different users.
@ywangd ywangd added the :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) label Dec 7, 2021
@ywangd ywangd self-assigned this Dec 7, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Dec 7, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@ywangd ywangd mentioned this issue Dec 8, 2021
Merged
ywangd added a commit that referenced this issue Jan 18, 2022
@ywangd
Fix incorrect assumptions for api_key authentication type (#81564)
223e375 
This is essentially a follow-up PR for #79809 which enables run-as for API keys.
The code still has a few places where it assumes API keys cannot perform run-as. 
This PR fixes the incorrect assumptions and adds relevant tests.

Resolves: #81425
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ywangd ywangd

Labels
:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix incorrect assumptions for api_key authentication type ywangd/elasticsearch
2 participants
@ywangd @elasticmachine