Expose lookup of realm domain config by realm id #106424
Conversation
| * for the passed in {@link RealmConfig.RealmIdentifier}. | ||
| * If the realm is not currently configured, {@code null} is returned. | ||
| */ | ||
| public @Nullable Authentication.RealmRef getRealmRef(RealmConfig.RealmIdentifier realmIdentifier) { |
There was a problem hiding this comment.
This is the goal of this PR.
It exposes the domain configuration (the set of realm ids) for a given realm id.
The plan is to use the realm id of the API Key owner to retrieve the domain using this method. Then retrieve the profiles associated to any of the realms in the domain.
| if (FileRealmSettings.TYPE.equals(realmIdentifier.getType())) { | ||
| return getFileRealmRef(); | ||
| } else if (NativeRealmSettings.TYPE.equals(realmIdentifier.getType())) { | ||
| return getNativeRealmRef(); |
There was a problem hiding this comment.
The kink here is that the name of the native or file realms is irrelevant, when considering the domain configuration, see also
. Moreover there is always exactly one RealmRef for both file and native realms (which may contain the domain conf). The rationale is that the file and native realms always refer to the same corpus of internal users.| } else if (ReservedRealm.TYPE.equals(realmIdentifier.getType())) { | ||
| return getReservedRealmRef(); |
There was a problem hiding this comment.
The reserved realm is less relevant in the domain context, because it cannot be assigned to any.
albertzaharovits
changed the title
albertzaharovits
added
>refactoring
:Security/Security
|
Pinging @elastic/es-security (Team:Security) |
| builder.put("xpack.security.authc.realms.native." + nativeRealmName + ".order", 4); | ||
| String fileRealmName = randomFrom("f" + randomAlphaOfLength(8), FileRealmSettings.DEFAULT_NAME); | ||
| builder.put("xpack.security.authc.realms.file." + fileRealmName + ".enabled", randomBoolean()); | ||
| builder.put("xpack.security.authc.realms.file." + fileRealmName + ".order", 5); |
There was a problem hiding this comment.
Optional since that's really not the focus of the PR, but for coverage we might also randomly disable the reserved realm via builder.put("xpack.security.authc.reserved_realm.enabled", randomBoolean());
There was a problem hiding this comment.
Good tip, thanks!
Pushed 2aa73cd.
|
Thanks for the speedy review, @n1v0lg! |
The scope here is to expose a method (
Realms#getRealmRef) that can be usedto retrieve the realm domain assignments for any realm id.