From a646e42a7c7129d7d7638d253b0bf0b6cdc38af9 Mon Sep 17 00:00:00 2001
From: jimczi
Date: Sat, 4 Apr 2020 10:46:11 +0200
Subject: [PATCH 1/2] Fix transport serialization of AsyncSearchUser
This change ensures that the AsyncSearchUser is correctly (de)serialized when an action executed by this user is sent to a remote node internally (via transport client).
---
 .../user/InternalUserSerializationHelper.java | 5 +++++
 .../xpack/security/authz/AuthorizationService.java | 3 ++-
 .../xpack/security/user/UserSerializationTests.java | 11 +++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUserSerializationHelper.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUserSerializationHelper.java
index fa41828a7bba8..0a2f953aa7d37 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUserSerializationHelper.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUserSerializationHelper.java
@@ -21,6 +21,8 @@ public static User readFrom(StreamInput input) throws IOException {
 return XPackUser.INSTANCE;
 } else if (XPackSecurityUser.is(username)) {
 return XPackSecurityUser.INSTANCE;
+ } else if (AsyncSearchUser.is(username)) {
+ return AsyncSearchUser.INSTANCE;
 }
 throw new IllegalStateException("user [" + username + "] is not an internal user");
 }
@@ -36,6 +38,9 @@ public static void writeTo(User user, StreamOutput output) throws IOException {
 } else if (XPackSecurityUser.is(user)) {
 output.writeBoolean(true);
 output.writeString(XPackSecurityUser.NAME);
+ } else if (AsyncSearchUser.is(user)) {
+ output.writeBoolean(true);
+ output.writeString(AsyncSearchUser.NAME);
 } else {
 User.writeTo(user, output);
 }
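Review bot: The set of internal users is spelled out by hand in three separate chains: this `readFrom` branch, the matching `writeTo` branch in the second hunk of this file, and `isInternalUser` in AuthorizationService.java. This commit has to add the same user to all three. Because these chains decide whether a deserialized principal is treated as a built-in identity, a single shared list or predicate that all three consult would keep them from drifting apart when the next internal user is introduced. Short of that, a comment above the chain such as `// keep in sync with writeTo() and AuthorizationService#isInternalUser` would at least flag the coupling. readFrom's body starts outside the hunk.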
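Review bot: The new `writeTo` branch emits the internal-user marker and `AsyncSearchUser.NAME` unconditionally, with no check of the stream's wire version. A receiver without the matching `readFrom` branch would fall through to the `IllegalStateException` thrown at the end of `readFrom` in the previous hunk. Whether nodes that know AsyncSearchUser but lack this patch can exist in a mixed-version cluster is not determinable from this page; if they can, gate the branch on `output.getVersion()` and fall back to `User.writeTo(user, output)` for older peers. If no such release exists, a one-line comment saying so would settle the question for later readers. writeTo's body starts outside the hunk.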
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
index ecef97bd375a8..42d123616f671 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -59,6 +59,7 @@
 import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
+import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.security.user.XPackSecurityUser;
@@ -417,7 +418,7 @@ private TransportRequest maybeUnwrapRequest(Authentication authentication, Trans
 }
 private boolean isInternalUser(User user) {
- return SystemUser.is(user) || XPackUser.is(user) || XPackSecurityUser.is(user);
+ return SystemUser.is(user) || XPackUser.is(user) || XPackSecurityUser.is(user) || AsyncSearchUser.is(user);
 }
 private void authorizeRunAs(final RequestInfo requestInfo, final AuthorizationInfo authzInfo,
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/user/UserSerializationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/user/UserSerializationTests.java
index 68b54198980d6..fa7f2719a8543 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/user/UserSerializationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/user/UserSerializationTests.java
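Review bot: Adding `AsyncSearchUser.is(user)` to `isInternalUser` changes an authorization-side predicate, which goes beyond the (de)serialization fix the commit message describes, and no unit test in this patch covers it. The callers of `isInternalUser` are outside the hunk, so what this user now gains or skips during authorization cannot be confirmed from here. The commit message should state the intended effect, and an AuthorizationService test that authorizes a request authenticated as `AsyncSearchUser.INSTANCE` would pin it. A short Javadoc on the method saying what being an internal user implies for authorization would also help whoever adds the next one.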
@@ -7,6 +7,7 @@
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
 import org.elasticsearch.xpack.core.security.user.ElasticUser;
 import org.elasticsearch.xpack.core.security.user.InternalUserSerializationHelper;
 import org.elasticsearch.xpack.core.security.user.KibanaUser;
@@ -87,6 +88,16 @@ public void testXPackUserReadAndWrite() throws Exception {
 assertThat(readFrom.authenticatedUser(), is(XPackUser.INSTANCE));
 }
+ public void testAsyncSearchUserReadAndWrite() throws Exception {
+ BytesStreamOutput output = new BytesStreamOutput();
+
+ InternalUserSerializationHelper.writeTo(AsyncSearchUser.INSTANCE, output);
+ User readFrom = InternalUserSerializationHelper.readFrom(output.bytes().streamInput());
+
+ assertThat(readFrom, is(sameInstance(AsyncSearchUser.INSTANCE)));
+ assertThat(readFrom.authenticatedUser(), is(AsyncSearchUser.INSTANCE));
+ }
+
 public void testFakeInternalUserSerialization() throws Exception {
 BytesStreamOutput output = new BytesStreamOutput();
 output.writeBoolean(true);
From 82f9222ca553c1d60b6bb298accc630b538e0687 Mon Sep 17 00:00:00 2001
From: jimczi
Date: Mon, 6 Apr 2020 17:57:13 +0200
Subject: [PATCH 2/2] run the security rest tests with 2 nodes
---
 x-pack/plugin/async-search/qa/security/build.gradle | 1 +
 1 file changed, 1 insertion(+)
diff --git a/x-pack/plugin/async-search/qa/security/build.gradle b/x-pack/plugin/async-search/qa/security/build.gradle
index 0337749a9eebd..89ecc4617db18 100644
--- a/x-pack/plugin/async-search/qa/security/build.gradle
+++ b/x-pack/plugin/async-search/qa/security/build.gradle
@@ -10,6 +10,7 @@ dependencies {
 testClusters.integTest {
 testDistribution = 'DEFAULT'
+ numberOfNodes = 2
 setting 'xpack.license.self_generated.type', 'trial'
 setting 'xpack.security.enabled', 'true'
 extraConfigFile 'roles.yml', file('roles.yml')
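Review bot: `numberOfNodes = 2` carries no explanation, so a later cleanup could drop the cluster back to a single node and silently lose the cross-node coverage this series appears to rely on. Add a comment on that line, for example `// two nodes so that internal-user requests are serialized over the transport layer`. A two-node cluster presumably does not guarantee that every test request crosses nodes, so the unit test in UserSerializationTests remains the deterministic check for the serialization path.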