Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Better logging and internal user handling for operator privileges #79331

Merged
merged 9 commits into from
Oct 18, 2021

Conversation

ywangd
Copy link
Member

@ywangd ywangd commented Oct 18, 2021

This PR improves logging situation for operator privilegs. The loggings
are now more informational and also do not rely on the tracing level.
Internal user handling is also improved by skipping them more
consistently when marking and checking for operator users.

The existing code performs unnecessary checks for internal actions such
as leader/follower checks. It is technically a bug because threadContext
is prepared differently for internal actions and does not have the
operatorUser marking. However, the bug currently does not manifest
itself since internal actions are not protected by operator privileges.

This PR improves logging situation for operator privilegs. The loggings
are now more informational and also do not rely on the tracing level.
Internal user handling is also improved by skipping them more
consistently when marking and checking for operator users.

The existing code performs unnecessary checks for internal actions such
as leader/follower checks. It is technically a bug because threadContext
is prepared differently for internal actions and does not have the
operatorUser marking. However, the bug currently does not manifest
itself since internal actions are not protected by operator privileges.
@ywangd ywangd requested a review from tvernum October 18, 2021 01:59
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Oct 18, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

if (operatorException != null) {
throw denialException(authentication, action, originalRequest, operatorException);
throw denialException(authentication, action, originalRequest, "and operator privileges", operatorException);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This "context" doesn't seem very clear to me.
What exactly is it trying to say?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It didn't do what I expected. Sorry for the confusion. I was meant to add it at the end of the error message. So eorror message says something like "... this action is granted by .. and operator privileges". It should work now after the latest push. Let me know if you are OK with the approach.

Btw, I added it because I'd like the error with operator privileges to present in the main error message which is more prominent in logging and response.

operatorUsersDescriptor.groups.size(),
operatorUsersDescriptor.groups.stream().mapToLong(g -> g.usernames.size()).sum(),
file.toAbsolutePath());
logger.trace("operator user descriptor: [{}]", operatorUsersDescriptor);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be debug?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I agree it is better to be debug. I was trying to avoid flooding logs on Cloud because it seems the file gets renewed on Cloud every few seconds (same for roles.yml etc. But now I think it is better and useful to log on the debug level.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to deal with the cloud file refresh problem separately. It's been an issue for years, and I think we need to put something into the resource watching infrastructure that can check if the file contents have really changed.

I'll work on something.

// Internal user are considered operator users
return true;
}

// Other than realm name, other criteria must always be an exact match for the user to be an operator.
// Realm name of a descriptor can be null. When it is null, it is ignored for comparison.
// If not null, it will be compared exactly as well.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given the intent of this PR, I think we should have some trace logging when checking for a matching group below.
It looks like there's a possibility that a user isn't being matched as an operator when it should be, and we probably want to be able to trace that.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I added a trace log for when the result is false.

@ywangd ywangd requested a review from tvernum October 18, 2021 03:19
if (operatorException != null) {
throw denialException(authentication, action, originalRequest, operatorException);
throw denialException(authentication, action, originalRequest, null, true, operatorException);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't hate what you've ended up with, but I think you could have achieved what you want by setting context to

"because it requires operator privileges"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem. I reverted the change and took your suggested wording for context. So it now reads something like

... is unauthorized for user [...] with roles [..] because it requires operator privileges, this action is granted by ...

if (false == userIsOperator) {
logger.trace("User [{}] is not an operator", authentication.getUser());
}
return userIsOperator;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For a trace, I was thinking in would be inside the anyMatchpredicate.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah OK. Tracing inside anyMatch is better. I removed mine.

@ywangd ywangd requested a review from tvernum October 18, 2021 03:49
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ywangd
Copy link
Member Author

ywangd commented Oct 18, 2021

@ywangd
Copy link
Member Author

ywangd commented Oct 18, 2021

@elasticmachine run elasticsearch-ci/part-1-fips

@ywangd ywangd merged commit 778c569 into elastic:master Oct 18, 2021
@elasticsearchmachine
Copy link
Collaborator

💔 Backport failed

Status Branch Result
7.x Commit could not be cherrypicked due to conflicts
7.15 Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 79331

ywangd added a commit to ywangd/elasticsearch that referenced this pull request Oct 18, 2021
…astic#79331)

This PR improves logging situation for operator privilegs. The loggings
are now more informational and also do not rely on the tracing level.
Internal user handling is also improved by skipping them more
consistently when marking and checking for operator users.

The existing code performs unnecessary checks for internal actions such
as leader/follower checks. It is technically a bug because threadContext
is prepared differently for internal actions and does not have the
operatorUser marking. However, the bug currently does not manifest
itself since internal actions are not protected by operator privileges.
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Oct 18, 2021
…astic#79331)

This PR improves logging situation for operator privilegs. The loggings
are now more informational and also do not rely on the tracing level.
Internal user handling is also improved by skipping them more
consistently when marking and checking for operator users.

The existing code performs unnecessary checks for internal actions such
as leader/follower checks. It is technically a bug because threadContext
is prepared differently for internal actions and does not have the
operatorUser marking. However, the bug currently does not manifest
itself since internal actions are not protected by operator privileges.
elasticsearchmachine pushed a commit that referenced this pull request Oct 18, 2021
…9331) (#79337)

This PR improves logging situation for operator privilegs. The loggings
are now more informational and also do not rely on the tracing level.
Internal user handling is also improved by skipping them more
consistently when marking and checking for operator users.

The existing code performs unnecessary checks for internal actions such
as leader/follower checks. It is technically a bug because threadContext
is prepared differently for internal actions and does not have the
operatorUser marking. However, the bug currently does not manifest
itself since internal actions are not protected by operator privileges.
elasticsearchmachine pushed a commit that referenced this pull request Oct 18, 2021
…9331) (#79336)

This PR improves logging situation for operator privilegs. The loggings
are now more informational and also do not rely on the tracing level.
Internal user handling is also improved by skipping them more
consistently when marking and checking for operator users.

The existing code performs unnecessary checks for internal actions such
as leader/follower checks. It is technically a bug because threadContext
is prepared differently for internal actions and does not have the
operatorUser marking. However, the bug currently does not manifest
itself since internal actions are not protected by operator privileges.
weizijun added a commit to weizijun/elasticsearch that referenced this pull request Oct 18, 2021
* upstream/master:
  Changing test keytab to use aes256-cts-hmac-sha1-96 instead of des3-cbc-sha1-kd (elastic#78703)
  Add support for configuring HNSW parameters (elastic#79193)
  Deprecate resolution loss on date field (elastic#78921)
  Add Optional to Configure bind user (elastic#78303)
  Adapt BWC after backporting elastic#78765 (elastic#79350)
  [DOCS] Add deprecation notice for reset password tool (elastic#78793)
  added test for flattened type in top_metrics.yml (elastic#78960)
  [DOCS] Fixes indentation issue in GET trained models API docs. (elastic#79347)
  Fix parsing of PBES2 encrypted PKCS#8 keys (elastic#78904)
  Mute testReindex (elastic#79343)
  Node level can match action (elastic#78765)
  Fix duplicate license header in source files (elastic#79236)
  AllowAll for indicesAccessControl (elastic#78498)
  Better logging and internal user handling for operator privileges (elastic#79331)

# Conflicts:
#	server/src/main/java/org/elasticsearch/index/mapper/MappingParser.java
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.15.2 v7.16.0 v8.0.0-beta1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants