-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better logging and internal user handling for operator privileges #79331
Conversation
This PR improves logging situation for operator privilegs. The loggings are now more informational and also do not rely on the tracing level. Internal user handling is also improved by skipping them more consistently when marking and checking for operator users. The existing code performs unnecessary checks for internal actions such as leader/follower checks. It is technically a bug because threadContext is prepared differently for internal actions and does not have the operatorUser marking. However, the bug currently does not manifest itself since internal actions are not protected by operator privileges.
Pinging @elastic/es-security (Team:Security) |
...ugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
Outdated
Show resolved
Hide resolved
if (operatorException != null) { | ||
throw denialException(authentication, action, originalRequest, operatorException); | ||
throw denialException(authentication, action, originalRequest, "and operator privileges", operatorException); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This "context" doesn't seem very clear to me.
What exactly is it trying to say?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It didn't do what I expected. Sorry for the confusion. I was meant to add it at the end of the error message. So eorror message says something like "... this action is granted by .. and operator privileges". It should work now after the latest push. Let me know if you are OK with the approach.
Btw, I added it because I'd like the error with operator privileges to present in the main error message which is more prominent in logging and response.
operatorUsersDescriptor.groups.size(), | ||
operatorUsersDescriptor.groups.stream().mapToLong(g -> g.usernames.size()).sum(), | ||
file.toAbsolutePath()); | ||
logger.trace("operator user descriptor: [{}]", operatorUsersDescriptor); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be debug
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I agree it is better to be debug
. I was trying to avoid flooding logs on Cloud because it seems the file gets renewed on Cloud every few seconds (same for roles.yml
etc. But now I think it is better and useful to log on the debug level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to deal with the cloud file refresh problem separately. It's been an issue for years, and I think we need to put something into the resource watching infrastructure that can check if the file contents have really changed.
I'll work on something.
...gin/security/src/main/java/org/elasticsearch/xpack/security/operator/OperatorPrivileges.java
Outdated
Show resolved
Hide resolved
// Internal user are considered operator users | ||
return true; | ||
} | ||
|
||
// Other than realm name, other criteria must always be an exact match for the user to be an operator. | ||
// Realm name of a descriptor can be null. When it is null, it is ignored for comparison. | ||
// If not null, it will be compared exactly as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given the intent of this PR, I think we should have some trace logging when checking for a matching group below.
It looks like there's a possibility that a user isn't being matched as an operator when it should be, and we probably want to be able to trace that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I added a trace log for when the result is false
.
...ugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
Outdated
Show resolved
Hide resolved
if (operatorException != null) { | ||
throw denialException(authentication, action, originalRequest, operatorException); | ||
throw denialException(authentication, action, originalRequest, null, true, operatorException); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't hate what you've ended up with, but I think you could have achieved what you want by setting context to
"because it requires operator privileges"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem. I reverted the change and took your suggested wording for context
. So it now reads something like
... is unauthorized for user [...] with roles [..] because it requires operator privileges, this action is granted by ...
if (false == userIsOperator) { | ||
logger.trace("User [{}] is not an operator", authentication.getUser()); | ||
} | ||
return userIsOperator; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For a trace
, I was thinking in would be inside the anyMatch
predicate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah OK. Tracing inside anyMatch
is better. I removed mine.
...security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java
Outdated
Show resolved
Hide resolved
...gin/security/src/main/java/org/elasticsearch/xpack/security/operator/OperatorPrivileges.java
Outdated
Show resolved
Hide resolved
…ecurity/operator/FileOperatorUsersStore.java Co-authored-by: Tim Vernum <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Test failures are not related. I raised 2 issues for them: |
@elasticmachine run elasticsearch-ci/part-1-fips |
💔 Backport failed
You can use sqren/backport to manually backport by running |
…astic#79331) This PR improves logging situation for operator privilegs. The loggings are now more informational and also do not rely on the tracing level. Internal user handling is also improved by skipping them more consistently when marking and checking for operator users. The existing code performs unnecessary checks for internal actions such as leader/follower checks. It is technically a bug because threadContext is prepared differently for internal actions and does not have the operatorUser marking. However, the bug currently does not manifest itself since internal actions are not protected by operator privileges.
…astic#79331) This PR improves logging situation for operator privilegs. The loggings are now more informational and also do not rely on the tracing level. Internal user handling is also improved by skipping them more consistently when marking and checking for operator users. The existing code performs unnecessary checks for internal actions such as leader/follower checks. It is technically a bug because threadContext is prepared differently for internal actions and does not have the operatorUser marking. However, the bug currently does not manifest itself since internal actions are not protected by operator privileges.
…9331) (#79337) This PR improves logging situation for operator privilegs. The loggings are now more informational and also do not rely on the tracing level. Internal user handling is also improved by skipping them more consistently when marking and checking for operator users. The existing code performs unnecessary checks for internal actions such as leader/follower checks. It is technically a bug because threadContext is prepared differently for internal actions and does not have the operatorUser marking. However, the bug currently does not manifest itself since internal actions are not protected by operator privileges.
…9331) (#79336) This PR improves logging situation for operator privilegs. The loggings are now more informational and also do not rely on the tracing level. Internal user handling is also improved by skipping them more consistently when marking and checking for operator users. The existing code performs unnecessary checks for internal actions such as leader/follower checks. It is technically a bug because threadContext is prepared differently for internal actions and does not have the operatorUser marking. However, the bug currently does not manifest itself since internal actions are not protected by operator privileges.
* upstream/master: Changing test keytab to use aes256-cts-hmac-sha1-96 instead of des3-cbc-sha1-kd (elastic#78703) Add support for configuring HNSW parameters (elastic#79193) Deprecate resolution loss on date field (elastic#78921) Add Optional to Configure bind user (elastic#78303) Adapt BWC after backporting elastic#78765 (elastic#79350) [DOCS] Add deprecation notice for reset password tool (elastic#78793) added test for flattened type in top_metrics.yml (elastic#78960) [DOCS] Fixes indentation issue in GET trained models API docs. (elastic#79347) Fix parsing of PBES2 encrypted PKCS#8 keys (elastic#78904) Mute testReindex (elastic#79343) Node level can match action (elastic#78765) Fix duplicate license header in source files (elastic#79236) AllowAll for indicesAccessControl (elastic#78498) Better logging and internal user handling for operator privileges (elastic#79331) # Conflicts: # server/src/main/java/org/elasticsearch/index/mapper/MappingParser.java
This PR improves logging situation for operator privilegs. The loggings
are now more informational and also do not rely on the tracing level.
Internal user handling is also improved by skipping them more
consistently when marking and checking for operator users.
The existing code performs unnecessary checks for internal actions such
as leader/follower checks. It is technically a bug because threadContext
is prepared differently for internal actions and does not have the
operatorUser marking. However, the bug currently does not manifest
itself since internal actions are not protected by operator privileges.