[NP] Platform exposes API to get authenticated user data #55327
Conversation
mshustov
added
Team:Core
|
Pinging @elastic/kibana-platform (Team:Platform) |
That works for the use case we're trying cover, thanks!
That sounds perfectly fine to me since we can register only one auth hook that's is supposed to fill the auth state, read and interpret it afterwards. Other plugins are supposed to use higher level API exposed by the plugin that owns auth hook handler. Having said that if we still think that it may become a source of confusion, |
mshustov
changed the title
That's another option. My initial implementation was inlined with the idea to make the platform the source of user auth status and user credentials. Security plugin provides API for user authentication to the platform. Plugins (even OSS) use platform API to authenticate user via Another option would be to keep the current implementation where the Security plugin is the source of auth status/credentials. X-pack plugins access the Security plugin directly as a required dependency to get user credentials. The platform uses injected Security plugin API to perform authentication when required, as discussed in #51438 (comment) With this option your proposal about |
mshustov
changed the title
|
(implementation looks fine to me, but more on the actual discussion):
I'm strongly in favor of this decision. We already discussed it, but imho
That's true. However in my experience, most pluggable-auth-providers system have the same issue. Usually the Would be great if export type GetAuthState = <T = unknown>(
) => { status: AuthStatus; state: T };could change to something like: export type GetAuthState = <T extends {id: string} = {id: string}>(
) => { status: AuthStatus; state?: T };or export type GetAuthState = <T extends {getId: () => string} = {getId: () => string}>(
) => { status: AuthStatus; state?: T };of course that mean changing the
I guess if we goes in this direction, we should have a client-side way to retrieve this same data from |
Out of curiosity, what benefits for plugins from having just opaque principal ID do you envision and what they can use it for (in our case it will be My only concern is that shaping auth state and introducing new client side API that you'll have to maintain BWC for at this stage just for the sake of consistency without clear value proposition may be a bit premature. |
There was a problem hiding this comment.
Core being source of truth makes sense 👍. Do we want to expose this on the RequestHandlerContext or would we rather make this harder to find so it's not overused?
could change to something like:
export type GetAuthState = <T extends {id: string} = {id: string}>(
) => { status: AuthStatus; state?: T };Out of curiosity, what benefits for plugins from having just opaque principal ID do you envision and what they can use it for (in our case it will be
usernamefield that only exists in x-pack world)?My only concern is that shaping auth state and introducing new client side API that you'll have to maintain BWC for at this stage just for the sake of consistency without clear value proposition may be a bit premature.
The only benefit I can think of is if we want to allow users to install custom security plugins and give those plugins the ability to be compatible with our other plugins that need to access this data. I'm not sure that's necessarily something we should do, or even if we should, that we should do it now.
Which parts of the auth data would other plugins besides security/spaces need to access? isAuthenticated is the only I know that would be useful in the try situation. Are there others?
|
|
||
| <b>Signature:</b> | ||
|
|
||
| ```typescript | ||
| export declare type GetAuthState = (request: KibanaRequest | LegacyRequest) => { | ||
| export declare type GetAuthState = <T = unknown>(request: KibanaRequest | LegacyRequest) => { |
There was a problem hiding this comment.
Should we just expose this on RequestHandlerContext?
There was a problem hiding this comment.
We can expose auth.isAuthenticated when optional authentication implemented. Not sure we need to provide auth.get until then or can be exposed later upon request.
May have spoke without thinking. Most common usage of retrieving a user infos from outside of the authent/authoriz plugins/code is to be able to persists data associated with the user, and therefor needing an id to use a technical/func ID. However as every ES call are user-scoped, I guess in our case, the need is not present? |
|
To recap:
It's used by X-pack plugins exclusively. What plugins usually access:
Some of them consume the whole user object, and it doesn't look right. I don't think we consider it as sensitive data, even it contains a full name and email. Since any 3rd party plugin can call security plugin API directly to retrieve the user data. @elastic/kibana-security is it correct?
Nothing I can think of. @elastic/kibana-platform are you okay with this proposal? |
We definitely want our users to fill the gaps between what we provide and what they may need. And currently the recommended approach to achieve that is to extend Security plugin using the APIs it exposes or may expose in the future. This way users may extend authentication and we'll guarantee that everything will work well with the authorization, feature controls, Spaces etc. Implementing authentication and authorization is expensive, notoriously hard, error prone and few do this in practice. Bugs in this area may have serious consequences. That's why we don't want to encourage our users to rebuild Security plugin completely and everything that explicitly on implicitly depends on it. On the other hand if users have enough reasons to do so and know what to expect they can do that leveraging the tools Core provides already: auth hook, request interceptors and soon I think having public Core's
LGMT
Yeah, I don't think there is any sensitive info here, we're exposing this information from Security plugin for a long time. |
|
I'm jumping into this conversation late, and don't have much to add outside of what is already discussed. I agree with everything Aleh's commented, particularly the following:
|
LGTM
I'm ok with that |
| | [SharedGlobalConfig](./kibana-plugin-server.sharedglobalconfig.md) | | | ||
| | [UiSettingsType](./kibana-plugin-server.uisettingstype.md) | UI element type to represent the settings. | | ||
|
|
||
| <!-- Do not edit this file. It is automatically generated by API Documenter. --> |
There was a problem hiding this comment.
Why does this keep happening?
There was a problem hiding this comment.
different EOL. fixed in #55689
There was a problem hiding this comment.
CRLF to LF conversion. github is very stupid in line terminator diffs
@joshdover done in |
* expose auth.get/isAuthenticated. move getAuthHeaders to internal type * update mocks * update docs * update docs * add integration test for auth
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
Summary
Closes #55011
required for Security plugin to ensure compatibility with the latest ES snapshot #54879
Exposes from the core
auth.get- returns auth status and associated user data. The platform doesn't enforce user data type at the moment as discussed with @azasypkin. We can re-consider it later.auth.isAuthenticated- returns true, ifauthinterceptor successfully authenticated a userThere are already integration tests for the auth in the place. Probably we should add some for e2e tests, but I want to discuss whether we want to provide this API as a part of the platform at all.
Pros:
authhook on the server. It means that only the platform knows who uses this hook to authenticate a user and result of this operation.Cons:
Checklist
Use
strikethroughsto remove checklist items you don't feel are applicable to this PR.[ ] This was checked for cross-browser compatibility, including a check against IE11[ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support[ ] Documentation was added for features that require explanation or tutorials[ ] This was checked for keyboard-only and screenreader accessibilityFor maintainers
Dev docs
HttpService exposes:
auth.get()- returns auth status and associated user data. User data are opaque to the http service. Possible auth status values:authenticated-authinterceptor successfully authenticated a user.unauthenticated-authinterceptor failed user authentication.unknown-authinterceptor has not been registered.auth.isAuthenticated()- returns true, ifauthinterceptor successfully authenticated a user.