Skip to content

Phase 1 support for operator privileges #65256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 25 commits into from
Dec 3, 2020
Merged

Phase 1 support for operator privileges #65256

merged 25 commits into from
Dec 3, 2020

Conversation

ywangd
Copy link
Member

@ywangd ywangd commented Nov 19, 2020
edited
Loading

In some Elastic Stack environments, there is a distinction between the operator of the cluster infrastructure and the administrator of the cluster. This distinction cannot be supported currently because the "administrator" often has the superuser role which grants each and every privilege of the cluster.

This PR adds a new feature to protect a fixed set of APIs from the "administrator" even when it is a highly privileged user such as superuser. It enhances the Elasticsearch security model to have an additional layer of restriction in addition to the RBAC.

@ywangd ywangd force-pushed the meta-101-operator-privileges-phase-one branch 2 times, most recently from 96ccc04 to ceef13c Compare November 23, 2020 23:55
@ywangd ywangd force-pushed the meta-101-operator-privileges-phase-one branch from ceef13c to 3d5f3b0 Compare November 24, 2020 01:31
@ywangd ywangd added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC >feature v7.11.0 v8.0.0 labels Nov 24, 2020
@ywangd
Copy link
Member Author

ywangd commented Nov 24, 2020

@tvernum The PR is ready for an initial look. I added some essential tests which prove the feature is working. It is still intentional light on tests because I'd like to get confirmation on the general approach before spending too much time for the coverage.

I spent quite a bit time to ponder how to implement the test for ensuring every action is marked either "operator-only" or "non-operator" (It's an interesting exploration). I don't think there is an easy way of doing it, not possible with unit tests for sure. The main challenge is to ensure its current and future coverage for all possible actions. Most of the actions are from modules, including always on plugins (I collectively refer them as modules since that's how it's reported with GET _nodes). There is no way to cover all of them without actually running a cluster. Also this has to be an external cluster because an internal cluster does not run every module. But with an external cluster, we lose the ability to access node components at code level which means we have no way to query for all registered actions. So it seems to me that a possible approach is to create a test only plugin which registered an API that expose this information. The test will then query this new API and get a list of all actions. I didn't try it but it seems plausible in theory. If you could see another simpler solution, I would like to learn about it. I am also happy to have a synchronous discussion on this topic if you are interested (it's pretty intriguing). Btw, I thought about having a Gradle task to perform something like code scanning for all action names. But it's not feasible since some action names are not string literals and some action class are inner classes.

@ywangd ywangd requested a review from tvernum November 24, 2020 04:21
@ywangd
Copy link
Member Author

ywangd commented Nov 24, 2020

a possible approach is to create a test only plugin which registered an API that expose this information. I didn't try it but it seems plausible in theory.

This is now added. The complexity in fact is not high. Quite a bit boilerplate code to add an API but otherwise pretty minimal. This pattern could be quite useful for other things as well, such as what KnownActionsTests were trying to achieve, and ensure actions are categorised under the right named privileges, etc. So other than not being an unit test, this approach seems to be about right.

tvernum
tvernum reviewed Nov 25, 2020
View reviewed changes
ywangd
ywangd commented Nov 26, 2020
View reviewed changes
...ecurity/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
@@ -567,24 +582,23 @@ public void testTokenRestMissing() throws Exception {
});
}

public void authenticationInContextAndHeader() throws Exception {
public void testAuthenticationInContextAndHeader() throws Exception {
Copy link
Member Author

@ywangd ywangd Nov 26, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test was skipped for a long time because of the naming convention mismatch. I fixed it but it's not 100% the same as it was because things evolved.

ywangd
ywangd commented Nov 26, 2020
View reviewed changes
...ugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -202,6 +205,16 @@ public void authorize(final Authentication authentication, final String action,
// sometimes a request might be wrapped within another, which is the case for proxied
// requests and concrete shard requests
final TransportRequest unwrappedRequest = maybeUnwrapRequest(authentication, originalRequest, action, auditId);

// Check operator privileges
// TODO: audit?
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think auditing can be a follow up PR.

@ywangd ywangd requested a review from tvernum November 30, 2020 12:25
tvernum
tvernum approved these changes Dec 2, 2020
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ywangd and others added 2 commits December 3, 2020 15:31
@ywangd ywangd merged commit def2f27 into elastic:master Dec 3, 2020
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Dec 3, 2020
@ywangd @tvernum
Phase 1 support for operator privileges (elastic#65256)
3e1bd0a 
In some Elastic Stack environments, there is a distinction between the operator
of the cluster infrastructure and the administrator of the cluster. This
distinction cannot be supported currently because the "administrator" often has
the superuser role which grants each and every privilege of the cluster.

This PR adds a new feature to protect a fixed set of APIs from the
"administrator" even when it is a highly privileged user such as superuser. It
enhances the Elasticsearch security model to have an additional layer of
restriction in addition to the RBAC.

Co-authored-by: Tim Vernum <[email protected]>
@ywangd ywangd mentioned this pull request Dec 4, 2020
Merged
ywangd added a commit that referenced this pull request Dec 4, 2020
@ywangd @tvernum
Phase 1 support for operator privileges (#65256) (#65802)
d8cb1f2 
In some Elastic Stack environments, there is a distinction between the operator
of the cluster infrastructure and the administrator of the cluster. This
distinction cannot be supported currently because the "administrator" often has
the superuser role which grants each and every privilege of the cluster.

This PR adds a new feature to protect a fixed set of APIs from the
"administrator" even when it is a highly privileged user such as superuser. It
enhances the Elasticsearch security model to have an additional layer of
restriction in addition to the RBAC.

Co-authored-by: Tim Vernum <[email protected]>
ywangd added a commit that referenced this pull request Dec 4, 2020
@ywangd
Fix xpack info and usage reports for operator privileges (#65867)
201b25e 
This is a follow-up PR for #65256 to fix the xpack info and usage reports for
operator privilegs. In summary, this PR ensures:

* _xpack does not report operator privileges because it is categorised under
security 
* _xpack/usage reports operator privileges status under the security
section 
* _license/feature_usage reports last used time of operator privileges.
It is up to the downstream to filter out this report if necessary.
@ywangd ywangd mentioned this pull request Dec 8, 2020
Merged
@ywangd ywangd mentioned this pull request Feb 15, 2021
Merged
ywangd added a commit that referenced this pull request Mar 10, 2021
@ywangd @tvernum @lcawl
Documentation for operator privileges (#68964)
8a9da1d 
Add documentation for operator privilegs. The docs cover features delivered by phase 1 (#65256) and 2 (#66684).

Co-authored-by: Tim Vernum <[email protected]>
Co-authored-by: lcawl <[email protected]>
Co-authored-by: Adam Locke <[email protected]>
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Mar 10, 2021
@ywangd @tvernum @lcawl
Documentation for operator privileges (elastic#68964)
b86ace3 
Add documentation for operator privilegs. The docs cover features delivered by phase 1 (elastic#65256) and 2 (elastic#66684).

Co-authored-by: Tim Vernum <[email protected]>
Co-authored-by: lcawl <[email protected]>
Co-authored-by: Adam Locke <[email protected]>
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Mar 10, 2021
@ywangd @tvernum @lcawl
Documentation for operator privileges (elastic#68964)
a906844 
Add documentation for operator privilegs. The docs cover features delivered by phase 1 (elastic#65256) and 2 (elastic#66684).

Co-authored-by: Tim Vernum <[email protected]>
Co-authored-by: lcawl <[email protected]>
Co-authored-by: Adam Locke <[email protected]>
This was referenced Mar 10, 2021
Merged
Merged
ywangd added a commit that referenced this pull request Mar 10, 2021
@ywangd @tvernum @lcawl
Documentation for operator privileges (#68964) (#70193)
62c9430 
Add documentation for operator privilegs. The docs cover features delivered by phase 1 (#65256) and 2 (#66684).

Co-authored-by: Tim Vernum <[email protected]>
Co-authored-by: lcawl <[email protected]>
Co-authored-by: Adam Locke <[email protected]>
ywangd added a commit that referenced this pull request Mar 10, 2021
@ywangd @tvernum @lcawl
Documentation for operator privileges (#68964) (#70194)
5c2dbdb 
Add documentation for operator privilegs. The docs cover features delivered by phase 1 (#65256) and 2 (#66684).

Co-authored-by: Tim Vernum <[email protected]>
Co-authored-by: lcawl <[email protected]>
Co-authored-by: Adam Locke <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvernum tvernum tvernum approved these changes

Assignees
No one assigned
Labels
>feature :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.11.0 v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ywangd @elasticmachine @tvernum @jakelandis