Authentication model changes for remote access (#93151)

This PR implements the necessary changes to the Authentication class,
to support remote access authentication under the new remote cluster
security model. Upon successful authentication, a new authentication
instance will be constructed by the fulfilling cluster which combines
information from the remote access API key used and the user
authentication and role info sent by the querying cluster with a cross
cluster request.

Remote access authentication is modeled in way that exposes (and
assumes) that the underlying authentication method is an API key; for
example, it includes the metadata associated with API keys in its
metadata directly, re-using existing metadata field keys. I chose this
approach instead of trying to generalize away from API keys because
there are no medium-term plans to support any other authentication
forms for remote access; generalizing would have made the change more
complex.

This change is stand-alone and not wired up to active code flows yet. A
proof of concept in #92089 highlights how the model change in this PR
fits into the broader context of the fulfilling cluster processing
cross cluster requests.

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java

@@ -33,5 +33,10 @@ public final class AuthenticationField {
     public static final String ATTACH_REALM_NAME = "__attach";
     public static final String ATTACH_REALM_TYPE = "__attach";
 
+    public static final String REMOTE_ACCESS_REALM_NAME = "_es_remote_access";
+    public static final String REMOTE_ACCESS_REALM_TYPE = "_es_remote_access";
+    public static final String REMOTE_ACCESS_AUTHENTICATION_KEY = "_security_remote_access_authentication";
+    public static final String REMOTE_ACCESS_ROLE_DESCRIPTORS_KEY = "_security_remote_access_role_descriptors";
+
     private AuthenticationField() {}
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/AuthenticationField.java

@@ -28,7 +28,10 @@
 import java.io.UncheckedIOException;
 import java.util.ArrayList;
 import java.util.Base64;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
 
@@ -124,6 +127,26 @@ public static RemoteAccessAuthentication decode(final String header) throws IOEx
         return new RemoteAccessAuthentication(authentication, roleDescriptorsBytesList);
     }
 
+    /**
+     * Returns a copy of the passed-in metadata map, with the relevant remote access fields included. Does not modify the original map.
+     */
+    public Map<String, Object> copyWithRemoteAccessEntries(final Map<String, Object> authenticationMetadata) {
+        assert false == authenticationMetadata.containsKey(AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY)
+            : "metadata already contains [" + AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY + "] entry";
+        assert false == authenticationMetadata.containsKey(AuthenticationField.REMOTE_ACCESS_ROLE_DESCRIPTORS_KEY)
+            : "metadata already contains [" + AuthenticationField.REMOTE_ACCESS_ROLE_DESCRIPTORS_KEY + "] entry";
+        assert false == getAuthentication().isRemoteAccess()
+            : "authentication included in remote access header cannot itself be remote access";
+        final Map<String, Object> copy = new HashMap<>(authenticationMetadata);
+        try {
+            copy.put(AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY, getAuthentication().encode());
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+        copy.put(AuthenticationField.REMOTE_ACCESS_ROLE_DESCRIPTORS_KEY, getRoleDescriptorsBytesList());
+        return Collections.unmodifiableMap(copy);
+    }
+
     public static final class RoleDescriptorsBytes extends AbstractBytesReference {
         private final BytesReference rawBytes;
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RemoteAccessAuthentication.java

@@ -26,10 +26,11 @@
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY;
 import static org.elasticsearch.xpack.core.security.authc.Subject.Type.API_KEY;
+import static org.elasticsearch.xpack.core.security.authc.Subject.Type.REMOTE_ACCESS;
 
 /**
  * A subject is a more generic concept similar to user and associated to the current authentication.
- * It is more generic than user because it can also represent API keys and service accounts.
+ * It is more generic than user because it can also represent API keys, service accounts, or remote access users.
  * It also contains authentication level information, e.g. realm and metadata so that it can answer
  * queries in a better encapsulated way.
  */
@@ -39,6 +40,7 @@ public enum Type {
         USER,
         API_KEY,
         SERVICE_ACCOUNT,
+        REMOTE_ACCESS,
     }
 
     private final TransportVersion version;
@@ -65,6 +67,9 @@ public Subject(User user, Authentication.RealmRef realm, TransportVersion versio
         } else if (ServiceAccountSettings.REALM_TYPE.equals(realm.getType())) {
             assert ServiceAccountSettings.REALM_NAME.equals(realm.getName()) : "service account realm name mismatch";
             this.type = Type.SERVICE_ACCOUNT;
+        } else if (AuthenticationField.REMOTE_ACCESS_REALM_TYPE.equals(realm.getType())) {
+            assert AuthenticationField.REMOTE_ACCESS_REALM_NAME.equals(realm.getName()) : "remote access realm name mismatch";
+            this.type = Type.REMOTE_ACCESS;
         } else {
             this.type = Type.USER;
         }
@@ -99,6 +104,9 @@ public RoleReferenceIntersection getRoleReferenceIntersection(@Nullable Anonymou
                 return buildRoleReferencesForApiKey();
             case SERVICE_ACCOUNT:
                 return new RoleReferenceIntersection(new RoleReference.ServiceAccountRoleReference(user.principal()));
+            case REMOTE_ACCESS:
+                assert false : "unsupported subject type: [" + type + "]";
+                throw new UnsupportedOperationException("unsupported subject type: [" + type + "]");
             default:
                 assert false : "unknown subject type: [" + type + "]";
                 throw new IllegalStateException("unknown subject type: [" + type + "]");
@@ -116,6 +124,9 @@ public boolean canAccessResourcesOf(Subject resourceCreatorSubject) {
             || (false == API_KEY.equals(getType()) && API_KEY.equals(resourceCreatorSubject.getType()))) {
                 // an API Key cannot access resources created by non-API Keys or vice-versa
                 return false;
+            } else if (REMOTE_ACCESS.equals(getType()) || REMOTE_ACCESS.equals(resourceCreatorSubject.getType())) {
+                // TODO implement this once remote authentication is fully supported
+                return false;
             } else {
                 if (false == getUser().principal().equals(resourceCreatorSubject.getUser().principal())) {
                     return false;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Subject.java

@@ -115,6 +115,12 @@ public static void addAuthorizationInfo(final XContentBuilder builder, final Map
                 builder.endObject();
             }
             case SERVICE_ACCOUNT -> builder.field("service_account", authenticationSubject.getUser().principal());
+            case REMOTE_ACCESS -> {
+                // TODO handle remote access authentication
+                final String message = "remote access authentication is not yet supported";
+                assert false : message;
+                throw new UnsupportedOperationException(message);
+            }
         }
         builder.endObject();
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/xcontent/XContentUtils.java

@@ -6,8 +6,11 @@
  */
 package org.elasticsearch.xpack.core.security.authc;
 
+import org.elasticsearch.TransportVersion;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
+import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.test.TransportVersionUtils;
 import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
 import org.elasticsearch.xpack.core.security.user.ElasticUser;
 import org.elasticsearch.xpack.core.security.user.KibanaSystemUser;
@@ -19,6 +22,7 @@
 import java.util.Arrays;
 
 import static org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationSerializationHelper;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
@@ -59,6 +63,52 @@ public void testWriteToAndReadFromWithRunAs() throws Exception {
         assertThat(readFromAuthenticatingUser, equalTo(authentication.getAuthenticatingSubject().getUser()));
     }
 
+    public void testWriteToAndReadFromWithRemoteAccess() throws Exception {
+        final Authentication authentication = AuthenticationTestHelper.builder().remoteAccess().build();
+        assertThat(authentication.isRemoteAccess(), is(true));
+
+        BytesStreamOutput output = new BytesStreamOutput();
+        authentication.writeTo(output);
+        final Authentication readFrom = new Authentication(output.bytes().streamInput());
+        assertThat(readFrom.isRemoteAccess(), is(true));
+
+        assertThat(readFrom, not(sameInstance(authentication)));
+        assertThat(readFrom, equalTo(authentication));
+    }
+
+    public void testWriteToWithRemoteAccessThrowsOnUnsupportedVersion() throws Exception {
+        final Authentication authentication = randomBoolean()
+            ? AuthenticationTestHelper.builder().remoteAccess().build()
+            : AuthenticationTestHelper.builder().build();
+
+        final BytesStreamOutput out = new BytesStreamOutput();
+        final TransportVersion version = TransportVersionUtils.randomPreviousCompatibleVersion(
+            random(),
+            Authentication.VERSION_REMOTE_ACCESS_REALM
+        );
+        out.setTransportVersion(version);
+
+        if (authentication.isRemoteAccess()) {
+            final var ex = expectThrows(IllegalArgumentException.class, () -> authentication.writeTo(out));
+            assertThat(
+                ex.getMessage(),
+                containsString(
+                    "versions of Elasticsearch before ["
+                        + Authentication.VERSION_REMOTE_ACCESS_REALM
+                        + "] can't handle remote access authentication and attempted to send to ["
+                        + out.getTransportVersion()
+                        + "]"
+                )
+            );
+        } else {
+            authentication.writeTo(out);
+            final StreamInput in = out.bytes().streamInput();
+            in.setTransportVersion(out.getTransportVersion());
+            final Authentication readFrom = new Authentication(in);
+            assertThat(readFrom, equalTo(authentication.maybeRewriteForOlderVersion(out.getTransportVersion())));
+        }
+    }
+
     public void testSystemUserReadAndWrite() throws Exception {
         BytesStreamOutput output = new BytesStreamOutput();
 

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationSerializationTests.java

@@ -26,6 +26,8 @@
 import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
 import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings;
 import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
 import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
 import org.elasticsearch.xpack.core.security.user.SecurityProfileUser;
@@ -36,6 +38,7 @@
 import org.elasticsearch.xpack.core.security.user.XPackUser;
 
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -68,7 +71,8 @@ public class AuthenticationTestHelper {
         AuthenticationField.ANONYMOUS_REALM_TYPE,
         AuthenticationField.ATTACH_REALM_TYPE,
         AuthenticationField.FALLBACK_REALM_TYPE,
-        ServiceAccountSettings.REALM_TYPE
+        ServiceAccountSettings.REALM_TYPE,
+        AuthenticationField.REMOTE_ACCESS_REALM_TYPE
     );
 
     private static final Set<User> INTERNAL_USERS = Set.of(
@@ -204,7 +208,7 @@ private static AnonymousUser randomAnonymousUser() {
         );
     }
 
-    private static User stripRoles(User user) {
+    static User stripRoles(User user) {
         if (user.roles() != null || user.roles().length == 0) {
             return new User(user.principal(), Strings.EMPTY_ARRAY, user.fullName(), user.email(), user.metadata(), user.enabled());
         } else {
@@ -233,6 +237,43 @@ public static String randomInternalRoleName() {
         );
     }
 
+    public static RemoteAccessAuthentication randomRemoteAccessAuthentication() {
+        try {
+            // TODO add apikey() once we have querying-cluster-side API key support
+            final Authentication authentication = ESTestCase.randomFrom(
+                AuthenticationTestHelper.builder().realm(),
+                AuthenticationTestHelper.builder().internal(SystemUser.INSTANCE)
+            ).build();
+            return new RemoteAccessAuthentication(
+                authentication,
+                new RoleDescriptorsIntersection(
+                    List.of(
+                        // TODO randomize to add a second set once we have querying-cluster-side API key support
+                        Set.of(
+                            new RoleDescriptor(
+                                "a",
+                                null,
+                                new RoleDescriptor.IndicesPrivileges[] {
+                                    RoleDescriptor.IndicesPrivileges.builder()
+                                        .indices("index1")
+                                        .privileges("read", "read_cross_cluster")
+                                        .build() },
+                                null,
+                                null,
+                                null,
+                                null,
+                                null,
+                                null
+                            )
+                        )
+                    )
+                )
+            );
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
     public static class AuthenticationTestBuilder {
         private TransportVersion transportVersion;
         private Authentication authenticatingAuthentication;
@@ -242,6 +283,7 @@ public static class AuthenticationTestBuilder {
         private final Map<String, Object> metadata = new HashMap<>();
         private Boolean isServiceAccount;
         private Boolean isRealmUnderDomain;
+        private RemoteAccessAuthentication remoteAccessAuthentication;
 
         private AuthenticationTestBuilder() {}
 
@@ -335,6 +377,22 @@ public AuthenticationTestBuilder user(User user) {
             }
         }
 
+        public AuthenticationTestBuilder remoteAccess() {
+            return remoteAccess(ESTestCase.randomAlphaOfLength(20), randomRemoteAccessAuthentication());
+        }
+
+        public AuthenticationTestBuilder remoteAccess(
+            final String remoteAccessApiKeyId,
+            final RemoteAccessAuthentication remoteAccessAuthentication
+        ) {
+            if (authenticatingAuthentication != null) {
+                throw new IllegalArgumentException("cannot use remote access authentication as run-as target");
+            }
+            apiKey(remoteAccessApiKeyId);
+            this.remoteAccessAuthentication = Objects.requireNonNull(remoteAccessAuthentication);
+            return this;
+        }
+
         public AuthenticationTestBuilder realmRef(Authentication.RealmRef realmRef) {
             assert false == SYNTHETIC_REALM_TYPES.contains(realmRef.getType()) : "use dedicate methods for synthetic realms";
             resetShortcutRelatedVariables();
@@ -363,6 +421,9 @@ public AuthenticationTestBuilder metadata(Map<String, Object> metadata) {
         }
 
         public AuthenticationTestBuilder runAs() {
+            if (remoteAccessAuthentication != null) {
+                throw new IllegalArgumentException("cannot convert to run-as for remote access authentication");
+            }
             if (authenticatingAuthentication != null) {
                 throw new IllegalArgumentException("cannot convert to run-as again for run-as authentication");
             }
@@ -421,10 +482,16 @@ public Authentication build(boolean maybeRunAsIfNotAlready) {
                         // User associated to API key authentication has empty roles
                         user = stripRoles(user);
                         prepareApiKeyMetadata();
-                        authentication = Authentication.newApiKeyAuthentication(
+                        final Authentication apiKeyAuthentication = Authentication.newApiKeyAuthentication(
                             AuthenticationResult.success(user, metadata),
                             ESTestCase.randomAlphaOfLengthBetween(3, 8)
                         );
+                        // Remote access is authenticated via API key, but the underlying authentication instance has a different structure,
+                        // and a different subject type. If remoteAccessAuthentication is set, we transform the API key authentication
+                        // instance into a remote access authentication instance.
+                        authentication = remoteAccessAuthentication != null
+                            ? apiKeyAuthentication.toRemoteAccess(remoteAccessAuthentication)
+                            : apiKeyAuthentication;
                     }
                     case TOKEN -> {
                         if (isServiceAccount != null && isServiceAccount) {