
Commit 3e60a91

committed
add licensing for authorization engine
1 parent 1c9a8e1 commit 3e60a91

5 files changed

+63
-16
lines changed


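--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
@@ -103,7 +103,8 @@ private static String[] securityAcknowledgementMessages(OperationMode currentMod
  "The following X-Pack security functionality will be disabled: authentication, authorization, " +
  "ip filtering, and auditing. Please restart your node after applying the license.",
  "Field and document level access control will be disabled.",
- "Custom realms will be ignored."
+ "Custom realms will be ignored.",
+ "A custom authorization engine will be ignored."
  };
  }
  break;
@@ -116,7 +117,8 @@ private static String[] securityAcknowledgementMessages(OperationMode currentMod
  case PLATINUM:
  return new String[] {
  "Field and document level access control will be disabled.",
- "Custom realms will be ignored."
+ "Custom realms will be ignored.",
+ "A custom authorization engine will be ignored."
  };
  }
  break;
@@ -131,7 +133,8 @@ private static String[] securityAcknowledgementMessages(OperationMode currentMod
  "Authentication will be limited to the native realms.",
  "IP filtering and auditing will be disabled.",
  "Field and document level access control will be disabled.",
- "Custom realms will be ignored."
+ "Custom realms will be ignored.",
+ "A custom authorization engine will be ignored."
  };
  }
  }
@@ -433,6 +436,17 @@ public synchronized boolean isAuthorizationRealmAllowed() {
  && status.active;
  }
 
+ /**
+ * @return whether a custom authorization engine is allowed based on the license {@link OperationMode}
+ * @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
+ */
+ public synchronized boolean isAuthorizationEngineAllowed() {
+ final boolean isSecurityCurrentlyEnabled =
+ isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
+ return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
+ && status.active;
+ }
+
  /**
  * Determine if Watcher is available based on the current license.
  * <p>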
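Review bot: The Javadoc on the new isAuthorizationEngineAllowed() carries `@see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings`, which describes delegated authorization realms rather than a custom authorization engine; it looks copied from the neighbouring isAuthorizationRealmAllowed() and will point readers at the wrong feature. I would drop that `@see` and state the policy the body actually implements, e.g. `* A custom authorization engine is permitted only on a PLATINUM or TRIAL license that is active and has security enabled.` The three new "A custom authorization engine will be ignored." literals follow the existing copy-per-case pattern of securityAcknowledgementMessages, whose surrounding switch starts and ends outside these hunks.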

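--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -226,17 +226,17 @@ public void testSecurityAckAnyToTrialOrPlatinum() {
  }
 
  public void testSecurityAckTrialStandardGoldOrPlatinumToBasic() {
- assertAckMesssages(XPackField.SECURITY, randomTrialStandardGoldOrPlatinumMode(), BASIC, 3);
+ assertAckMesssages(XPackField.SECURITY, randomTrialStandardGoldOrPlatinumMode(), BASIC, 4);
  }
 
  public void testSecurityAckAnyToStandard() {
  OperationMode from = randomFrom(BASIC, GOLD, PLATINUM, TRIAL);
- assertAckMesssages(XPackField.SECURITY, from, STANDARD, 4);
+ assertAckMesssages(XPackField.SECURITY, from, STANDARD, 5);
  }
 
  public void testSecurityAckBasicStandardTrialOrPlatinumToGold() {
  OperationMode from = randomFrom(BASIC, PLATINUM, TRIAL, STANDARD);
- assertAckMesssages(XPackField.SECURITY, from, GOLD, 2);
+ assertAckMesssages(XPackField.SECURITY, from, GOLD, 3);
  }
 
  public void testMonitoringAckBasicToAny() {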
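Review bot: This section only raises the expected acknowledgement-message counts; nothing in the commit exercises the new `XPackLicenseState.isAuthorizationEngineAllowed()` directly, as far as I can see from these hunks. Because that method decides which authorization engine is in effect, a test asserting it returns true for PLATINUM and TRIAL with an active license and security enabled, and false for BASIC, STANDARD and GOLD (and false once the license is inactive or security is disabled), would pin the policy rather than leave it implied by the message counts. If the file already has such a test for isAuthorizationRealmAllowed(), mirroring it would be the natural shape.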

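--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -451,7 +451,8 @@ Collection<Object> createComponents(Client client, ThreadPool threadPool, Cluste
  requestInterceptors = Collections.unmodifiableSet(requestInterceptors);
 
  final AuthorizationService authzService = new AuthorizationService(settings, allRolesStore, clusterService,
- auditTrailService, failureHandler, threadPool, anonymousUser, getAuthorizationEngine(), requestInterceptors);
+ auditTrailService, failureHandler, threadPool, anonymousUser, getAuthorizationEngine(), requestInterceptors,
+ getLicenseState());
 
  components.add(nativeRolesStore); // used by roles actions
  components.add(reservedRolesStore); // used by roles actions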

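--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -32,6 +32,7 @@
  import org.elasticsearch.common.settings.Settings;
  import org.elasticsearch.common.util.concurrent.ThreadContext;
  import org.elasticsearch.index.IndexNotFoundException;
+ import org.elasticsearch.license.XPackLicenseState;
  import org.elasticsearch.threadpool.ThreadPool;
  import org.elasticsearch.transport.TransportActionProxy;
  import org.elasticsearch.transport.TransportRequest;
@@ -103,13 +104,14 @@ public class AuthorizationService {
  private final AuthorizationEngine rbacEngine;
  private final AuthorizationEngine authorizationEngine;
  private final Set<RequestInterceptor> requestInterceptors;
+ private final XPackLicenseState licenseState;
  private final boolean isAnonymousEnabled;
  private final boolean anonymousAuthzExceptionEnabled;
 
  public AuthorizationService(Settings settings, CompositeRolesStore rolesStore, ClusterService clusterService,
  AuditTrailService auditTrail, AuthenticationFailureHandler authcFailureHandler,
  ThreadPool threadPool, AnonymousUser anonymousUser, @Nullable AuthorizationEngine authorizationEngine,
- Set<RequestInterceptor> requestInterceptors) {
+ Set<RequestInterceptor> requestInterceptors, XPackLicenseState licenseState) {
  this.clusterService = clusterService;
  this.auditTrail = auditTrail;
  this.indicesAndAliasesResolver = new IndicesAndAliasesResolver(settings, clusterService);
@@ -122,6 +124,7 @@ public AuthorizationService(Settings settings, CompositeRolesStore rolesStore, C
  this.authorizationEngine = authorizationEngine == null ? this.rbacEngine : authorizationEngine;
  this.requestInterceptors = requestInterceptors;
  this.settings = settings;
+ this.licenseState = licenseState;
  }
 
  public void checkPrivileges(Authentication authentication, HasPrivilegesRequest request,
@@ -349,10 +352,14 @@ AuthorizationEngine getAuthorizationEngine(final Authentication authentication)
  }
 
  private AuthorizationEngine getAuthorizationEngineForUser(final User user) {
- if (ClientReservedRealm.isReserved(user.principal(), settings) || isInternalUser(user)) {
- return rbacEngine;
+ if (rbacEngine != authorizationEngine && licenseState.isAuthorizationEngineAllowed()) {
+ if (ClientReservedRealm.isReserved(user.principal(), settings) || isInternalUser(user)) {
+ return rbacEngine;
+ } else {
+ return authorizationEngine;
+ }
  } else {
- return authorizationEngine;
+ return rbacEngine;
  }
  }
 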

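--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -85,6 +85,7 @@
  import org.elasticsearch.common.util.concurrent.ThreadContext;
  import org.elasticsearch.index.IndexNotFoundException;
  import org.elasticsearch.index.shard.ShardId;
+ import org.elasticsearch.license.XPackLicenseState;
  import org.elasticsearch.test.ESTestCase;
  import org.elasticsearch.threadpool.ThreadPool;
  import org.elasticsearch.transport.TransportActionProxy;
@@ -144,7 +145,6 @@
  import java.util.Set;
  import java.util.UUID;
  import java.util.concurrent.CountDownLatch;
- import java.util.function.Function;
  import java.util.function.Predicate;
 
  import static java.util.Arrays.asList;
@@ -233,7 +233,7 @@ public void setup() {
  roleMap.put(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR.getName(), ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR);
  authorizationService = new AuthorizationService(settings, rolesStore, clusterService,
  auditTrail, new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool, new AnonymousUser(settings), null,
- Collections.emptySet());
+ Collections.emptySet(), new XPackLicenseState(settings));
  }
 
  private void authorize(Authentication authentication, String action, TransportRequest request) {
@@ -659,7 +659,8 @@ public void testDenialForAnonymousUser() {
  Settings settings = Settings.builder().put(AnonymousUser.ROLES_SETTING.getKey(), "a_all").build();
  final AnonymousUser anonymousUser = new AnonymousUser(settings);
  authorizationService = new AuthorizationService(settings, rolesStore, clusterService, auditTrail,
- new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool, anonymousUser, null, Collections.emptySet());
+ new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool, anonymousUser, null, Collections.emptySet(),
+ new XPackLicenseState(settings));
 
  RoleDescriptor role = new RoleDescriptor("a_all", null,
  new IndicesPrivileges[] { IndicesPrivileges.builder().indices("a").privileges("all").build() }, null);
@@ -687,7 +688,7 @@ public void testDenialForAnonymousUserAuthorizationExceptionDisabled() {
  final Authentication authentication = createAuthentication(new AnonymousUser(settings));
  authorizationService = new AuthorizationService(settings, rolesStore, clusterService, auditTrail,
  new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool, new AnonymousUser(settings), null,
- Collections.emptySet());
+ Collections.emptySet(), new XPackLicenseState(settings));
 
  RoleDescriptor role = new RoleDescriptor("a_all", null,
  new IndicesPrivileges[]{IndicesPrivileges.builder().indices("a").privileges("all").build()}, null);
@@ -1391,36 +1392,60 @@ public void getUserPrivileges(Authentication authentication, AuthorizationInfo a
  }
  };
 
+ XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
  authorizationService = new AuthorizationService(Settings.EMPTY, rolesStore, clusterService,
  auditTrail, new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool, new AnonymousUser(Settings.EMPTY),
- engine, Collections.emptySet());
+ engine, Collections.emptySet(), licenseState);
  Authentication authentication = createAuthentication(new User("test user", "a_all"));
  assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
+ assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
 
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
  authentication = createAuthentication(new User("runas", new String[] { "runas_role" }, new User("runner", "runner_role")));
  assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
  assertEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
+ assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
+ assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
 
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
  authentication = createAuthentication(new User("runas", new String[] { "runas_role" }, new ElasticUser(true)));
  assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
  assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
  assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
+ assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
+ assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
 
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
  authentication = createAuthentication(new User("elastic", new String[] { "superuser" }, new User("runner", "runner_role")));
  assertNotEquals(engine, authorizationService.getAuthorizationEngine(authentication));
  assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
  assertEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
+ assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
+ assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
 
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
  authentication = createAuthentication(new User("kibana", new String[] { "kibana_system" }, new ElasticUser(true)));
  assertNotEquals(engine, authorizationService.getAuthorizationEngine(authentication));
  assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
  assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
  assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
+ assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
+ assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
 
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
  authentication = createAuthentication(randomFrom(XPackUser.INSTANCE, XPackSecurityUser.INSTANCE,
  new ElasticUser(true), new KibanaUser(true)));
  assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
  assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
+ when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
+ assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
+ assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
  }
 
  static AuthorizationInfo authzInfoRoles(String[] expectedRoles) {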
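Review bot: The last hunk repeats the same three-line block six times — flip the mock to `false`, assert both engines are `RBACEngine`, flip back to `true` on the next case — which buries the one assertion that matters for each user under boilerplate and makes it easy for a future case to miss the license-disallowed check. A small helper that toggles the mock, asserts the fallback for both the authenticated and run-as engine, and restores the permissive state would let each case read as "license allowed → engine, license disallowed → RBAC". The first case ("test user") asserts only getAuthorizationEngine under the disallowed license while every later case also asserts getRunAsAuthorizationEngine; presumably that is because there is no run-as user there, but the helper would make the cases uniform anyway. The enclosing test method starts outside the hunk, so the helper would sit beside it as a private method of the test class.
```java
// … unchanged: test method body, with each repeated block replaced by a call to the helper …
private void assertRbacEngineWhenLicenseDisallows(XPackLicenseState licenseState, Authentication authentication) {
    when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
    assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
    assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
    // restore the permissive state so the next case starts from a license that allows the engine
    when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
}
```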
