Add delegated authorization (lookup realms) to LDAP #32156
Merged
tvernum merged 5 commits into elastic:security-lookup-realms from Jul 19, 2018
This allows an LDAP realm (but not, in this commit, Active Directory) to delegate the User construction to one or more other realms. The LDAP realm caches the user in order to avoid hitting the directory to authenticate every action, but this cache is only used for password checking. The delegated realms are consulted for each request and this relies on the cache for each of those realms.
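The flow described above, as an added example that is not part of the original pull request and is not Elasticsearch code: a small Python model in which the authenticating realm caches only a password hash and builds the user from a delegate on every request. The class names, the dictionary standing in for the directory, and the behaviour when no delegate knows the user are assumptions made for illustration; the delegates' own caches are not modelled.

```python
import hashlib, hmac, os

class LookupRealm:
    """Hypothetical lookup realm: resolves a user by name, never sees a password."""
    def __init__(self, users):
        self.users = users                # username -> set of roles (constructed data)
    def lookup(self, username):
        roles = self.users.get(username)
        return None if roles is None else {"name": username, "roles": set(roles)}

class DelegatingLdapRealm:
    """Model of an authenticating realm that delegates User construction."""
    def __init__(self, directory, delegates):
        self.directory = directory        # stand-in for the LDAP server: name -> password
        self.delegates = delegates        # consulted in order on every request
        self.cache = {}                   # username -> (salt, hash); credential check only
        self.directory_binds = 0          # counts round trips to the directory

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def _password_ok(self, username, password):
        entry = self.cache.get(username)
        if entry is not None:
            salt, digest = entry
            if hmac.compare_digest(digest, self._hash(salt, password)):
                return True               # cache hit: no directory round trip
        self.directory_binds += 1         # cache miss or mismatch: ask the directory
        if self.directory.get(username) != password:
            self.cache.pop(username, None)  # never keep an entry the directory rejected
            return False
        salt = os.urandom(16)
        self.cache[username] = (salt, self._hash(salt, password))
        return True

    def authenticate(self, username, password):
        if not self._password_ok(username, password):
            return None
        for realm in self.delegates:      # the User always comes from a delegate
            user = realm.lookup(username)
            if user is not None:
                return user
        return None  # assumption: unknown to every delegate means an unsuccessful result
```

Because no roles are stored in the authenticating realm's cache, a role change in a delegate is visible on the next request even though the password check is still served from the cache.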
Collaborator
Pinging @elastic/es-security
jaymode
approved these changes
Jul 18, 2018
Member
jaymode
left a comment
I left a naming comment but otherwise LGTM
| * The default implementation returns a {@link AuthenticationResult#success(User) success result} with the | ||
| * provided user, but sub-classes can return a different {@code User} object, or an unsuccessful result. | ||
| */ | ||
| protected void restoreCachedUser(User user, ActionListener<AuthenticationResult> listener) { |
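Review bot: In the Javadoc above restoreCachedUser, "returns a ... success result" and "sub-classes can return a different User object" describe a return value, but the method is void and reports through the ActionListener<AuthenticationResult> argument. Suggest wording it as "notifies the listener with" and stating that an override must complete the listener on every path, including the unsuccessful one, so that a request cannot be left waiting for a result.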
Member
maybe handleCachedUser ? I'm not sure what restore means in this case
Contributor
Author
handle is good - I struggled with naming this method.