[Kerberos] Add authorization realms support to Kerberos realm#32392
This commit allows the Kerberos realm to delegate `User` creation to the configured authorization realms. If no authorization realms are configured, then the Kerberos realm uses the native role mapper to resolve the `User`.
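The two resolution paths described above, shown as a configuration fragment. This is an added example and not part of the PR or of the Elasticsearch documentation; it assumes the 6.x-era realm key layout (`xpack.security.authc.realms.<realm-name>.*`), the hypothetical realm names `kerb1` and `ldap1`, and a hypothetical keytab path and LDAP URL.

```yaml
# Added example, not from the PR. Realm names (kerb1, ldap1), the keytab path
# and the LDAP URL are assumptions; the key layout assumed is the 6.x one.

xpack.security.authc.realms.kerb1:
  type: kerberos
  order: 2
  keytab.path: es.keytab
  # With this line present the Kerberos realm only validates the SPNEGO ticket;
  # the principal name is then handed to ldap1, which looks the user up and
  # supplies roles. kerb1's own role mappings are not consulted.
  # Remove this line to fall back to the native role mapper (role_mapping.yml
  # or the role-mapping API), keyed on the authenticated principal name.
  authorization_realms: ldap1

xpack.security.authc.realms.ldap1:
  type: ldap
  order: 3
  url: "ldaps://ldap.example.com:636"
  # remaining ldap1 settings (bind_dn, user_search.base_dn, group search) omitted
```

Two checks before relying on delegation: the delegated realm has to be able to find the principal under the name the Kerberos realm passes along (including the `@REALM` suffix unless it is stripped), and any lookup failure in `ldap1` now fails the whole authentication even though the Kerberos ticket itself was valid, so watch the delegated realm's logs when users who authenticate fine suddenly get rejected.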
Pinging @elastic/es-security
tvernum
left a comment
You don't seem to add the new setting in KerberosRealmSettings
This commit adds missing authorization settings in Kerberos realm settings.
Thanks, @tvernum. I have addressed your review comment. Please review when you get some time.
jaymode
left a comment
I left a couple of comments. Otherwise LGTM
```java
if (delegatedRealms.hasDelegation()) {
    delegatedRealms.resolve(username, ActionListener.wrap(result -> {
        if (result.isAuthenticated() && userPrincipalNameToUserCache != null) {
            userPrincipalNameToUserCache.put(username, result.getUser());
```
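Review bot: the `userPrincipalNameToUserCache.put(username, result.getUser())` on the delegated path copies a `User` owned by another realm into the Kerberos realm's own cache, so if this realm consults that cache before calling `delegatedRealms.resolve`, an invalidation on the delegated realm (a role-mapping or directory change) would not evict this copy and the stale roles would keep being served. Since `delegatedRealms.resolve` already goes through the delegated realm, which does its own caching, drop the `put` here and let the delegated realm remain the single place this user is cached.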
I don't think we need to cache here. The delegated realm resolved the user and it should be caching it. The kerberos realm will never use the cache entry that we add
Cool, I too did not want to add caching here but thought it would be consistent with others. I will remove it. Thank you.
```java
    is(equalTo(KerberosAuthenticationToken.NEGOTIATE_AUTH_HEADER_PREFIX + outToken)));
}
```
Removed the caching in case delegated realms are used for user resolution.
@elasticmachine, test this please.
albertzaharovits
left a comment
LGTM too Yogesh!
This commit allows the Kerberos realm to delegate `User` resolution to configured authorization realms. If the Kerberos realm is not configured with any authorization realms then it uses the native role mapper to resolve the `User`.