Skip to content

PKIRealm delegation unsupported without a truststore#45011

Merged
albertzaharovits merged 3 commits intoelastic:proxied-pkifrom
albertzaharovits:security-pki-delegation-forbid-delegation-without-trustore
Aug 1, 2019
Merged

PKIRealm delegation unsupported without a truststore#45011
albertzaharovits merged 3 commits intoelastic:proxied-pkifrom
albertzaharovits:security-pki-delegation-forbid-delegation-without-trustore

Conversation

@albertzaharovits
Copy link
Copy Markdown
Contributor

@albertzaharovits albertzaharovits commented Jul 30, 2019
edited
Loading

In the usual scenario, where the PKIRealm works without delegation, a trust configuration is not required at the realm settings scope. In this case the client's certificate chain has been validated by the TLS channel (HTTP), and the realm does not enforce any other extra chain validations. In this case the client's certificate is considered authenticated by the realm.

This no-op validation, without a trust configuration at the realm level, is incompatible with the delegation use-case. This commit adds a constructor check to the PKIRealm that will forbid toggling delegation.enabled without also setting a truststore. Otherwise, the delegation feature would not work at run-time (all API calls will be un-authorized).

Thanks Tim for pointing out this problem to me!

Relates #34396

@albertzaharovits albertzaharovits added the :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) label Jul 30, 2019
@albertzaharovits albertzaharovits self-assigned this Jul 30, 2019
@elasticmachine
Copy link
Copy Markdown
Collaborator

elasticmachine commented Jul 30, 2019

Pinging @elastic/es-security

bizybot
bizybot approved these changes Jul 31, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@bizybot bizybot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thank you.

tvernum
tvernum approved these changes Jul 31, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@albertzaharovits @bizybot
Update x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/s…
6fe3589 
…ecurity/authc/pki/PkiRealm.java

Co-Authored-By: Yogesh Gaikwad <902768+bizybot@users.noreply.github.com>
@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Jul 31, 2019

@elasticmachine run elasticsearch-ci/default-distro

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Jul 31, 2019

@elasticmachine run elasticsearch-ci/bwc

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Jul 31, 2019

@elasticmachine run elasticsearch-ci/default-distro

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Jul 31, 2019

@elasticmachine run elasticsearch-ci/bwc

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Jul 31, 2019

@elasticmachine run elasticsearch-ci/default-distro

@albertzaharovits albertzaharovits merged commit 16496d6 into elastic:proxied-pki Aug 1, 2019
@albertzaharovits albertzaharovits deleted the security-pki-delegation-forbid-delegation-without-trustore branch August 1, 2019 05:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tvernum tvernum tvernum approved these changes

+1 more reviewer

@bizybot bizybot bizybot approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@albertzaharovits albertzaharovits

Labels

:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@albertzaharovits @elasticmachine @bizybot @tvernum