Add tracing for authorization #80815
Conversation
* Can be turned off with xpack.security.authz.tracing: false
* AuthZ is tied to the relevant task by traceparent (it however does not cover the first authZ)
* x-opaque-id is auto-configured at the REST layer if it does not already exist. This helps chain all relevant actions together.
* ApmIT now has security enabled.
| // Populate x-opaque-id if not already exists to chain all related actions together | ||
| if (authentication != null && false == SystemUser.is(authentication.getUser())) { | ||
| if (threadContext.getHeader(Task.X_OPAQUE_ID) == null) { | ||
| threadContext.putHeader(Task.X_OPAQUE_ID, UUIDs.base64UUID()); | ||
| } | ||
| } |
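Review bot: `threadContext.putHeader(Task.X_OPAQUE_ID, UUIDs.base64UUID())` runs for every non-system authenticated request that arrives without the header, and nothing in this hunk consults the `xpack.security.authz.tracing` setting the PR introduces, so the header is generated even when tracing is switched off. Because X-Opaque-Id is a request-wide header that other consumers read, clients that never sent one will now carry a server-generated value; either gate the `putHeader` on the setting or state the new behaviour in the setting's documentation.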
X-Opaque-Id automatically gets populated across related tasks and also across nodes. This could be an alternative to chain all things together. It does not differentiate between parent and child, but it may not matter since the timestamp should tell most of the story?
I like capturing this, if we have it we might as well use it - if nothing else, it provides an easy way to go find the trace for a request you just made if you're running this on a live system.
Yes, it is attached to every span in ApmTracer#onTraceStarted
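To make the thread above concrete, here is an added stand-alone Python model of the two correlation mechanisms it discusses: X-Opaque-Id is generated at the REST layer only when the client did not send one and is then shared by every authorization span of the request, while traceparent links the shard-level authorizations to the task span but cannot cover the first authorization, which happens before any task span exists. This is example code written for this page, not Elasticsearch code and not part of the PR; `ThreadContext`, `rest_entry`, `authorize`, `start_task`, the `AuthzSpan` record and the sample action names are assumptions constructed for the illustration.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Header names as they appear on the wire: the Elasticsearch task header
# discussed in the PR and the W3C Trace Context header.
X_OPAQUE_ID = "X-Opaque-Id"
TRACEPARENT = "traceparent"
SYSTEM_USER = "_system"  # assumed name for the internal user that is never traced


def format_traceparent(trace_id: str, span_id: str) -> str:
    """W3C traceparent layout: version-traceid-spanid-flags (flags 01 = sampled)."""
    return f"00-{trace_id}-{span_id}-01"


def parse_traceparent(value: str) -> Tuple[str, str]:
    """Return (trace_id, span_id); reject anything that is not a well-formed header."""
    parts = value.split("-")
    if len(parts) != 4 or parts[0] != "00" or len(parts[1]) != 32 or len(parts[2]) != 16:
        raise ValueError(f"malformed traceparent: {value!r}")
    return parts[1], parts[2]


@dataclass(frozen=True)
class AuthzSpan:
    """One authorization decision as the tracer would report it (constructed record)."""
    action: str
    user: str
    opaque_id: str
    trace_id: Optional[str]        # None when no task span existed yet
    parent_span_id: Optional[str]  # None for the first authZ of a request


class ThreadContext:
    """Assumed stand-in for the per-request header map."""
    def __init__(self) -> None:
        self.headers: Dict[str, str] = {}


def rest_entry(client_headers: Dict[str, str]) -> ThreadContext:
    """REST layer: keep the client's headers and add X-Opaque-Id only if absent
    (the populate-if-absent behaviour from the PR); a client-supplied id is preserved."""
    ctx = ThreadContext()
    ctx.headers.update(client_headers)
    if X_OPAQUE_ID not in ctx.headers:
        ctx.headers[X_OPAQUE_ID] = secrets.token_urlsafe(16)
    return ctx


def authorize(ctx: ThreadContext, user: str, action: str, spans: List[AuthzSpan]) -> None:
    """Record an authorization span; system-user actions produce none."""
    if user == SYSTEM_USER:
        return
    trace_id = parent = None
    if TRACEPARENT in ctx.headers:  # only present once a task span has started
        trace_id, parent = parse_traceparent(ctx.headers[TRACEPARENT])
    spans.append(AuthzSpan(action, user, ctx.headers[X_OPAQUE_ID], trace_id, parent))


def start_task(ctx: ThreadContext) -> str:
    """Start the task span and publish its traceparent so child actions inherit it."""
    if TRACEPARENT in ctx.headers:          # assumed: continue a client-supplied trace
        trace_id, _ = parse_traceparent(ctx.headers[TRACEPARENT])
    else:
        trace_id = secrets.token_hex(16)
    span_id = secrets.token_hex(8)
    ctx.headers[TRACEPARENT] = format_traceparent(trace_id, span_id)
    return span_id


def simulate_search(user: str, client_headers: Optional[Dict[str, str]] = None) -> List[AuthzSpan]:
    """One search: coordinating authZ happens before the task span exists,
    then two shard-level actions (sample action names) are authorized under it."""
    spans: List[AuthzSpan] = []
    ctx = rest_entry(dict(client_headers or {}))
    authorize(ctx, user, "indices:data/read/search", spans)  # first authZ: no traceparent yet
    start_task(ctx)
    for shard_action in ("indices:data/read/search[phase/query]",
                         "indices:data/read/search[phase/fetch/id]"):
        authorize(ctx, user, shard_action, spans)
    return spans


def chain_by_opaque_id(spans: List[AuthzSpan]) -> Dict[str, List[str]]:
    """Group every authorization of a request together, parent and child alike."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for s in spans:
        groups[s.opaque_id].append(s.action)
    return dict(groups)


def roots_and_children(spans: List[AuthzSpan]) -> Tuple[List[str], List[str]]:
    """Split spans into those traceparent cannot attach (no parent) and task children."""
    roots = [s.action for s in spans if s.parent_span_id is None]
    children = [s.action for s in spans if s.parent_span_id is not None]
    return roots, children


if __name__ == "__main__":
    for span in simulate_search("test_user"):
        print(span)
```

Running the module shows three spans with one shared opaque id: the first has no parent span id, the two shard-phase spans share the task's span id, which is exactly the gap and the complement the comments above describe. Passing `{"X-Opaque-Id": "client-req-42"}` as client headers shows the supplied id being kept rather than overwritten.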
| APMTracer.APM_TOKEN_SETTING.getKey(), | ||
| System.getProperty("tests.apm.token", "") | ||
| ); | ||
| builder.put("xpack.security.authz.tracing", true); |
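Review bot: `builder.put("xpack.security.authz.tracing", true)` hard-codes the setting name as a string literal while the line above uses `APMTracer.APM_TOKEN_SETTING.getKey()`; if the new setting is exposed as a `Setting<Boolean>` constant, referencing its `getKey()` here keeps the integration test from silently testing nothing after a rename.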
A new setting to enable/disable authZ tracing.
| client().prepareSearch() | ||
| .setQuery(new RangeQueryBuilder("@timestamp").gt("2021-11-01")) | ||
| .setSearchType(SearchType.QUERY_THEN_FETCH) | ||
| .setPreFilterShardSize(1) | ||
| .execute() | ||
| .actionGet(10, TimeUnit.SECONDS); | ||
| final Request searchRequest = new Request("GET", "_search"); | ||
| searchRequest.addParameter("search_type", "query_then_fetch"); | ||
| searchRequest.addParameter("pre_filter_shard_size", "1"); | ||
| searchRequest.setJsonEntity("{\"query\":{\"range\":{\"@timestamp\":{\"gt\":\"2021-11-01\"}}}}"); | ||
| searchRequest.setOptions( | ||
| searchRequest.getOptions() | ||
| .toBuilder() | ||
| .addHeader( | ||
| "Authorization", | ||
| UsernamePasswordToken.basicAuthHeaderValue( | ||
| SecuritySettingsSource.TEST_USER_NAME, | ||
| new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray()) | ||
| ) | ||
| ) | ||
| ); | ||
|
|
||
| final Response searchResponse = getRestClient().performRequest(searchRequest); |
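Review bot: the REST request only sets an `Authorization` header, so the test exercises the branch where the REST layer has to generate an X-Opaque-Id but not the branch where a client-supplied one must be preserved; a second request that adds an explicit `X-Opaque-Id` header and asserts the same value on the resulting spans would cover the other half of the populate-if-absent logic. The transport-level `client().prepareSearch()` call kept above the REST request should also say in a comment which spans the test expects from it, given that it bypasses the REST authentication path.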
Issue the request at the REST layer so it goes through all authentication/authorization layers. Otherwise the first task is created without auth being triggered.
Pinging @elastic/es-distributed (Team:Distributed)

@elasticmachine run elasticsearch-ci/part-2
AthenaEryma left a comment:
LGTM! The concept of having separate flags for different parts of tracing is interesting, that might be a solution for something I've been trying to figure out.
| import java.util.List; | ||
| import java.util.concurrent.CopyOnWriteArrayList; | ||
|
|
||
| public class AuthorizationTracer { |
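Review bot: the new `public class AuthorizationTracer` has no class-level Javadoc; a short description of what it reports (authorization decisions, excluding the system user), how it is switched off via `xpack.security.authz.tracing`, and how it relates to `APMTracer` would make the split between the xpack module and the APM bridge clear to the next reader. The `CopyOnWriteArrayList` import suggests a listener list, so the thread-safety expectation for registering listeners belongs in that doc as well.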
We should consolidate and/or standardize these ThingTracer classes at some point. Not for this PR though.
I agree. We could provide a common (base) bridging class between the xpack module and APMTracer.
Thanks for the review @gwbrown

@elasticmachine run elasticsearch-ci/bwc

@elasticmachine run elasticsearch-ci/part-2
This PR adds tracing reports for any authorizations except those for the _system user. AuthZ is tied to the relevant task by traceparent (it however does not cover the first authZ). This helps chain all relevant actions together.