
Fix can access resource checks for API Keys with run as #84431

Merged: elasticsearchmachine merged 5 commits into elastic:8.1 from albertzaharovits:backport-81-can-access-resource-of on Feb 28, 2022

@albertzaharovits (Contributor) commented Feb 28, 2022

This fixes two things for the "can access" authz check:

  • API Keys running as, have access to the resources created by the effective run as user
  • tokens created by API Keys (with the client credentials) have access to the API Key's resources

In addition, this PR moves some of the authz plumbing code from the
Async and Scroll services classes under the Security Context class (as a
minor refactoring).

albertzaharovits and others added 4 commits February 28, 2022 16:31

@albertzaharovits
Contributor Author

Backport of #84277

@albertzaharovits added the auto-merge-without-approval label (Automatically merge pull request when CI checks pass; NB doesn't wait for reviews!) Feb 28, 2022

@albertzaharovits
Contributor Author

@elasticmachine run elasticsearch-ci/part-2

@albertzaharovits
Contributor Author

@elasticmachine update branch

@albertzaharovits
Contributor Author

@elasticmachine test this please

@albertzaharovits added the :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC) and >non-issue labels Feb 28, 2022
@elasticmachine added the Team:Security label (Meta label for security team) Feb 28, 2022

@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine merged commit 2c1b34b into elastic:8.1 Feb 28, 2022
@albertzaharovits deleted the backport-81-can-access-resource-of branch February 28, 2022 18:38

Labels

  • auto-merge-without-approval (Automatically merge pull request when CI checks pass; NB doesn't wait for reviews!)
  • backport
  • >non-issue
  • :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC)
  • Team:Security (Meta label for security team)
  • v8.1.0
