Prevent Kerberos and PKI providers from initiating a new session for unauthenticated XHR/API requests.#82817
Conversation
.github/CODEOWNERS
Outdated
There was a problem hiding this comment.
note: just continue moving the remaining tests whenever I have chance.
9430012 to
1291abb
Compare
There was a problem hiding this comment.
note: I'm not sure why we weren't checking the canStartNewSession here before, but I cannot find any reason why we shouldn't do it now. And we also should give a higher priority to the current session as well.
There was a problem hiding this comment.
note: I'll remove this stupid setup in the scope of #80952 soon.
There was a problem hiding this comment.
note: recently we started to treat all /internal/.... as API requests (canRedirectRequest === false).
|
Pinging @elastic/kibana-security (Team:Security) |
…unauthenticated XHR requests.
1291abb to
0b6369e
Compare
|
Took the liberty of force-pushing to this branch to resolve conflicts with the most recent |
|
ACK: will review on Monday or Tuesday next week |
| } | ||
|
|
||
| // If refresh token is no longer valid, then we should clear session and renegotiate using SPNEGO. | ||
| // If refresh token is no longer valid, let's check if the request is allowed to start a new session, and if so try |
There was a problem hiding this comment.
Is this comment still valid? It seems like we don't have to check if the request is allowed to start a new session anymore, since authentication via refresh token is extending an existing session.
There was a problem hiding this comment.
You're absolutely right! This looks like a leftover from one of my initial WIPs, will fix, thanks!
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
…unauthenticated XHR/API requests. (elastic#82817) * Prevent Kerberos and PKI providers from initiating a new session for unauthenticated XHR requests. * Review#1: fix comment. # Conflicts: # .github/CODEOWNERS # x-pack/scripts/functional_tests.js
|
7.x/7.11.0: 129f4df |
* master: (39 commits) Fix ilm navigation (elastic#81664) [Lens] Distinct icons for XY and pie chart value labels toolbar (elastic#82927) [data.search.aggs] Throw an error when trying to create an agg type that doesn't exist. (elastic#81509) Index patterns api - load field list on server (elastic#82629) New events resolver (elastic#82170) [App Search] Misc naming tech debt (elastic#82770) load empty_kibana in test to have clean starting point (elastic#82772) Remove data <--> expressions circular dependencies. (elastic#82685) Update 8.0 breaking change template to gather information on how to programmatically detect it. (elastic#82905) Add alerting as codeowners to related documentation folder (elastic#82777) Add captions to user and space grid pages (elastic#82713) add alternate path for x-pack/Cloud test for Lens (elastic#82634) Uses asCurrentUser in getClusterUuid (elastic#82908) [Alerting][Connectors] Add new executor subaction to get 3rd party case fields (elastic#82519) Fix test import objects (elastic#82767) [ML] Add option for anomaly charts for metric detector should plot min, mean or max as appropriate (elastic#81662) Update alert type selection layout to rows instead of grid (elastic#73665) Prevent Kerberos and PKI providers from initiating a new session for unauthenticated XHR/API requests. (elastic#82817) Update grunt and related packages (elastic#79327) Allow the repository to search across all namespaces (elastic#82863) ...
See the detailed description of the problem in #78260. But in short the idea is following:
When we re-initiate session because of expired access/refresh token it doesn't matter if it's an API request or not since the user-facing session is still valid and the fact that we're internally using tokens is just an implementation detail. Same for requests that don't require authentication, if we have a valid Kibana session and we can re-acquire tokens without user involvement then we should do it.
Fixes: #78260
Release note: previously API request could create a new PKI or Kerberos session without user even realizing it. With this fix we use a bit more sophisticated heuristic to know when a new session is really desired.