Skip to content

Integrate api keys with the authentication service#35555

Merged
jaymode merged 3 commits intoelastic:security_api_keysfrom
jaymode:api_key_authc_authz
Nov 27, 2018
Merged

Integrate api keys with the authentication service#35555
jaymode merged 3 commits intoelastic:security_api_keysfrom
jaymode:api_key_authc_authz

Conversation

@jaymode
Copy link
Copy Markdown
Member

@jaymode jaymode commented Nov 14, 2018

This commit integrates usage of the api key service into the
authentication service for verification of api keys. A bug was fixed in
the validation of api keys where the structure of the document was not
being used properly. Additionally, unit tests have been added for
authentication with api keys.

@jaymode
Integrate api keys with the authentication service
31e8cd9 
This commit integrates usage of the api key service into the
authentication service for verification of api keys. A bug was fixed in
the validation of api keys where the structure of the document was not
being used properly. Additionally, unit tests have been added for
authentication with api keys.
@jaymode jaymode added >non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Nov 14, 2018
@elasticmachine
Copy link
Copy Markdown
Collaborator

elasticmachine commented Nov 14, 2018

Pinging @elastic/es-security

@tvernum tvernum self-requested a review November 14, 2018 20:31
bizybot
bizybot reviewed Nov 26, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@bizybot bizybot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The overall changes LGTM, I have a comment regarding termination on the expired API key.

...ecurity/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java Outdated
threadContext.putHeader("Authorization", headerValue);
ElasticsearchSecurityException e = expectThrows(ElasticsearchSecurityException.class,
() -> authenticateBlocking("_action", message, null));
assertThat(e.getMessage(), containsString("missing authentication token"));
Copy link
Copy Markdown
Contributor

@bizybot bizybot Nov 25, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be Authentication using apikey failed - api key is expired.
The reason this test passed is since we do not terminate authentication chain when encountered with expired API key.
I think we should terminate if expired API key is presented, no other realms should attempt to authenticate if we know that it has expired, wdyt?

Copy link
Copy Markdown
Contributor

@tvernum tvernum Nov 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think @bizybot is correct - we probably need some of the failure cases in ApiKeyService.authenticateWithApiKeyIfPresent to have a terminate status instead of continue.

If I'm passing an API Key over TLS, then it would be very strange (and hard to debug) if the authentication use the API Key right up until it expired and then suddenly switched to PKI auth.

tvernum
tvernum reviewed Nov 26, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have no concerns other than the one @bizybot raised.

albertzaharovits
albertzaharovits approved these changes Nov 26, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jaymode jaymode merged commit 22624cf into elastic:security_api_keys Nov 27, 2018
@jaymode jaymode deleted the api_key_authc_authz branch November 27, 2018 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tvernum tvernum tvernum left review comments

@albertzaharovits albertzaharovits albertzaharovits approved these changes

+1 more reviewer

@bizybot bizybot bizybot left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

>non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jaymode @elasticmachine @bizybot @tvernum @albertzaharovits