Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pluggable authorization engines #32435

Closed
joshbressers opened this issue Jul 27, 2018 · 3 comments
Closed

Pluggable authorization engines #32435

joshbressers opened this issue Jul 27, 2018 · 3 comments
Assignees
Labels
>feature :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC

Comments

@joshbressers
Copy link

The elasticsearch security codebase currently has a single authorization service that is backed by roles for role based access control. As we move forward and consider different methods of authorization we should consider having a different backing that could be supported by policies to accomplish ABAC. This also will provide a way for customers that want to implement their own authorization service a way to do so; many large organizations have a single place where authorization rules are kept and there is a desire to be able to reach out to these to make the authorization decisions.

@joshbressers joshbressers added the :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC label Jul 27, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@joshbressers
Copy link
Author

Here is an idea @jaymode put together for this

  • The methods are asynchronous as blocking on a network call is not something that will work in elasticsearch
  • Caching is left to the implementer as authorization decisions are not cached in elasticsearch
  • Auditing is left to the implementer, which allows for auditing decisions to be made based on a policy
  • There is no enum of operations, but instead the action name is passed
public abstract class Authorizer {

    public abstract void authorizeRunAs(User authenticatedUser, User runAsUser, ActionListener<AuthorizationDecision> listener);

    public abstract void authorizeCluster(String action, Transport request, ActionListener<AuthorizationDecision> listener);

    public abstract void authorizeIndicesAction(String action, ActionListener<AuthorizationDecision> listener);

    public abstract void authorizeIndices(String action, TransportRequest request, ActionListener<IndicesAccessControl> listener);

    public static class AuthorizationDecision {
        private final boolean authorized;
        private final String details;

        public AuthorizationDecision(boolean authorized, @Nullable String details) {
            this.authorized = authorized;
            this.details = details;
        }

        public boolean isAuthorized() {
            return authorized;
        }

        @Nullable
        public String getDetails() {
            return details;
        }
    }
}

@elastic elastic deleted a comment from joshbressers Jul 27, 2018
@bizybot
Copy link
Contributor

bizybot commented Jul 29, 2018

I like this and can see from the referenced issues that customers do want it.
Just as we are thinking of ABAC as something that we can accomplish, I think we should also pass on the environment/context(naming!) in which the permissions are being evaluated. Just to elaborate on the environment it could be the time of action, the location of action, device from where action is requested etc. As this could be an API implemented by the third party, an explicit passing of environment might be expected.

jaymode added a commit that referenced this issue Jan 7, 2019
In order to support the concept of different authorization engines, this
change begins the refactoring of the AuthorizationService to support
this. Previously, the asynchronous work for authorization was performed
by the AsyncAuthorizer class, but this tied the authorization service
to a role based implementation. In this change, the authorize method
become asynchronous and delegates much of the actual permission checking
to an AuthorizationEngine. The pre-existing RBAC permission checking
has been abstracted into the RBACEngine. The majority of calls to
AuthorizationEngine instances are asynchronous as the underlying
implementation may need to make network calls that should not block
the current thread, which are often network threads.

This change is meant to be built upon. The basic concepts are introduced
without proper documentation, plumbing to enable other
AuthorizationEngine types, and some items we may want to refactor.
For example, the AuthorizedIndices class is lazily loaded but this might
actually be something we want to make asynchronous. We pass a lot of the
same arguments to the various methods and it would be prudent to wrap
these in a class; this class would provide a way for us to pass
additional items needed by future enhancements without breaking the
interface and requiring updates to all implementations.

See #32435
jaymode added a commit to jaymode/elasticsearch that referenced this issue Feb 1, 2019
commit 05b3a571658312fa4259b652d9b8478ecec278e7
Author: jaymode <jay@elastic.co>
Date:   Thu Jan 31 15:48:48 2019 -0700

    Move request interceptors to AuthorizationService

    This change moves the RequestInterceptor iteration from the action
    filter to the AuthorizationService. This is done to remove the need
    for the use of a role within the request interceptors and replace it
    with the AuthorizationEngine. The AuthorizationEngine interface was
    also enhanced with a new method that is used to determine if a users
    permission on one index is a subset of their permissions on a list
    of indices or aliases.

    Additionally, this change addresses some leftover cleanups.

commit 0e1c191
Merge: 3280607 b7de8e1
Author: jaymode <jay@elastic.co>
Date:   Thu Jan 31 08:56:45 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 3280607
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Tue Jan 29 14:17:37 2019 -0700

    Allow authorization engines as an extension (elastic#37785)

    Authorization engines can now be registered by implementing a plugin,
    which also has a service implementation of a security extension. Only
    one extension may register an authorization engine and this engine will
    be used for all users except reserved realm users and internal users.

commit d628008
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 29 10:06:09 2019 -0700

    fix RBACEngine after restricted indices changes

commit 5074683
Merge: 74f2e99 3c9f703
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 29 08:09:39 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 74f2e99
Merge: 7846ee8 899dfc3
Author: jaymode <jay@elastic.co>
Date:   Fri Jan 25 15:02:07 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 7846ee8
Merge: b9a2c81 a81931b
Author: jaymode <jay@elastic.co>
Date:   Thu Jan 24 07:52:08 2019 -0700

    Merge branch 'master' into security_authz_engine

commit b9a2c81
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 22 09:48:11 2019 -0700

    Fix resolving restricted indices after merging

commit d98a77a
Merge: 83cde40 5c1a1f7
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 22 09:09:23 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 83cde40
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Tue Jan 22 08:03:19 2019 -0700

    Add javadoc to the AuthorizationEngine interface (elastic#37620)

    This commit adds javadocs to the AuthorizationEngine interface aimed at
    developers of an authorization engine. Additionally, some classes were
    also moved to the core project so that they are ready to be exposed
    once we allow authorization engines to be plugged in.

commit 9a240c6
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Thu Jan 17 19:33:35 2019 -0700

    Encapsulate request, auth, and action name (elastic#37495)

    This change introduces a new class called RequestInfo that encapsulates
    the common objects that are passed to the authorization engine methods.
    By doing so, we give ourselves a way of adding additional data without
    breaking the interface. Additionally, this also reduces the need to
    ensure we pass these three parameters in the same order everywhere for
    consistency.

commit 6278eab
Merge: c555a44 4351a5e
Author: jaymode <jay@elastic.co>
Date:   Thu Jan 17 07:51:32 2019 -0700

    Merge branch 'master' into security_authz_engine

commit c555a44
Merge: 1362ab6 ecf0de3
Author: jaymode <jay@elastic.co>
Date:   Wed Jan 16 10:24:33 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 1362ab6
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Wed Jan 16 10:23:45 2019 -0700

    Replace AuthorizedIndices class with a List (elastic#37328)

    This change replaces the AuthorizedIndices class with a simple list.
    The change to a simple list does remove the lazy loading of the
    authorized indices in favor of simpler code as the loading of this
    list is now an asynchronous operation that is delegated to the
    authorization engine.

commit 0246442
Merge: 8ccdc19 a2a40c5
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 15 10:49:12 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 8ccdc19
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Mon Jan 7 13:43:22 2019 -0700

    Introduce asynchronous RBACEngine (elastic#36245)

    In order to support the concept of different authorization engines, this
    change begins the refactoring of the AuthorizationService to support
    this. Previously, the asynchronous work for authorization was performed
    by the AsyncAuthorizer class, but this tied the authorization service
    to a role based implementation. In this change, the authorize method
    become asynchronous and delegates much of the actual permission checking
    to an AuthorizationEngine. The pre-existing RBAC permission checking
    has been abstracted into the RBACEngine. The majority of calls to
    AuthorizationEngine instances are asynchronous as the underlying
    implementation may need to make network calls that should not block
    the current thread, which are often network threads.

    This change is meant to be built upon. The basic concepts are introduced
    without proper documentation, plumbing to enable other
    AuthorizationEngine types, and some items we may want to refactor.
    For example, the AuthorizedIndices class is lazily loaded but this might
    actually be something we want to make asynchronous. We pass a lot of the
    same arguments to the various methods and it would be prudent to wrap
    these in a class; this class would provide a way for us to pass
    additional items needed by future enhancements without breaking the
    interface and requiring updates to all implementations.

    See elastic#32435
jaymode added a commit to jaymode/elasticsearch that referenced this issue Feb 4, 2019
commit 3e60a91
Author: jaymode <jay@elastic.co>
Date:   Mon Feb 4 12:34:23 2019 -0700

    add licensing for authorization engine

commit 1c9a8e1
Author: jaymode <jay@elastic.co>
Date:   Mon Feb 4 12:17:54 2019 -0700

    fix inconsistency in parameter name/type

commit 34aa55a
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Mon Feb 4 11:45:01 2019 -0700

    Authorization engines evaluate privileges for APIs (elastic#38219)

    This commit moves the evaluation of privileges from a few transport
    actions into the authorization engine. The APIs are used by other
    applications for making decisions and if a different authorization
    engine is used that is not role based, we should still allow these APIs
    to work. By moving this evaluation out of the transport action, the
    transport actions no longer have a dependency on roles.

commit 54d7b4c
Merge: e5615d2 715e581
Author: jaymode <jay@elastic.co>
Date:   Mon Feb 4 08:06:14 2019 -0700

    Merge branch 'master' into security_authz_engine

commit e5615d2
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Mon Feb 4 07:53:37 2019 -0700

    Move request interceptors to AuthorizationService (elastic#38137)

    This change moves the RequestInterceptor iteration from the action
    filter to the AuthorizationService. This is done to remove the need
    for the use of a role within the request interceptors and replace it
    with the AuthorizationEngine. The AuthorizationEngine interface was
    also enhanced with a new method that is used to determine if a users
    permission on one index is a subset of their permissions on a list
    of indices or aliases.

    Additionally, this change addresses some leftover cleanups.

commit 0e1c191
Merge: 3280607 b7de8e1
Author: jaymode <jay@elastic.co>
Date:   Thu Jan 31 08:56:45 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 3280607
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Tue Jan 29 14:17:37 2019 -0700

    Allow authorization engines as an extension (elastic#37785)

    Authorization engines can now be registered by implementing a plugin,
    which also has a service implementation of a security extension. Only
    one extension may register an authorization engine and this engine will
    be used for all users except reserved realm users and internal users.

commit d628008
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 29 10:06:09 2019 -0700

    fix RBACEngine after restricted indices changes

commit 5074683
Merge: 74f2e99 3c9f703
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 29 08:09:39 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 74f2e99
Merge: 7846ee8 899dfc3
Author: jaymode <jay@elastic.co>
Date:   Fri Jan 25 15:02:07 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 7846ee8
Merge: b9a2c81 a81931b
Author: jaymode <jay@elastic.co>
Date:   Thu Jan 24 07:52:08 2019 -0700

    Merge branch 'master' into security_authz_engine

commit b9a2c81
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 22 09:48:11 2019 -0700

    Fix resolving restricted indices after merging

commit d98a77a
Merge: 83cde40 5c1a1f7
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 22 09:09:23 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 83cde40
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Tue Jan 22 08:03:19 2019 -0700

    Add javadoc to the AuthorizationEngine interface (elastic#37620)

    This commit adds javadocs to the AuthorizationEngine interface aimed at
    developers of an authorization engine. Additionally, some classes were
    also moved to the core project so that they are ready to be exposed
    once we allow authorization engines to be plugged in.

commit 9a240c6
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Thu Jan 17 19:33:35 2019 -0700

    Encapsulate request, auth, and action name (elastic#37495)

    This change introduces a new class called RequestInfo that encapsulates
    the common objects that are passed to the authorization engine methods.
    By doing so, we give ourselves a way of adding additional data without
    breaking the interface. Additionally, this also reduces the need to
    ensure we pass these three parameters in the same order everywhere for
    consistency.

commit 6278eab
Merge: c555a44 4351a5e
Author: jaymode <jay@elastic.co>
Date:   Thu Jan 17 07:51:32 2019 -0700

    Merge branch 'master' into security_authz_engine

commit c555a44
Merge: 1362ab6 ecf0de3
Author: jaymode <jay@elastic.co>
Date:   Wed Jan 16 10:24:33 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 1362ab6
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Wed Jan 16 10:23:45 2019 -0700

    Replace AuthorizedIndices class with a List (elastic#37328)

    This change replaces the AuthorizedIndices class with a simple list.
    The change to a simple list does remove the lazy loading of the
    authorized indices in favor of simpler code as the loading of this
    list is now an asynchronous operation that is delegated to the
    authorization engine.

commit 0246442
Merge: 8ccdc19 a2a40c5
Author: jaymode <jay@elastic.co>
Date:   Tue Jan 15 10:49:12 2019 -0700

    Merge branch 'master' into security_authz_engine

commit 8ccdc19
Author: Jay Modi <jaymode@users.noreply.github.com>
Date:   Mon Jan 7 13:43:22 2019 -0700

    Introduce asynchronous RBACEngine (elastic#36245)

    In order to support the concept of different authorization engines, this
    change begins the refactoring of the AuthorizationService to support
    this. Previously, the asynchronous work for authorization was performed
    by the AsyncAuthorizer class, but this tied the authorization service
    to a role based implementation. In this change, the authorize method
    become asynchronous and delegates much of the actual permission checking
    to an AuthorizationEngine. The pre-existing RBAC permission checking
    has been abstracted into the RBACEngine. The majority of calls to
    AuthorizationEngine instances are asynchronous as the underlying
    implementation may need to make network calls that should not block
    the current thread, which are often network threads.

    This change is meant to be built upon. The basic concepts are introduced
    without proper documentation, plumbing to enable other
    AuthorizationEngine types, and some items we may want to refactor.
    For example, the AuthorizedIndices class is lazily loaded but this might
    actually be something we want to make asynchronous. We pass a lot of the
    same arguments to the various methods and it would be prudent to wrap
    these in a class; this class would provide a way for us to pass
    additional items needed by future enhancements without breaking the
    interface and requiring updates to all implementations.

    See elastic#32435
jaymode added a commit that referenced this issue Feb 5, 2019
For some users, the built in authorization mechanism does not fit their
needs and no feature that we offer would allow them to control the
authorization process to meet their needs. In order to support this,
a concept of an AuthorizationEngine is being introduced, which can be
provided using the security extension mechanism.

An AuthorizationEngine is responsible for making the authorization
decisions about a request. The engine is responsible for knowing how to
authorize and can be backed by whatever mechanism a user wants. The
default mechanism is one backed by roles to provide the authorization
decisions. The AuthorizationEngine will be called by the
AuthorizationService, which handles more of the internal workings that
apply in general to authorization within Elasticsearch.

In order to support external authorization services that would back an
authorization engine, the entire authorization process has become
asynchronous, which also includes all calls to the AuthorizationEngine.

The use of roles also leaked out of the AuthorizationService in our
existing code that is not specifically related to roles so this also
needed to be addressed. RequestInterceptor instances sometimes used a
role to ensure a user was not attempting to escalate their privileges.
Addressing this leakage of roles meant that the RequestInterceptor
execution needed to move within the AuthorizationService and that
AuthorizationEngines needed to support detection of whether a user has
more privileges on a name than another. The second area where roles
leaked to the user is in the handling of a few privilege APIs that
could be used to retrieve the user's privileges or ask if a user has
privileges to perform an action. To remove the leakage of roles from
these actions, the AuthorizationService and AuthorizationEngine gained
methods that enabled an AuthorizationEngine to return the response for
these APIs.

Ultimately this feature is the work included in:
#37785
#37495
#37328
#36245
#38137
#38219

Closes #32435
jaymode added a commit to jaymode/elasticsearch that referenced this issue Feb 6, 2019
For some users, the built in authorization mechanism does not fit their
needs and no feature that we offer would allow them to control the
authorization process to meet their needs. In order to support this,
a concept of an AuthorizationEngine is being introduced, which can be
provided using the security extension mechanism.

An AuthorizationEngine is responsible for making the authorization
decisions about a request. The engine is responsible for knowing how to
authorize and can be backed by whatever mechanism a user wants. The
default mechanism is one backed by roles to provide the authorization
decisions. The AuthorizationEngine will be called by the
AuthorizationService, which handles more of the internal workings that
apply in general to authorization within Elasticsearch.

In order to support external authorization services that would back an
authorization engine, the entire authorization process has become
asynchronous, which also includes all calls to the AuthorizationEngine.

The use of roles also leaked out of the AuthorizationService in our
existing code that is not specifically related to roles so this also
needed to be addressed. RequestInterceptor instances sometimes used a
role to ensure a user was not attempting to escalate their privileges.
Addressing this leakage of roles meant that the RequestInterceptor
execution needed to move within the AuthorizationService and that
AuthorizationEngines needed to support detection of whether a user has
more privileges on a name than another. The second area where roles
leaked to the user is in the handling of a few privilege APIs that
could be used to retrieve the user's privileges or ask if a user has
privileges to perform an action. To remove the leakage of roles from
these actions, the AuthorizationService and AuthorizationEngine gained
methods that enabled an AuthorizationEngine to return the response for
these APIs.

Ultimately this feature is the work included in: elastic#37785, elastic#37495, elastic#37328, elastic#36245, elastic#38137, elastic#38219

Closes elastic#32435
jaymode added a commit that referenced this issue Feb 6, 2019
For some users, the built in authorization mechanism does not fit their
needs and no feature that we offer would allow them to control the
authorization process to meet their needs. In order to support this,
a concept of an AuthorizationEngine is being introduced, which can be
provided using the security extension mechanism.

An AuthorizationEngine is responsible for making the authorization
decisions about a request. The engine is responsible for knowing how to
authorize and can be backed by whatever mechanism a user wants. The
default mechanism is one backed by roles to provide the authorization
decisions. The AuthorizationEngine will be called by the
AuthorizationService, which handles more of the internal workings that
apply in general to authorization within Elasticsearch.

In order to support external authorization services that would back an
authorization engine, the entire authorization process has become
asynchronous, which also includes all calls to the AuthorizationEngine.

The use of roles also leaked out of the AuthorizationService in our
existing code that is not specifically related to roles so this also
needed to be addressed. RequestInterceptor instances sometimes used a
role to ensure a user was not attempting to escalate their privileges.
Addressing this leakage of roles meant that the RequestInterceptor
execution needed to move within the AuthorizationService and that
AuthorizationEngines needed to support detection of whether a user has
more privileges on a name than another. The second area where roles
leaked to the user is in the handling of a few privilege APIs that
could be used to retrieve the user's privileges or ask if a user has
privileges to perform an action. To remove the leakage of roles from
these actions, the AuthorizationService and AuthorizationEngine gained
methods that enabled an AuthorizationEngine to return the response for
these APIs.

Ultimately this feature is the work included in: #37785, #37495, #37328, #36245, #38137, #38219

Closes #32435
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>feature :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC
Projects
None yet
Development

No branches or pull requests

4 participants