diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
index 85ce83baa373b..d643ea99ab638 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
@@ -70,6 +70,22 @@
* Authentication is serialized and travels across the cluster nodes as the sub-requests are handled,
* and can also be cached by long-running jobs that continue to act on behalf of the user, beyond
* the lifetime of the original request.
+ *
+ * The authentication consists of two {@link Subject}s
+ *
+ * - {@link #authenticatingSubject} performs the authentication, i.e. it provides a credential.
+ * - {@link #effectiveSubject} The subject that {@link #authenticatingSubject} impersonates ({@link #isRunAs()})
+ *
+ * If {@link #isRunAs()} is {@code false}, the two {@link Subject}s will be the same object.
+ *
+ * Authentication also has a {@link #type} that indicates which mechanism the {@link #authenticatingSubject}
+ * uses to perform the authentication.
+ *
+ * The Authentication's version is its {@link Subject}'s version, i.e. {@code getEffectiveSubject().getVersion()}.
+ * It is guaranteed that the versions are identical for the two Subjects. Hence {@code getAuthenticatingSubject().getVersion()}
+ * will give out the same result. But using {@code getEffectiveSubject()} is more idiomatic since most callers
+ * of this class should just need to know about the {@link #effectiveSubject}. That is, often times, the caller
+ * begins with {@code authentication.getEffectiveSubject()} for interrogating an Authentication object.
*/
public final class Authentication implements ToXContentObject {
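Review bot: The new class-level Javadoc relies on blank ` *` lines and `-` bullets for structure, but Javadoc is rendered as HTML, so the paragraphs collapse into one block and the two Subject bullets run together in the generated docs. Wrap the paragraphs in `<p>` and the list in `<ul>`, e.g. `* <ul><li>{@link #authenticatingSubject} performs the authentication, i.e. it provides a credential.</li>` and `* <li>{@link #effectiveSubject} the subject that {@link #authenticatingSubject} impersonates ({@link #isRunAs()})</li></ul>`. "often times" on the second-to-last line can simply read "often".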
@@ -167,22 +183,8 @@ public boolean isRunAs() {
return authenticatingSubject != effectiveSubject;
}
- /**
- * Get the realm where the effective user comes from.
- * The effective user is the es-security-runas-user if present or the authenticated user.
- *
- * Use {@code getEffectiveSubject().getRealm()} instead.
- */
- @Deprecated
- public RealmRef getSourceRealm() {
- // TODO: This code retains the existing behaviour which is slightly wrong because
- // when run-as lookup fails, the effectiveSubject will have a null realm. In this
- // case, the code returns the authenticatingSubject's realm. This is wrong in theory
- // because it is not the intention of this method. In practice, it does not matter
- // because failed lookup will be rejected at authZ time. But fixing it causes test
- // failures. So leave it for now.
- final RealmRef sourceRealm = effectiveSubject.getRealm();
- return sourceRealm == null ? authenticatingSubject.getRealm() : sourceRealm;
+ public boolean isFailedRunAs() {
+ return isRunAs() && effectiveSubject.getRealm() == null;
}
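Review bot: `isFailedRunAs()` is a new public method without Javadoc, whereas the `getSourceRealm()` it replaces was documented; since this predicate is what callers must consult before dereferencing `getEffectiveSubject().getRealm()`, the contract should be stated on the method. Suggested Javadoc: `Returns {@code true} if this is a run-as authentication whose run-as user lookup failed. In that case the effective subject has no realm, i.e. {@code getEffectiveSubject().getRealm()} is {@code null}.` The removed TODO's observation that a failed lookup is rejected at authorization time is worth carrying over into that Javadoc, because it is the reason the other callers in this commit treat the null realm as unreachable.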
/**
@@ -228,9 +230,6 @@ public Authentication maybeRewriteForOlderVersion(Version olderVersion) {
);
}
- if (isAssignedToDomain() && false == newAuthentication.isAssignedToDomain()) {
- logger.info("Rewriting authentication [" + this + "] without domain");
- }
return newAuthentication;
}
@@ -262,7 +261,6 @@ public Authentication runAs(User runAs, @Nullable RealmRef lookupRealmRef) {
public Authentication token() {
assert false == isServiceAccount();
final Authentication newTokenAuthentication = new Authentication(effectiveSubject, authenticatingSubject, AuthenticationType.TOKEN);
- assert Objects.equals(getDomain(), newTokenAuthentication.getDomain());
return newTokenAuthentication;
}
@@ -325,14 +323,15 @@ public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUs
}
}
+ // Package private for tests
/**
* Returns {@code true} if the effective user belongs to a realm under a domain.
- * See also {@link #getDomain()} and {@link #getSourceRealm()}.
*/
- public boolean isAssignedToDomain() {
+ boolean isAssignedToDomain() {
return getDomain() != null;
}
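Review bot: The `// Package private for tests` line comments (here and again at the `getDomain()` hunk below) sit above the Javadoc block rather than on the method, so a reader of the generated docs never sees why the visibility was reduced. Fold the reason into the Javadoc instead, e.g. `* Package private: production code should use {@code getEffectiveSubject().getRealm().getDomain()}; this is retained for tests.`, and drop the free-standing comment. With `{@link #getSourceRealm()}` removed from the description, a `@see #getDomain()` tag would restore the lost cross-reference.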
+ // Package private for tests
/**
* Returns the {@link RealmDomain} that the effective user belongs to.
* A user belongs to a realm which in turn belongs to a domain.
@@ -340,8 +339,12 @@ public boolean isAssignedToDomain() {
* The same username can be authenticated by different realms (e.g. with different credential types),
* but resources created across realms cannot be accessed unless the realms are also part of the same domain.
*/
- public @Nullable RealmDomain getDomain() {
- return getSourceRealm().getDomain();
+ @Nullable
+ RealmDomain getDomain() {
+ if (isFailedRunAs()) {
+ return null;
+ }
+ return getEffectiveSubject().getRealm().getDomain();
}
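Review bot: The Javadoc for `getDomain()` (it starts at the `Returns the {@link RealmDomain}` line above this hunk) still promises the domain the effective user belongs to, but the new guard returns `null` for a failed run-as, on top of the existing `null` when the realm is not under a domain. Add `@return the domain of the effective user's realm, or {@code null} if that realm is not assigned to a domain or if this is a failed run-as (see {@link #isFailedRunAs()})` so callers know both null cases. The early return itself is the right fail-closed choice compared to the removed fallback to the authenticating realm's domain.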
public boolean isAuthenticatedWithServiceAccount() {
@@ -861,6 +864,7 @@ public static Authentication newApiKeyAuthentication(AuthenticationResult
private static RealmRef maybeRewriteRealmRef(Version streamVersion, RealmRef realmRef) {
if (realmRef != null && realmRef.getDomain() != null && streamVersion.before(VERSION_REALM_DOMAINS)) {
+ logger.info("Rewriting realm [" + realmRef + "] without domain");
// security domain erasure
new RealmRef(realmRef.getName(), realmRef.getType(), realmRef.getNodeName(), null);
}
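Review bot: The new INFO message states that the realm is being rewritten without its domain, but the statement that follows it constructs the domain-less `RealmRef` and discards the result — it is neither assigned nor returned, and the method's return lies outside this hunk. If the method goes on to return `realmRef` unchanged, the domain is never erased for pre-`VERSION_REALM_DOMAINS` nodes and the log line is misleading; the fix is `return new RealmRef(realmRef.getName(), realmRef.getType(), realmRef.getNodeName(), null);`. Separately, this runs on every serialization towards an older node, so INFO is likely to be noisy; `logger.debug("Rewriting realm [{}] without domain", realmRef)` is the more appropriate level and avoids building the string when the level is disabled.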
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java
index 9368666019d7d..14b563fcc4780 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java
@@ -145,11 +145,11 @@ private static boolean checkIfUserIsOwnerOfApiKeys(
if (false == username.equals(authentication.getEffectiveSubject().getUser().principal())) {
return false;
}
- RealmDomain domain = authentication.getSourceRealm().getDomain();
+ RealmDomain domain = authentication.getEffectiveSubject().getRealm().getDomain();
if (domain != null) {
return domain.realms().stream().anyMatch(realmIdentifier -> realmName.equals(realmIdentifier.getName()));
} else {
- return realmName.equals(authentication.getSourceRealm().getName());
+ return realmName.equals(authentication.getEffectiveSubject().getRealm().getName());
}
}
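Review bot: `authentication.getEffectiveSubject().getRealm()` is dereferenced twice here with no null check, whereas the removed `getSourceRealm()` fell back to the authenticating realm when the run-as lookup had failed, so a failed run-as reaching this ownership check now throws a `NullPointerException` instead of being denied. The `FileOperatorUsersStore` hunk in this same commit guards exactly this case and returns `false`; this privilege check should do the same and read the realm once. The `TokenService` (`userTokenEffectiveRealm`) and `IndexServiceAccountTokenStore` (`effectiveSubject.getRealm()`) hunks dereference the effective realm the same way; if those paths can only be reached by an authentication that has already passed authorization, an `assert false == authentication.isFailedRunAs();` there would document that invariant rather than leave it implicit. `checkIfUserIsOwnerOfApiKeys` begins above this hunk.
```java
        final Authentication.RealmRef realm = authentication.getEffectiveSubject().getRealm();
        if (realm == null) {
            // a failed run-as has no effective realm and cannot own any API key
            return false;
        }
        final RealmDomain domain = realm.getDomain();
        if (domain != null) {
            return domain.realms().stream().anyMatch(realmIdentifier -> realmName.equals(realmIdentifier.getName()));
        } else {
            return realmName.equals(realm.getName());
        }
```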
}
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
index abfb0e5e61903..7971b7cd30de8 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
@@ -377,7 +377,12 @@ public Authentication build() {
return build(ESTestCase.randomBoolean());
}
- public Authentication build(boolean runAsIfNotAlready) {
+ /**
+ * @param maybeRunAsIfNotAlready If the authentication is *not* run-as and the subject is a realm user, it will be transformed
+ * into a run-as authentication by moving the realm user to be the run-as user. The authenticating
+ * subject can be either a realm user or an API key (in general any subject type that can run-as).
+ */
+ public Authentication build(boolean maybeRunAsIfNotAlready) {
if (authenticatingAuthentication != null) {
if (user == null) {
user = randomUser();
@@ -402,7 +407,7 @@ public Authentication build(boolean runAsIfNotAlready) {
realmRef = randomRealmRef(isRealmUnderDomain == null ? ESTestCase.randomBoolean() : isRealmUnderDomain);
}
assert false == SYNTHETIC_REALM_TYPES.contains(realmRef.getType()) : "use dedicate methods for synthetic realms";
- if (runAsIfNotAlready) {
+ if (maybeRunAsIfNotAlready) {
authentication = builder().runAs().user(user).realmRef(realmRef).build();
} else {
authentication = Authentication.newRealmAuthentication(user, realmRef);
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
index 8f8f82fc84d03..7ddc0f91c8b8f 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
@@ -40,28 +40,14 @@
public class AuthenticationTests extends ESTestCase {
- public void testWillGetLookedUpByWhenItExists() {
- final RealmRef authenticatedBy = new RealmRef("auth_by", "auth_by_type", "node");
- final RealmRef lookedUpBy = new RealmRef("lookup_by", "lookup_by_type", "node");
- final Authentication authentication = AuthenticationTestHelper.builder()
- .user(new User("not-user"))
- .realmRef(authenticatedBy)
- .runAs()
- .user(new User("user"))
- .realmRef(lookedUpBy)
- .build();
-
- assertEquals(lookedUpBy, authentication.getSourceRealm());
- }
-
- public void testWillGetAuthenticateByWhenLookupIsNull() {
- final RealmRef authenticatedBy = new RealmRef("auth_by", "auth_by_type", "node");
- final Authentication authentication = AuthenticationTestHelper.builder()
- .user(new User("user"))
- .realmRef(authenticatedBy)
- .build(false);
-
- assertEquals(authenticatedBy, authentication.getSourceRealm());
+ public void testIsFailedRunAs() {
+ final Authentication failedAuthentication = randomRealmAuthentication(randomBoolean()).runAs(randomUser(), null);
+ assertTrue(failedAuthentication.isRunAs());
+ assertTrue(failedAuthentication.isFailedRunAs());
+
+ final Authentication authentication = AuthenticationTestHelper.builder().realm().runAs().build();
+ assertTrue(authentication.isRunAs());
+ assertFalse(authentication.isFailedRunAs());
}
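Review bot: `testIsFailedRunAs` covers the failed and the successful run-as cases but not the plain non-run-as authentication, which is the branch where the `isRunAs() &&` short-circuit alone makes the result `false`. Add `assertFalse(randomRealmAuthentication(randomBoolean()).isFailedRunAs());` so a future change to the predicate that drops the run-as check is caught. The two removed tests pinned the `getSourceRealm()` fallback behaviour; nothing now asserts that `getEffectiveSubject().getRealm()` is `null` for the failed case, so `assertNull(failedAuthentication.getEffectiveSubject().getRealm());` would make the new test self-contained.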
public void testCanAccessResourcesOf() {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
index e18a8a6ea011c..4fda6d853229f 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
@@ -1748,7 +1748,11 @@ public static String getCreatorRealmName(final Authentication authentication) {
} else {
// TODO we should use the effective subject realm here but need to handle the failed lookup scenario, in which the realm may be
// `null`. Since this method is used in audit logging, this requires some care.
- return authentication.getSourceRealm().getName();
+ if (authentication.isFailedRunAs()) {
+ return authentication.getAuthenticatingSubject().getRealm().getName();
+ } else {
+ return authentication.getEffectiveSubject().getRealm().getName();
+ }
}
}
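Review bot: The TODO kept as context above the new branch ("we should use the effective subject realm here but need to handle the failed lookup scenario") is now stale, because the added `isFailedRunAs()` branch is exactly that handling; the same stale TODO sits above the identical branch in `getCreatorRealmType` in the next hunk. Both methods now duplicate the same realm-selection logic, so extract it into one private helper and replace the two four-line branches with `return getCreatorRealmRef(authentication).getName();` and `return getCreatorRealmRef(authentication).getType();`. The helper's comment can carry the audit-logging rationale that the TODO was trying to express. Both enclosing methods begin above their hunks.
```java
    // Realm to report as the API key creator. A failed run-as has no effective realm, so audit records
    // fall back to the realm that actually authenticated; everything else reports the effective subject's realm.
    private static Authentication.RealmRef getCreatorRealmRef(final Authentication authentication) {
        return authentication.isFailedRunAs()
            ? authentication.getAuthenticatingSubject().getRealm()
            : authentication.getEffectiveSubject().getRealm();
    }
```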
@@ -1791,7 +1795,11 @@ public static String getCreatorRealmType(final Authentication authentication) {
} else {
// TODO we should use the effective subject realm here but need to handle the failed lookup scenario, in which the realm may be
// `null`. Since this method is used in audit logging, this requires some care.
- return authentication.getSourceRealm().getType();
+ if (authentication.isFailedRunAs()) {
+ return authentication.getAuthenticatingSubject().getRealm().getType();
+ } else {
+ return authentication.getEffectiveSubject().getRealm().getType();
+ }
}
}
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
index 993dd666702bf..2488c9b120344 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -1805,12 +1805,13 @@ static BytesReference createTokenDocument(
}
builder.endObject().endObject();
}
+ final Authentication.RealmRef userTokenEffectiveRealm = userToken.getAuthentication().getEffectiveSubject().getRealm();
builder.startObject("access_token")
.field("invalidated", false)
.field("user_token", userToken)
- .field("realm", userToken.getAuthentication().getSourceRealm().getName());
- if (userToken.getAuthentication().getSourceRealm().getDomain() != null) {
- builder.field("realm_domain", userToken.getAuthentication().getSourceRealm().getDomain());
+ .field("realm", userTokenEffectiveRealm.getName());
+ if (userTokenEffectiveRealm.getDomain() != null) {
+ builder.field("realm_domain", userTokenEffectiveRealm.getDomain());
}
builder.endObject().endObject();
return BytesReference.bytes(builder);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.java
index 134931160c2f8..36a0b7667a7a5 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.java
@@ -47,6 +47,7 @@
import org.elasticsearch.xpack.core.security.action.service.TokenInfo;
import org.elasticsearch.xpack.core.security.action.service.TokenInfo.TokenSource;
import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.service.ServiceAccount.ServiceAccountId;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountToken.ServiceAccountTokenId;
@@ -269,15 +270,16 @@ private XContentBuilder newDocument(Authentication authentication, ServiceAccoun
.field("creation_time", clock.instant().toEpochMilli())
.field("enabled", true);
{
+ final Subject effectiveSubject = authentication.getEffectiveSubject();
builder.startObject("creator")
- .field("principal", authentication.getEffectiveSubject().getUser().principal())
- .field("full_name", authentication.getEffectiveSubject().getUser().fullName())
- .field("email", authentication.getEffectiveSubject().getUser().email())
- .field("metadata", authentication.getEffectiveSubject().getUser().metadata())
- .field("realm", authentication.getSourceRealm().getName())
- .field("realm_type", authentication.getSourceRealm().getType());
- if (authentication.getSourceRealm().getDomain() != null) {
- builder.field("realm_domain", authentication.getSourceRealm().getDomain());
+ .field("principal", effectiveSubject.getUser().principal())
+ .field("full_name", effectiveSubject.getUser().fullName())
+ .field("email", effectiveSubject.getUser().email())
+ .field("metadata", effectiveSubject.getUser().metadata())
+ .field("realm", effectiveSubject.getRealm().getName())
+ .field("realm_type", effectiveSubject.getRealm().getType());
+ if (effectiveSubject.getRealm().getDomain() != null) {
+ builder.field("realm_domain", effectiveSubject.getRealm().getDomain());
}
builder.endObject();
}
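Review bot: `effectiveSubject.getRealm()` is called three times in the builder chain and the `if`, while the `TokenService` hunk in this same commit hoists the realm into a single local; doing the same here keeps the two document builders consistent and makes the place where a null realm would fail visible on one line. Add `final Authentication.RealmRef realm = effectiveSubject.getRealm();` next to the new `effectiveSubject` local and use `realm.getName()`, `realm.getType()` and `realm.getDomain()` below it. `newDocument` begins above this hunk.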
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java
index c65f75b1deb80..ee3496b91aff5 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java
@@ -68,8 +68,11 @@ public boolean isOperatorUser(Authentication authentication) {
// If not null, it will be compared exactly as well.
// The special handling for realm name is because there can only be one file or native realm and it does
// not matter what the name is.
+ final Authentication.RealmRef realm = authentication.getEffectiveSubject().getRealm();
+ if (realm == null) {
+ return false;
+ }
return operatorUsersDescriptor.groups.stream().anyMatch(group -> {
- final Authentication.RealmRef realm = authentication.getSourceRealm();
final boolean match = group.usernames.contains(authentication.getEffectiveSubject().getUser().principal())
&& group.authenticationType == authentication.getAuthenticationType()
&& realm.getType().equals(group.realmType)
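Review bot: The new null guard is the right fail-closed behaviour but has no comment, while every other rule in `isOperatorUser` is explained in the comment block just above it, so a reader has no hint when the effective realm can be absent. Add `// a failed run-as (see Authentication#isFailedRunAs) has no effective realm; such an authentication is never an operator user` above the `if`. Checking the realm for `null` directly, rather than calling `isFailedRunAs()`, is preferable here since it denies operator status for any reason the realm is missing. `isOperatorUser` begins above and continues below this hunk.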
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
index e458d4ef7666e..fcd6601360a96 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@@ -2019,7 +2019,7 @@ public void testAccessGrantedInternalSystemAction() throws Exception {
.put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "access_granted")
.put(LoggingAuditTrail.AUTHENTICATION_TYPE_FIELD_NAME, authentication.getAuthenticationType().toString())
.put(LoggingAuditTrail.PRINCIPAL_FIELD_NAME, systemUser.principal())
- .put(LoggingAuditTrail.PRINCIPAL_REALM_FIELD_NAME, authentication.getSourceRealm().getName())
+ .put(LoggingAuditTrail.PRINCIPAL_REALM_FIELD_NAME, authentication.getEffectiveSubject().getRealm().getName())
.put(LoggingAuditTrail.ACTION_FIELD_NAME, "internal:_action")
.put(LoggingAuditTrail.REQUEST_NAME_FIELD_NAME, request.getClass().getSimpleName())
.put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
index a9c7b14afa6e1..b7a1cfd05d5ae 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
@@ -1512,8 +1512,8 @@ public void testGetCreatorRealm() {
// Realm
final Authentication authentication3 = AuthenticationTests.randomRealmAuthentication(randomBoolean());
- assertThat(ApiKeyService.getCreatorRealmName(authentication3), equalTo(authentication3.getSourceRealm().getName()));
- assertThat(ApiKeyService.getCreatorRealmType(authentication3), equalTo(authentication3.getSourceRealm().getType()));
+ assertThat(ApiKeyService.getCreatorRealmName(authentication3), equalTo(authentication3.getEffectiveSubject().getRealm().getName()));
+ assertThat(ApiKeyService.getCreatorRealmType(authentication3), equalTo(authentication3.getEffectiveSubject().getRealm().getType()));
// Realm run-as
final Authentication authentication4 = authentication3.runAs(AuthenticationTests.randomUser(), lookupRealmRef);
@@ -1526,8 +1526,19 @@ public void testGetCreatorRealm() {
AuthenticationTests.randomAnonymousAuthentication(),
AuthenticationTests.randomInternalAuthentication()
);
- assertThat(ApiKeyService.getCreatorRealmName(authentication5), equalTo(authentication5.getSourceRealm().getName()));
- assertThat(ApiKeyService.getCreatorRealmType(authentication5), equalTo(authentication5.getSourceRealm().getType()));
+ assertThat(ApiKeyService.getCreatorRealmName(authentication5), equalTo(authentication5.getEffectiveSubject().getRealm().getName()));
+ assertThat(ApiKeyService.getCreatorRealmType(authentication5), equalTo(authentication5.getEffectiveSubject().getRealm().getType()));
+
+ // Failed run-as returns authenticating subject's realm
+ final Authentication authentication6 = authentication3.runAs(AuthenticationTests.randomUser(), null);
+ assertThat(
+ ApiKeyService.getCreatorRealmName(authentication6),
+ equalTo(authentication6.getAuthenticatingSubject().getRealm().getName())
+ );
+ assertThat(
+ ApiKeyService.getCreatorRealmType(authentication6),
+ equalTo(authentication6.getAuthenticatingSubject().getRealm().getType())
+ );
}
public void testGetOwnersRealmNames() {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
index fdc2a613c8ad9..ac604fb7a5ead 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
@@ -388,7 +388,7 @@ public void testTokenFirstMissingSecondFound() throws Exception {
service.authenticate("action", transportRequest, true, ActionListener.wrap(authentication -> {
assertThat(threadContext.getTransient(AuthenticationResult.THREAD_CONTEXT_KEY), is(authenticationResult));
assertThat(threadContext.getTransient(AuthenticationField.AUTHENTICATION_KEY), is(authentication));
- assertThat(authentication.getDomain(), is(secondDomain));
+ assertThat(authentication.getEffectiveSubject().getRealm().getDomain(), is(secondDomain));
verify(auditTrail).authenticationSuccess(anyString(), eq(authentication), eq("action"), eq(transportRequest));
setCompletedToTrue(completed);
}, this::logAndFail));
@@ -992,7 +992,7 @@ public void testAuthenticateTransportContextAndHeader() throws Exception {
assertThat(authentication, notNullValue());
assertThat(authentication.getEffectiveSubject().getUser(), sameInstance(user1));
assertThat(authentication.getAuthenticationType(), is(AuthenticationType.REALM));
- assertThat(authentication.getDomain(), is(firstDomain));
+ assertThat(authentication.getEffectiveSubject().getRealm().getDomain(), is(firstDomain));
assertThreadContextContainsAuthentication(authentication);
authRef.set(authentication);
authHeaderRef.set(threadContext.getHeader(AuthenticationField.AUTHENTICATION_KEY));
@@ -1270,7 +1270,7 @@ public void testAnonymousUserRest() throws Exception {
assertThat(result, notNullValue());
assertThat(result.v1().getEffectiveSubject().getUser(), sameInstance((Object) anonymousUser));
assertThat(result.v1().getAuthenticationType(), is(AuthenticationType.ANONYMOUS));
- assertThat(result.v1().getDomain(), nullValue());
+ assertThat(result.v1().getEffectiveSubject().getRealm().getDomain(), nullValue());
assertThreadContextContainsAuthentication(result.v1());
assertThat(expectAuditRequestId(threadContext), is(result.v2()));
verify(auditTrail).authenticationSuccess(result.v2(), result.v1(), request);
@@ -1345,7 +1345,7 @@ public void testAnonymousUserTransportNoDefaultUser() throws Exception {
assertThat(expectAuditRequestId(threadContext), is(result.v2()));
assertThat(result.v1().getEffectiveSubject().getUser(), sameInstance(anonymousUser));
assertThat(result.v1().getAuthenticationType(), is(AuthenticationType.ANONYMOUS));
- assertThat(result.v1().getDomain(), nullValue());
+ assertThat(result.v1().getEffectiveSubject().getRealm().getDomain(), nullValue());
assertThreadContextContainsAuthentication(result.v1());
verify(operatorPrivilegesService).maybeMarkOperatorUser(eq(result.v1()), eq(threadContext));
});
@@ -1382,7 +1382,7 @@ public void testAnonymousUserTransportWithDefaultUser() throws Exception {
assertThat(expectAuditRequestId(threadContext), is(result.v2()));
assertThat(result.v1().getEffectiveSubject().getUser(), sameInstance(SystemUser.INSTANCE));
assertThat(result.v1().getAuthenticationType(), is(AuthenticationType.INTERNAL));
- assertThat(result.v1().getDomain(), nullValue());
+ assertThat(result.v1().getEffectiveSubject().getRealm().getDomain(), nullValue());
assertThreadContextContainsAuthentication(result.v1());
verify(operatorPrivilegesService).maybeMarkOperatorUser(eq(result.v1()), eq(threadContext));
});
@@ -2133,7 +2133,7 @@ public void testApiKeyAuth() {
assertThat(result.v1().getEffectiveSubject().getUser().fullName(), is("john doe"));
assertThat(result.v1().getEffectiveSubject().getUser().email(), is("john@doe.com"));
assertThat(result.v1().getAuthenticationType(), is(AuthenticationType.API_KEY));
- assertThat(result.v1().getDomain(), nullValue());
+ assertThat(result.v1().getEffectiveSubject().getRealm().getDomain(), nullValue());
verify(operatorPrivilegesService).maybeMarkOperatorUser(eq(result.v1()), eq(threadContext));
});
}
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStoreTests.java
index cb4279f15316d..f536a696a8e23 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStoreTests.java
@@ -218,8 +218,8 @@ public void testCreateToken() throws ExecutionException, InterruptedException {
assertThat(creatorMap.get("full_name"), equalTo(authentication.getEffectiveSubject().getUser().fullName()));
assertThat(creatorMap.get("email"), equalTo(authentication.getEffectiveSubject().getUser().email()));
assertThat(creatorMap.get("metadata"), equalTo(authentication.getEffectiveSubject().getUser().metadata()));
- assertThat(creatorMap.get("realm"), equalTo(authentication.getSourceRealm().getName()));
- assertThat(creatorMap.get("realm_type"), equalTo(authentication.getSourceRealm().getType()));
+ assertThat(creatorMap.get("realm"), equalTo(authentication.getEffectiveSubject().getRealm().getName()));
+ assertThat(creatorMap.get("realm_type"), equalTo(authentication.getEffectiveSubject().getRealm().getType()));
final CreateServiceAccountTokenResponse createServiceAccountTokenResponse1 = future1.get();
assertNotNull(createServiceAccountTokenResponse1);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilderTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilderTests.java
index 73393beaae50b..d7f994d7499fe 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilderTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilderTests.java
@@ -73,10 +73,15 @@ public void testQueryForDomainAuthentication() {
apiKeysQuery.filter().get(1),
is(QueryBuilders.termQuery("creator.principal", authentication.getEffectiveSubject().getUser().principal()))
);
- if (authentication.getDomain().realms().size() == 1) {
+ if (authentication.getEffectiveSubject().getRealm().getDomain().realms().size() == 1) {
assertThat(
apiKeysQuery.filter().get(2),
- is(QueryBuilders.termQuery("creator.realm", authentication.getDomain().realms().stream().findFirst().get().getName()))
+ is(
+ QueryBuilders.termQuery(
+ "creator.realm",
+ authentication.getEffectiveSubject().getRealm().getDomain().realms().stream().findFirst().get().getName()
+ )
+ )
);
} else {
assertThat(apiKeysQuery.filter().get(2), instanceOf(BoolQueryBuilder.class));
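Review bot: `authentication.getEffectiveSubject().getRealm().getDomain()` is now spelled out three times in this hunk and once more in the next one (the `for` over `realms()`), which is what forced the `termQuery` call to be broken across five lines. Hoist it once at the top of the test, `final RealmDomain domain = authentication.getEffectiveSubject().getRealm().getDomain();` (or `final var domain = ...` if `RealmDomain` is not imported here), and the assertions return to single lines. `testQueryForDomainAuthentication` begins above this hunk.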
@@ -84,7 +89,7 @@ public void testQueryForDomainAuthentication() {
assertThat(((BoolQueryBuilder) apiKeysQuery.filter().get(2)).mustNot().size(), is(0));
assertThat(((BoolQueryBuilder) apiKeysQuery.filter().get(2)).filter().size(), is(0));
assertThat(((BoolQueryBuilder) apiKeysQuery.filter().get(2)).minimumShouldMatch(), is("1"));
- for (RealmConfig.RealmIdentifier realmIdentifier : authentication.getDomain().realms()) {
+ for (RealmConfig.RealmIdentifier realmIdentifier : authentication.getEffectiveSubject().getRealm().getDomain().realms()) {
assertThat(
((BoolQueryBuilder) apiKeysQuery.filter().get(2)).should(),
hasItem(QueryBuilders.termQuery("creator.realm", realmIdentifier.getName()))