Do not fetch reserved roles from native store when Get Role API is called #121971
Conversation
…lled The reserved roles are already returned from the `ReservedRolesStore` in `TransportGetRolesAction`. There is no need to query and deserialize reserved roles from the `.security` index when Get Roles API is called.
slobodanadamovic
added
>enhancement
:Security/Authorization
|
Hi @slobodanadamovic, I've created a changelog YAML for you. |
elasticsearchmachine
added
the
serverless-linked
| Files.delete(rolesFile); | ||
| Files.copy(distributionDir.resolve("config").resolve("roles.yml"), rolesFile); | ||
| writeRolesFile(); | ||
| updateRolesFileAtomically(); |
There was a problem hiding this comment.
This is a fix for Serverless tests.
|
Pinging @elastic/es-security (Team:Security) |
| return; | ||
| } | ||
|
|
||
| final Set<String> rolesToGet = filterReservedRoleNames(names); |
There was a problem hiding this comment.
Filtering all roles here to avoid that reserved roles get resolved by NativeRolesStore. The getRoleDescriptors is called from accept method to resolve roles which are later used during authorization.
There was a problem hiding this comment.
Hmm I'm not sure that's necessary:
We remove already resolved roles out before handing off to the next resolver in the chain.
So if we are resolving e.g. viewer in stateful, it'll get returned by the reserved role store, and won't get checked by the native role store. Similarly, the file store will come first so any role that gets resolved there won't get resolved by the native role store.
We could make this an assertion here (i.e., no reserved roles ever make it to this point).
There was a problem hiding this comment.
Nice catch! I've missed the fact that resolved roles are removed. It makes sense to change it to an assertion.
There was a problem hiding this comment.
The filtering is still needed for Serverless, which was the main reason I've added it.
I've introduced it back in the TransportGetRolesAction. I think this is okay given that we already do filtering of reserved roles there. The main change is using the ReservedRoleNameChecker instead of ReservedRolesStore.
There was a problem hiding this comment.
Would you mind taking another look?
There was a problem hiding this comment.
Yikes, sorry about that. You're totally right -- we hit a different path when fetching by name. Adding the check sounds good to me. Taking a quick look now 👀
| import static org.elasticsearch.xcontent.XContentFactory.jsonBuilder; | ||
| import static org.hamcrest.Matchers.equalTo; | ||
|
|
||
| public class GetRolesIT extends SecurityInBasicRestTestCase { |
There was a problem hiding this comment.
I've added this integration test mostly for sanity check that GET _security/roles works as expected in Stateful and returns reserved roles as well.
n1v0lg
left a comment
n1v0lg
left a comment
There was a problem hiding this comment.
LGTM -- one suggestion around redundant code.
| return; | ||
| } | ||
|
|
||
| final Set<String> rolesToGet = filterReservedRoleNames(names); |
There was a problem hiding this comment.
Hmm I'm not sure that's necessary:
We remove already resolved roles out before handing off to the next resolver in the chain.
So if we are resolving e.g. viewer in stateful, it'll get returned by the reserved role store, and won't get checked by the native role store. Similarly, the file store will come first so any role that gets resolved there won't get resolved by the native role store.
We could make this an assertion here (i.e., no reserved roles ever make it to this point).
the native roles store should never be called to resolve reserved built-in roles
…r-reserved-roles-from-get-roles-api
| if (rd != null) { | ||
| reservedRoles.add(rd); | ||
| } else { | ||
| listener.onFailure(new IllegalStateException("unable to obtain reserved role [" + role + "]")); |
There was a problem hiding this comment.
We're getting rid of this branch because now reservedRoleNameChecker.isReserved(...) can also match on file-based roles in Serverless, right?
There was a problem hiding this comment.
That's correct. The failure makes sense as a sanity check when the ReservedRolesStore is the only source of reserved roles. This just is not the case in Serverless.
…lled (elastic#121971) The reserved roles are already returned from the `ReservedRolesStore` in `TransportGetRolesAction`. There is no need to query and deserialize reserved roles from the `.security` index just to be merged with "static" definitions.
…lled (elastic#121971) The reserved roles are already returned from the `ReservedRolesStore` in `TransportGetRolesAction`. There is no need to query and deserialize reserved roles from the `.security` index just to be merged with "static" definitions.
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
…lled (elastic#121971) The reserved roles are already returned from the `ReservedRolesStore` in `TransportGetRolesAction`. There is no need to query and deserialize reserved roles from the `.security` index just to be merged with "static" definitions. (cherry picked from commit 5c54c5f)
3 participants
The reserved roles are already returned directly from the
ReservedRolesStoreinTransportGetRolesAction.There is no need to query and deserialize reserved roles from the
.securityindex just to be merged with static definitions.