Make reserved built-in roles queryable #117581
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| this.reservedRolesSupplier = CachedSupplier.wrap(() -> { | ||
| final Collection<RoleDescriptor> roleDescriptors = ReservedRolesStore.roleDescriptors(); | ||
| return new QueryableBuiltInRoles( | ||
| roleDescriptors.stream().collect(Collectors.toMap(RoleDescriptor::getName, QueryableBuiltInRolesUtils::calculateHash)), |
There was a problem hiding this comment.
Calculating hash per role, so we can optimize the update and only update the roles whose definition have actually changed.
| final String roleDigest = roles.rolesDigest().get(role.getName()); | ||
| if (indexedRolesDigests == null || indexedRolesDigests.containsKey(role.getName()) == false) { | ||
| rolesToUpsert.add(role); | ||
| } else if (indexedRolesDigests.get(role.getName()).equals(roleDigest) == false) { |
There was a problem hiding this comment.
We want to update only the roles whose definition (digest) changed. On average this will be one or two roles per release.
…able-built-in-roles
…able-built-in-roles
…able-built-in-roles
slobodanadamovic
commented
Dec 3, 2024
|
|
||
| @Override | ||
| public void addListener(QueryableBuiltInRoles.Listener listener) { | ||
| // no-op: reserved roles are static and do not change |
There was a problem hiding this comment.
The reserved roles do not change dynamically.
slobodanadamovic
commented
Dec 3, 2024
| @@ -189,9 +190,9 @@ public RoleDescriptor( | |||
| this.indicesPrivileges = indicesPrivileges != null ? indicesPrivileges : IndicesPrivileges.NONE; | |||
| this.applicationPrivileges = applicationPrivileges != null ? applicationPrivileges : ApplicationResourcePrivileges.NONE; | |||
| this.runAs = runAs != null ? runAs : Strings.EMPTY_ARRAY; | |||
| this.metadata = metadata != null ? Collections.unmodifiableMap(metadata) : Collections.emptyMap(); | |||
| this.metadata = metadata != null ? Collections.unmodifiableMap(new TreeMap<>(metadata)) : Collections.emptyMap(); | |||
There was a problem hiding this comment.
Using ordered TreeMap here to produce consistent hash.
There was a problem hiding this comment.
Good catch! Just in case you've considered the same thing: instead of imposing this constraint here, I wonder if it makes sense to confine it to QueryableBuiltInRolesUtils by copying the role descriptor. That would avoid data copying on each role descriptor creation. Just a thought though, good to leave as is.
There was a problem hiding this comment.
I was thinking of a similar(ish) approach: serialize to JSON, flatten all properties, sort them and then hash strings. This way I would avoid imposing any order in the constructor or during parsing of roles, but rather during hashing. Also, we would avoid copying role descriptors (not really true as we would copy a json map) and sorting would be confined in QueryableBuiltInRolesUtils. LMWYT
There was a problem hiding this comment.
This could look something like this:
public static String calculateHash(final RoleDescriptor roleDescriptor) {
final MessageDigest hash = MessageDigests.sha256();
try (XContentBuilder jsonBuilder = XContentFactory.jsonBuilder()) {
roleDescriptor.toXContent(jsonBuilder, EMPTY_PARAMS);
final Map<String, Object> flattenMap = Maps.flatten(
XContentHelper.convertToMap(BytesReference.bytes(jsonBuilder), /*ordered*/ true, XContentType.JSON).v2(),
true, // flattenArrays
true // ordered
);
hash.update(flattenMap.toString().getBytes(StandardCharsets.UTF_8));
} catch (IOException e) {
throw new IllegalStateException("failed to compute role digest of [" + roleDescriptor.getName() +"] role", e);
}
// HEX vs Base64 encoding is a trade-off between readability and space efficiency
// opting for Base64 here to reduce the size of the cluster state
return Base64.getEncoder().encodeToString(hash.digest());
}Edit: I pushed the change 70181d6. I think this is a better approach as it should be future proof in case we add new map properties.
slobodanadamovic
commented
Dec 3, 2024
...y/src/main/java/org/elasticsearch/xpack/security/authz/store/QueryableBuiltInRolesStore.java
Outdated
Show resolved
Hide resolved
slobodanadamovic
commented
Dec 3, 2024
...urity/src/main/java/org/elasticsearch/xpack/security/support/FeatureNotEnabledException.java
Show resolved
Hide resolved
slobodanadamovic
commented
Dec 3, 2024
| import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore; | ||
| import org.elasticsearch.xpack.security.authz.store.FileRolesStore; | ||
|
|
||
| public interface QueryableBuiltInRolesProviderFactory { |
There was a problem hiding this comment.
Need to go with the factory approach in order to be able to inject different QueryableBuiltInRoles.Provider implementations.
…able-built-in-roles-tracked
n1v0lg
approved these changes
Dec 16, 2024
...in/security/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java
Outdated
Show resolved
Hide resolved
...rc/main/java/org/elasticsearch/xpack/security/support/QueryableBuiltInRolesSynchronizer.java
Outdated
Show resolved
Hide resolved
...urity/src/main/java/org/elasticsearch/xpack/security/support/QueryableBuiltInRolesUtils.java
Show resolved
Hide resolved
...y-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/QueryableReservedRolesIT.java
Show resolved
Hide resolved
.../src/test/java/org/elasticsearch/xpack/security/support/QueryableBuiltInRolesUtilsTests.java
Show resolved
Hide resolved
💔 Backport failed
You can use sqren/backport to manually backport by running |
slobodanadamovic
added a commit
that referenced
this pull request
Jan 27, 2025
Making the `es.queryable_built_in_roles_enabled` feature flag enabled by default. This feature makes the built-in roles automatically indexed in `.security` index and available for querying via Query Role API. The consequence of this is that `.security` index is now created eagerly (if it's not existing) on cluster formation. In order to keep the scope of this PR small, the feature is disabled for some of the tests, because they are either non-trivial to adjust or the gain is not worthy the effort to do it now. The tests will be adjusted in a follow-up PR and later the flag will be removed completely. Relates to #117581
slobodanadamovic
added a commit
to slobodanadamovic/elasticsearch
that referenced
this pull request
Jan 27, 2025
Making the `es.queryable_built_in_roles_enabled` feature flag enabled by default. This feature makes the built-in roles automatically indexed in `.security` index and available for querying via Query Role API. The consequence of this is that `.security` index is now created eagerly (if it's not existing) on cluster formation. In order to keep the scope of this PR small, the feature is disabled for some of the tests, because they are either non-trivial to adjust or the gain is not worthy the effort to do it now. The tests will be adjusted in a follow-up PR and later the flag will be removed completely. Relates to elastic#117581 (cherry picked from commit 52e0f21) # Conflicts: # modules/dot-prefix-validation/build.gradle # test/framework/src/main/java/org/elasticsearch/test/InternalTestCluster.java # x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmElasticAutoconfigIntegTests.java
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jan 27, 2025
…120886) * Enable queryable built-in roles feature by default (#120323) Making the `es.queryable_built_in_roles_enabled` feature flag enabled by default. This feature makes the built-in roles automatically indexed in `.security` index and available for querying via Query Role API. The consequence of this is that `.security` index is now created eagerly (if it's not existing) on cluster formation. In order to keep the scope of this PR small, the feature is disabled for some of the tests, because they are either non-trivial to adjust or the gain is not worthy the effort to do it now. The tests will be adjusted in a follow-up PR and later the flag will be removed completely. Relates to #117581 (cherry picked from commit 52e0f21) # Conflicts: # modules/dot-prefix-validation/build.gradle # test/framework/src/main/java/org/elasticsearch/test/InternalTestCluster.java # x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmElasticAutoconfigIntegTests.java * Update InternalTestCluster.java remove line snuck after resolving merge confilcs * Update build.gradle fix build.gradle * Update build.gradle fix build.gradle by removing invalid task * remove non-existing timeout parameter on 8.x branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR makes reserved built-in roles queryable via Query Role API by indexing them into the
.securityindex.Currently, the built-in roles were only available via Get Role API.
The built-in roles are synced into the
.securityindex on cluster recovery. The.securityindex will be created (if it's not existing) before built-in roles are synced. In order to avoid concurrent updates, the built-in roles will only be synced by a master node.Once the built-in roles are synced, the information about indexed roles is kept in the cluster state as part of the
.securityindex's metadata. The map containing role names and their digests is persisted as part ofqueryable_built_in_roles_digestproperty:Important: The reserved roles stored in the
.securityindex are only intended to be used for querying and retrieving. The role resolution and mapping during authentication will remain the same and give a priority to static/file role definitions. This is ensured by the order in which role providers (built-in, file and native) are invoked. It’s important to note this because there can be a short period of time where we have a temporary inconsistency between actual built-in role definitions and what is stored in the.securityindex.Note: The functionality is temporarily hidden behind the
es.queryable_built_in_roles_enabledsystem property. By default, the flag is disabled and will become enabled in a followup PR. The reason for this is to keep this PR as small as possible and to avoid the need to adjust a large number of tests that don't expect.securityindex to exist.Testing:
To run and test locally execute
./gradlew run -Dtests.jvm.argline="-Des.queryable_built_in_roles_enabled=true".To query all reserved built-in roles execute: