[WIP] OIDC Realm JWT+JWS related functionality #37272
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Added Realm settings - Added RP/OP configuration classes - Added realm configuration tests - Completed the Prepare Auethentication API
Being an RP, we won't need to create JWTs but this will be useful for testing
- Reworked builder - Added parser that deserializes and parses a JWT TODO: Signature validation
- Added support to PemUtils for reading public keys from files - Added support for converting signatures from DER to JWS and vice versa - Added tests
jkakavas
added
>feature
v7.0.0
:Security/Authentication
|
Pinging @elastic/es-security |
|
Why aren't we using https://connect2id.com/products/nimbus-jose-jwt I noticed it is already pulled in as a transitive dependency prob for kerberos |
To be honest, I don't have a perfectly valid excuse. I didn't come across it in the beginning when looking through candidate libraries and as such evaluated only jjwt which lacks support for JDK9+ and java-jwt whis is only tested with java 8. Also, we have been traditionally reluctant to bringing in dependencies and the scope of this work seemed to be just not large enough to justify the effort. Finally, there will not be any need to implement cryptographic primitives here, so I evaluated the risk of a significant implementation error to be low enough. Still, I will not object too much if we feel like
We use it as a test dependency only, for Kerberos tests, we don't ship it with Elasticsearch. |
…ic#37523) Adding the migration guide and removing the deprecated in 6.x constructor relates elastic#35560 relates elastic#34488
* SQL: Rename SQL data type DATE to DATETIME SQL data type DATE has only the date part (e.g.: 2019-01-14) without any time information. Previously the SQL type DATE was referring to the ES DATE which contains also the time part along with TZ information. To conform with SQL data types the data type `DATE` is renamed to `DATETIME`, since it includes also the time, as a new runtime SQL `DATE` data type will be introduced down the road, which only contains the date part and meets the SQL standard. Closes: elastic#36440 * Address comments
Some tests (e.g. testRestoreIndexWithShardsMissingInLocalGateway) were split-braining since being switched to Zen2 because the bootstrap setting was left around when nodes got restarted with data folders wiped. The test in question here was starting one node (which autobootstrapped to that single node), then another node. The first node was then shut down (after excluding it from the voting configuration), its data folder wiped, and restarted. After restart, the node had an empty data folder yet initial_master_nodes set to itself (i.e. same name). This made the node sometimes form a cluster of its own, and not rejoin the existing cluster with the other node.
* Add ccr follow info api This api returns all follower indices and per follower index the provided parameters at put follow / resume follow time and whether index following is paused or active. Closes elastic#37127 * iter * [DOCS] Edits the get follower info API * [DOCS] Fixes link to remote cluster * [DOCS] Clarifies descriptions for configured parameters
This adds deprecation to _type in the script contexts for ingest and update. This adds a DeprecationMap that wraps the ctx Map containing _type for these specific contexts.
Fixes ``./gradlew eclipse` failure introduced in 6d99e79
Throws an exception if hit extractor tries to retrieve unsupported
object. For example, selecting "a" from `{"a": {"b": "c"}}` now throws
an exception instead of returning null.
Relates to elastic#37364
This commit updates the contribution docs to include java11 as a requirement for building and testing Elasticsearch.
This change fixes the setup of the SSL configuration for the test openldap realm. The configuration was missing the realm identifier so the SSL settings being used were just the default JDK ones that do not trust the certificate of the idp fixture. See elastic#37591
This commit updates the file docker's entrypoint script looks for when deciding to process the ELASTIC_PASSWORD env var. The x-pack subdir of bin no longer exists in 7.0, where the backcompat layer for x-pack script locations was removed. closes elastic#37240
This change adds the unfollow action for CCR follower indices. This is needed for the shrink action in case an index is a follower index. This will give the follower index the opportunity to fully catch up with the leader index, pause index following and unfollow the leader index. After this the shrink action can safely perform the ilm shrink. The unfollow action needs to be added to the hot phase and acts as barrier for going to the next phase (warm or delete phases), so that follower indices are being unfollowed properly before indices are expected to go in read-only mode. This allows the force merge action to execute its steps safely. The unfollow action has three steps: * `wait-for-indexing-complete` step: waits for the index in question to get the `index.lifecycle.indexing_complete` setting be set to `true` * `wait-for-follow-shard-tasks` step: waits for all the shard follow tasks for the index being handled to report that the leader shard global checkpoint is equal to the follower shard global checkpoint. * `pause-follower-index` step: Pauses index following, necessary to unfollow * `close-follower-index` step: Closes the index, necessary to unfollow * `unfollow-follower-index` step: Actually unfollows the index using the CCR Unfollow API * `open-follower-index` step: Reopens the index now that it is a normal index * `wait-for-yellow` step: Waits for primary shards to be allocated after reopening the index to ensure the index is ready for the next step In the case of the last two steps, if the index in being handled is a regular index then the steps acts as a no-op. Relates to elastic#34648 Co-authored-by: Martijn van Groningen <martijn.v.groningen@gmail.com> Co-authored-by: Gordon Brown <gordon.brown@elastic.co>
From elastic#29453 and elastic#37285, the `include_type_name` parameter was already present and defaulted to false. This PR makes the following updates: - Add deprecation warnings to `RestPutMappingAction`, plus tests in `RestPutMappingActionTests`. - Add a typeless 'put mappings' method to the Java HLRC, and deprecate the old typed version. To do this cleanly, I opted to create a new `PutMappingRequest` object that differs from the existing server one.
…37483) * ML: creating ML State write alias and pointing writes there * Moving alias check to openJob method * adjusting concrete index lookup for ml-state
Single bucket aggs are now supported in datafeed aggregation configurations.
* Remove obsolete deprecation checks This also updates the old-indices check to be appropriate for the 7.x series of releases, and leaves it as the only deprecation check in place. * Add toString to DeprecationIssue * Bring filterChecks across from 6.x * License headers
To make further refactoring of GeoGrid aggregations easier (related: elastic#30320), splitting out these inner class dependencies into their own files makes it easier to map the relationship between classes
This commit optimizes some of the performance issues from using deprecation logging: - we optimize encoding the deprecation value - we optimize formatting the deprecation string - we optimize away getting the current time (by using cached startup time)
This is related to elastic#35975. This commit adds timeout functionality to the local session on a leader node. When a session is started, a timeout is scheduled using a repeatable runnable. If the session is not accessed in between two runs the session is closed. When the sssion is closed, the repeating task is cancelled. Additionally, this commit moves session uuid generation to the leader cluster. And renames the PutCcrRestoreSessionRequest to StartCcrRestoreSessionRequest to reflect that change.
Currently we add the CcrRestoreSourceService as a index event listener. However, if ccr is disabled, this service is null and we attempt to add a null listener throwing an exception. This commit only adds the listener if ccr is enabled.
The subparser in get users allows for unknown fields. This commit sets the value to true for the parser and modifies the test such that it accurately tests it. Relates elastic#36938
With the release of 11.0.2, the old URLs no longer work. This exposed a few small bugs in the gradle config. One was that --no-cache was not present in the docker build command, so it was not failing at first. Then once only the ext.expansions was changed and the docker build task was not, it was not executing it.
The ML subproject of xpack has a cache for the cpp artifact snapshots which is checked on each build. The cache is outside of the build dir so that it is not wiped on a typical clean, as the artifacts can be large and do not change often. This commit adds a cleanCache task which will wipe the cache dir, as over time the size of the directory can become bloated.
Removes all sensitive settings (passwords, auth tokens, urls, etc...) for watcher notifications accounts. These settings were deprecated (and herein removed) in favor of their secure sibling that is set inside the elasticsearch keystore. For example: `xpack.notification.email.account.<id>.smtp.password` is no longer a valid setting, and it is replaced by `xpack.notification.email.account.<id>.smtp.secure_password`
jkakavas
changed the title
This commit adds
* An OpenID Connect Realm definition
* Necessary OpenID Connect Realm settings to support Authorization code
grant and Implicit grant flows
* Rest and Transport Action and Request/Response objects for initiating and
completing the authentication flow
* Functionality for generating OIDC Authentication Request URIs Unit tests
Notably missing (to be handled in subsequent PRs):
* The actual implementation of the authentication flows
* Necessary JW{T,S,E} functionality
Relates: elastic#35339
|
Closing in favor of #37787 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is smaller than it looks as it contains the changes from #37009 , it will be easier to review this one once 37009 is merged.
Introduces necessary functionality for parsing JSON Web Tokens and validating their signatures. This is heavily geared towards parsing OpenID Connect ID Tokens
Depends on: #37009
Relates: #35339