org.elasticsearch.xpack.security.authc.Realms Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of x-pack-security Show documentation
Show all versions of x-pack-security Show documentation
Elasticsearch Expanded Pack Plugin - Security
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
package org.elasticsearch.xpack.security.authc;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.RefCountingRunnable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.IOUtils;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.LicensedFeature;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.node.Node;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.DomainConfig;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmDomain;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings;
import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.support.ReloadableSecurityComponent;
import java.io.Closeable;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
/**
* Serves as a realms registry (also responsible for ordering the realms appropriately)
*/
public class Realms extends AbstractLifecycleComponent implements Iterable, ReloadableSecurityComponent {
private static final Logger logger = LogManager.getLogger(Realms.class);
private static final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(logger.getName());
private final Settings settings;
private final Environment env;
private final Map factories;
private final XPackLicenseState licenseState;
private final ThreadContext threadContext;
private final ReservedRealm reservedRealm;
// All realms that were configured from the node settings, some of these may not be enabled due to licensing
private final List allConfiguredRealms;
private final Map domainNameToConfig;
// The realmRefs include all realms explicitly or implicitly configured regardless whether they are disabled or not
private final Map realmRefs;
// the realms in current use. This list will change dynamically as the license changes
private volatile List activeRealms;
@SuppressWarnings("this-escape")
public Realms(
Settings settings,
Environment env,
Map factories,
XPackLicenseState licenseState,
ThreadContext threadContext,
ReservedRealm reservedRealm
) throws Exception {
this.settings = settings;
this.env = env;
this.factories = factories;
this.licenseState = licenseState;
this.threadContext = threadContext;
this.reservedRealm = reservedRealm;
assert XPackSettings.SECURITY_ENABLED.get(settings) : "security must be enabled";
assert factories.get(ReservedRealm.TYPE) == null;
final Map realmToDomainConfig = RealmSettings.computeRealmNameToDomainConfigAssociation(settings);
domainNameToConfig = realmToDomainConfig.values()
.stream()
.distinct()
.collect(Collectors.toMap(DomainConfig::name, Function.identity()));
final List realmConfigs = buildRealmConfigs();
// initRealms will add default file and native realm config if they are not explicitly configured
final List initialRealms = initRealms(realmConfigs);
realmRefs = calculateRealmRefs(realmConfigs, realmToDomainConfig);
for (Realm realm : initialRealms) {
Authentication.RealmRef realmRef = Objects.requireNonNull(
realmRefs.get(new RealmConfig.RealmIdentifier(realm.type(), realm.name())),
"realmRef can not be null"
);
realm.setRealmRef(realmRef);
}
this.allConfiguredRealms = initialRealms;
this.allConfiguredRealms.forEach(r -> r.initialize(this.allConfiguredRealms, licenseState));
assert this.allConfiguredRealms.get(0) == reservedRealm : "the first realm must be reserved realm";
this.activeRealms = calculateLicensedRealms(licenseState.copyCurrentLicenseState());
licenseState.addListener(this::recomputeActiveRealms);
}
private Map calculateRealmRefs(
Collection realmConfigs,
Map domainForRealm
) {
final String nodeName = Node.NODE_NAME_SETTING.get(settings);
final Map realmRefs = new HashMap<>();
assert realmConfigs.stream().noneMatch(rc -> rc.name().equals(reservedRealm.name()) && rc.type().equals(reservedRealm.type()))
: "reserved realm cannot be configured";
realmRefs.put(
new RealmConfig.RealmIdentifier(reservedRealm.type(), reservedRealm.name()),
new Authentication.RealmRef(reservedRealm.name(), reservedRealm.type(), nodeName, null)
);
for (RealmConfig realmConfig : realmConfigs) {
final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier(realmConfig.type(), realmConfig.name());
final DomainConfig domainConfig = domainForRealm.get(realmConfig.name());
final RealmDomain realmDomain;
if (domainConfig != null) {
final String domainName = domainConfig.name();
Set domainIdentifiers = new HashSet<>();
for (RealmConfig otherRealmConfig : realmConfigs) {
final DomainConfig otherDomainConfig = domainForRealm.get(otherRealmConfig.name());
if (otherDomainConfig != null && domainName.equals(otherDomainConfig.name())) {
domainIdentifiers.add(otherRealmConfig.identifier());
}
}
realmDomain = new RealmDomain(domainName, domainIdentifiers);
} else {
realmDomain = null;
}
realmRefs.put(
realmIdentifier,
new Authentication.RealmRef(realmIdentifier.getName(), realmIdentifier.getType(), nodeName, realmDomain)
);
}
assert realmRefs.values().stream().filter(realmRef -> ReservedRealm.TYPE.equals(realmRef.getType())).toList().size() == 1
: "there must be exactly one reserved realm configured";
assert realmRefs.values().stream().filter(realmRef -> NativeRealmSettings.TYPE.equals(realmRef.getType())).toList().size() == 1
: "there must be exactly one native realm configured";
assert realmRefs.values().stream().filter(realmRef -> FileRealmSettings.TYPE.equals(realmRef.getType())).toList().size() == 1
: "there must be exactly one file realm configured";
return Map.copyOf(realmRefs);
}
protected void recomputeActiveRealms() {
final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
final List licensedRealms = calculateLicensedRealms(licenseStateSnapshot);
logger.info(
"license mode is [{}], currently licensed security realms are [{}]",
licenseStateSnapshot.getOperationMode().description(),
Strings.collectionToCommaDelimitedString(licensedRealms)
);
// Stop license-tracking for any previously-active realms that are no longer allowed
if (activeRealms != null) {
activeRealms.stream().filter(r -> licensedRealms.contains(r) == false).forEach(realm -> {
handleDisabledRealmDueToLicenseChange(realm, licenseStateSnapshot);
});
}
activeRealms = licensedRealms;
}
// Can be overridden in testing
protected void handleDisabledRealmDueToLicenseChange(Realm realm, XPackLicenseState licenseStateSnapshot) {
final LicensedFeature.Persistent feature = getLicensedFeatureForRealm(realm.type());
assert feature != null
: "Realm ["
+ realm
+ "] with no licensed feature became inactive due to change to license mode ["
+ licenseStateSnapshot.getOperationMode()
+ "]";
feature.stopTracking(licenseStateSnapshot, realm.name());
logger.warn(
"The [{}.{}] realm has been automatically disabled due to a change in license [{}]",
realm.type(),
realm.name(),
licenseStateSnapshot.statusDescription()
);
}
@Override
public Iterator iterator() {
return getActiveRealms().iterator();
}
/**
* Returns a list of realms that are configured, but are not permitted under the current license.
*/
public List getUnlicensedRealms() {
final List activeSnapshot = activeRealms;
if (activeSnapshot.equals(allConfiguredRealms)) {
return Collections.emptyList();
}
// Otherwise, we return anything in "all realms" that is not in the allowed realm list
return allConfiguredRealms.stream().filter(r -> activeSnapshot.contains(r) == false).toList();
}
public Stream stream() {
return StreamSupport.stream(this.spliterator(), false);
}
public List getActiveRealms() {
assert activeRealms != null : "Active realms not configured";
return activeRealms;
}
public DomainConfig getDomainConfig(String domainName) {
return domainNameToConfig.get(domainName);
}
// Protected for testing
protected List calculateLicensedRealms(XPackLicenseState licenseStateSnapshot) {
return allConfiguredRealms.stream().filter(r -> checkLicense(r, licenseStateSnapshot)).toList();
}
private static boolean checkLicense(Realm realm, XPackLicenseState licenseState) {
final LicensedFeature.Persistent feature = getLicensedFeatureForRealm(realm.type());
if (feature == null) {
return true;
}
return feature.checkAndStartTracking(licenseState, realm.name());
}
public static boolean isRealmTypeAvailable(XPackLicenseState licenseState, String type) {
final LicensedFeature.Persistent feature = getLicensedFeatureForRealm(type);
if (feature == null) {
return true;
}
return feature.checkWithoutTracking(licenseState);
}
@Nullable
private static LicensedFeature.Persistent getLicensedFeatureForRealm(String realmType) {
assert Strings.hasText(realmType) : "Realm type must be provided (received [" + realmType + "])";
if (InternalRealms.isInternalRealm(realmType)) {
return InternalRealms.getLicensedFeature(realmType);
} else {
return Security.CUSTOM_REALMS_FEATURE;
}
}
public Realm realm(String name) {
for (Realm realm : activeRealms) {
if (name.equals(realm.name())) {
return realm;
}
}
return null;
}
public Realm.Factory realmFactory(String type) {
return factories.get(type);
}
protected List initRealms(List realmConfigs) throws Exception {
List realms = new ArrayList<>();
Map> nameToRealmIdentifier = new HashMap<>();
Map> orderToRealmName = new HashMap<>();
List reservedPrefixedRealmIdentifiers = new ArrayList<>();
for (RealmConfig config : realmConfigs) {
Realm.Factory factory = factories.get(config.identifier().getType());
assert factory != null : "unknown realm type [" + config.identifier().getType() + "]";
if (config.identifier().getName().startsWith(RealmSettings.RESERVED_REALM_AND_DOMAIN_NAME_PREFIX)) {
reservedPrefixedRealmIdentifiers.add(config.identifier());
}
if (config.enabled() == false) {
if (logger.isDebugEnabled()) {
logger.debug("realm [{}] is disabled", config.identifier());
}
continue;
}
Realm realm = factory.create(config);
nameToRealmIdentifier.computeIfAbsent(realm.name(), k -> new HashSet<>())
.add(RealmSettings.realmSettingPrefix(realm.type()) + realm.name());
orderToRealmName.computeIfAbsent(realm.order(), k -> new HashSet<>()).add(realm.name());
realms.add(realm);
}
checkUniqueOrders(orderToRealmName);
Collections.sort(realms);
ensureUniqueExplicitlyConfiguredRealmNames(nameToRealmIdentifier);
maybeAddBasicRealms(realms, realmConfigs);
// always add built in first!
addReservedRealm(realms);
logDeprecationForReservedPrefixedRealmNames(reservedPrefixedRealmIdentifiers);
return Collections.unmodifiableList(realms);
}
@SuppressWarnings("unchecked")
public void usageStats(ActionListener> listener) {
final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
Map realmMap = new HashMap<>();
final AtomicBoolean failed = new AtomicBoolean(false);
final List realmList = getActiveRealms().stream().filter(r -> ReservedRealm.TYPE.equals(r.type()) == false).toList();
try (var refs = new RefCountingRunnable(() -> {
if (failed.get() == false) {
// iterate over the factories so we can add enabled & available info
for (String type : factories.keySet()) {
assert ReservedRealm.TYPE.equals(type) == false;
realmMap.compute(type, (key, value) -> {
if (value == null) {
return Map.of("enabled", false, "available", isRealmTypeAvailable(licenseStateSnapshot, type));
}
assert value instanceof Map;
@SuppressWarnings("unchecked")
Map realmTypeUsage = (Map) value;
realmTypeUsage.put("enabled", true);
realmTypeUsage.put("available", true);
return value;
});
}
listener.onResponse(realmMap);
}
})) {
for (Realm realm : realmList) {
final var ref = refs.acquire();
realm.usageStats(ActionListener.wrap(stats -> {
if (failed.get() == false) {
synchronized (realmMap) {
realmMap.compute(realm.type(), (key, value) -> {
if (value == null) {
Object realmTypeUsage = convertToMapOfLists(stats);
return realmTypeUsage;
}
assert value instanceof Map;
combineMaps((Map) value, stats);
return value;
});
}
ref.close();
}
}, e -> {
if (failed.compareAndSet(false, true)) {
listener.onFailure(e);
}
}));
}
}
}
public Map domainUsageStats() {
if (domainNameToConfig.isEmpty()) {
return Map.of();
} else {
return domainNameToConfig.entrySet()
.stream()
.collect(Collectors.toMap(Entry::getKey, entry -> Map.of("realms", entry.getValue().memberRealmNames())));
}
}
/**
* Retrieves the {@link Authentication.RealmRef}, which contains the {@link DomainConfig}, if configured,
* for the passed in {@link RealmConfig.RealmIdentifier}.
* If the realm is not currently configured, {@code null} is returned.
*/
public @Nullable Authentication.RealmRef getRealmRef(RealmConfig.RealmIdentifier realmIdentifier) {
// "file", "native", and "reserved" realms may be renamed, but they refer to the same corpus of users
if (FileRealmSettings.TYPE.equals(realmIdentifier.getType())) {
return getFileRealmRef();
} else if (NativeRealmSettings.TYPE.equals(realmIdentifier.getType())) {
return getNativeRealmRef();
} else if (ReservedRealm.TYPE.equals(realmIdentifier.getType())) {
return getReservedRealmRef();
} else {
// but for other realms, it is assumed that a different realm name or realm type signifies a different corpus of users
return realmRefs.get(realmIdentifier);
}
}
public Authentication.RealmRef getNativeRealmRef() {
return realmRefs.values()
.stream()
.filter(realmRef -> NativeRealmSettings.TYPE.equals(realmRef.getType()))
.findFirst()
.orElseThrow(() -> new IllegalStateException("native realm realm ref not found"));
}
public Authentication.RealmRef getFileRealmRef() {
return realmRefs.values()
.stream()
.filter(realmRef -> FileRealmSettings.TYPE.equals(realmRef.getType()))
.findFirst()
.orElseThrow(() -> new IllegalStateException("file realm realm ref not found"));
}
public Authentication.RealmRef getReservedRealmRef() {
return realmRefs.values()
.stream()
.filter(realmRef -> ReservedRealm.TYPE.equals(realmRef.getType()))
.findFirst()
.orElseThrow(() -> new IllegalStateException("reserved realm realm ref not found"));
}
// should only be useful for testing
int getRealmRefsCount() {
return realmRefs.size();
}
@Override
protected void doStart() {}
@Override
protected void doStop() {}
@Override
protected void doClose() throws IOException {
IOUtils.close(allConfiguredRealms.stream().filter(r -> r instanceof Closeable).map(r -> (Closeable) r).toList());
}
private void maybeAddBasicRealms(List realms, List realmConfigs) throws Exception {
final Set disabledBasicRealmTypes = findDisabledBasicRealmTypes(realmConfigs);
final Set realmTypes = realms.stream().map(Realm::type).collect(Collectors.toUnmodifiableSet());
// Add native realm first so that file realm will be added before it
if (false == disabledBasicRealmTypes.contains(NativeRealmSettings.TYPE) && false == realmTypes.contains(NativeRealmSettings.TYPE)) {
boolean enabled = settings.getAsBoolean(NativeRealmSettings.NATIVE_USERS_ENABLED, true);
ensureRealmNameIsAvailable(realms, NativeRealmSettings.DEFAULT_NAME);
var nativeRealmId = new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, NativeRealmSettings.DEFAULT_NAME);
var realmConfig = new RealmConfig(
nativeRealmId,
buildSettingsforDefaultRealm(settings, nativeRealmId, Integer.MIN_VALUE, enabled),
env,
threadContext
);
realmConfigs.add(realmConfig);
if (enabled) {
realms.add(0, factories.get(NativeRealmSettings.TYPE).create(realmConfig));
}
}
if (false == disabledBasicRealmTypes.contains(FileRealmSettings.TYPE) && false == realmTypes.contains(FileRealmSettings.TYPE)) {
ensureRealmNameIsAvailable(realms, FileRealmSettings.DEFAULT_NAME);
var fileRealmId = new RealmConfig.RealmIdentifier(FileRealmSettings.TYPE, FileRealmSettings.DEFAULT_NAME);
var realmConfig = new RealmConfig(
fileRealmId,
buildSettingsforDefaultRealm(settings, fileRealmId, Integer.MIN_VALUE, true),
env,
threadContext
);
realmConfigs.add(realmConfig);
realms.add(0, factories.get(FileRealmSettings.TYPE).create(realmConfig));
}
}
private void addReservedRealm(List realms) {
ensureRealmNameIsAvailable(realms, ReservedRealm.NAME);
realms.add(0, reservedRealm);
}
/**
* Check that the given realmName is not yet used by the given list of realms.
*/
private static void ensureRealmNameIsAvailable(List realms, String realmName) {
assert realms.size() == realms.stream().map(Realm::name).collect(Collectors.toUnmodifiableSet()).size()
: "existing realm names must be unique";
final Realm misNamedRealm = realms.stream().filter(realm -> realmName.equals(realm.name())).findFirst().orElse(null);
if (misNamedRealm != null) {
throw new IllegalArgumentException(
"Found realm configured with name clashing with the ["
+ realmName
+ "] realm: ["
+ (RealmSettings.realmSettingPrefix(misNamedRealm.type()) + misNamedRealm.name())
+ "]"
);
}
}
private static Settings buildSettingsforDefaultRealm(
Settings settings,
RealmConfig.RealmIdentifier realmIdentifier,
int order,
boolean enabled
) {
final String prefix = RealmSettings.realmSettingPrefix(realmIdentifier);
final Settings.Builder builder = Settings.builder().put(settings).put(prefix + "order", order);
if (enabled == false) {
builder.put(prefix + "enabled", false);
}
return builder.build();
}
private static void checkUniqueOrders(Map> orderToRealmName) {
String duplicateOrders = orderToRealmName.entrySet()
.stream()
.filter(entry -> entry.getValue().size() > 1)
.map(entry -> entry.getKey() + ": " + entry.getValue())
.collect(Collectors.joining("; "));
if (Strings.hasText(duplicateOrders)) {
throw new IllegalArgumentException("Found multiple realms configured with the same order: " + duplicateOrders);
}
}
private static void ensureUniqueExplicitlyConfiguredRealmNames(Map> nameToRealmIdentifier) {
String duplicateRealms = nameToRealmIdentifier.entrySet()
.stream()
.filter(entry -> entry.getValue().size() > 1)
.map(entry -> entry.getKey() + ": " + entry.getValue())
.collect(Collectors.joining("; "));
if (Strings.hasText(duplicateRealms)) {
throw new IllegalArgumentException("Found multiple realms configured with the same name: " + duplicateRealms + "");
}
}
private List buildRealmConfigs() {
final Map realmsSettings = RealmSettings.getRealmSettings(settings);
final Set internalTypes = new HashSet<>();
final List kerberosRealmNames = new ArrayList<>();
final List realmConfigs = new ArrayList<>();
for (RealmConfig.RealmIdentifier identifier : realmsSettings.keySet()) {
Realm.Factory factory = factories.get(identifier.getType());
if (factory == null) {
throw new IllegalArgumentException("unknown realm type [" + identifier.getType() + "] for realm [" + identifier + "]");
}
RealmConfig config = new RealmConfig(identifier, settings, env, threadContext);
if (InternalRealms.isBuiltinRealm(identifier.getType())) {
// this is an internal realm factory, let's make sure we didn't already registered one
// (there can only be one instance of an internal realm)
if (internalTypes.contains(identifier.getType())) {
throw new IllegalArgumentException(
"multiple ["
+ identifier.getType()
+ "] realms are configured. ["
+ identifier.getType()
+ "] is an internal realm and therefore there can only be one such realm configured"
);
}
internalTypes.add(identifier.getType());
}
if (KerberosRealmSettings.TYPE.equals(identifier.getType())) {
kerberosRealmNames.add(identifier.getName());
if (kerberosRealmNames.size() > 1) {
throw new IllegalArgumentException(
"multiple realms "
+ kerberosRealmNames.toString()
+ " configured of type ["
+ identifier.getType()
+ "], ["
+ identifier.getType()
+ "] can only have one such realm "
+ "configured"
);
}
}
realmConfigs.add(config);
}
return realmConfigs;
}
private static Set findDisabledBasicRealmTypes(List realmConfigs) {
return realmConfigs.stream()
.filter(rc -> InternalRealms.isBuiltinRealm(rc.type()))
.filter(rc -> false == rc.enabled())
.map(RealmConfig::type)
.collect(Collectors.toUnmodifiableSet());
}
private static void logDeprecationForReservedPrefixedRealmNames(List realmIdentifiers) {
if (false == realmIdentifiers.isEmpty()) {
deprecationLogger.warn(
DeprecationCategory.SECURITY,
"realm_name_with_reserved_prefix",
"Found realm "
+ (realmIdentifiers.size() == 1 ? "name" : "names")
+ " with reserved prefix [{}]: [{}]. "
+ "In a future major release, node will fail to start if any realm names start with reserved prefix.",
RealmSettings.RESERVED_REALM_AND_DOMAIN_NAME_PREFIX,
realmIdentifiers.stream()
.map(rid -> RealmSettings.PREFIX + rid.getType() + "." + rid.getName())
.sorted()
.collect(Collectors.joining("; "))
);
}
}
@SuppressWarnings({ "unchecked", "rawtypes" })
private static void combineMaps(Map mapA, Map mapB) {
for (Entry entry : mapB.entrySet()) {
mapA.compute(entry.getKey(), (key, value) -> {
if (value == null) {
return new ArrayList<>(Collections.singletonList(entry.getValue()));
}
assert value instanceof List;
((List) value).add(entry.getValue());
return value;
});
}
}
private static Map convertToMapOfLists(Map map) {
Map converted = Maps.newMapWithExpectedSize(map.size());
for (Entry entry : map.entrySet()) {
converted.put(entry.getKey(), new ArrayList<>(Collections.singletonList(entry.getValue())));
}
return converted;
}
@Override
public void reload(Settings settings) {
final List reloadExceptions = new ArrayList<>();
for (Realm realm : this.allConfiguredRealms) {
if (realm instanceof ReloadableSecurityComponent reloadableRealm) {
try {
reloadableRealm.reload(settings);
} catch (Exception e) {
reloadExceptions.add(e);
}
}
}
if (false == reloadExceptions.isEmpty()) {
final var combinedException = new ElasticsearchException("secure settings reload failed for one or more realms");
reloadExceptions.forEach(combinedException::addSuppressed);
throw combinedException;
}
}
}