Module org.elasticsearch.xcore
Class Authentication
java.lang.Object
org.elasticsearch.xpack.core.security.authc.Authentication
- All Implemented Interfaces:
org.elasticsearch.xcontent.ToXContent, org.elasticsearch.xcontent.ToXContentObject
public final class Authentication
extends Object
implements org.elasticsearch.xcontent.ToXContentObject
The Authentication class encapsulates identity information created after successful authentication
and is the starting point of subsequent authorization.
Authentication is serialized and travels across the cluster nodes as the sub-requests are handled,
and can also be cached by long-running jobs that continue to act on behalf of the user, beyond
the lifetime of the original request.
The authentication consists of two Subjects:
- authenticatingSubject: performs the authentication, i.e. it provides a credential.
- effectiveSubject: the subject that authenticatingSubject impersonates (isRunAs()). When isRunAs() is false, the two Subjects are the same object.
Authentication also has a type that indicates which mechanism the authenticatingSubject
uses to perform the authentication.
The Authentication's version is its Subject's version, i.e. getEffectiveSubject().getTransportVersion().
It is guaranteed that the versions are identical for the two Subjects, so getAuthenticatingSubject().getTransportVersion()
gives the same result. Using getEffectiveSubject() is more idiomatic, since most callers
of this class only need to know about the effectiveSubject; that is, callers usually
begin with authentication.getEffectiveSubject() when interrogating an Authentication object.
Nested Class Summary
- static class
- static enum
- static class Authentication.RealmRef: expresses the grouping of realms, identified with RealmConfig.RealmIdentifiers, under RealmDomains.
- Nested classes/interfaces inherited from interface org.elasticsearch.xcontent.ToXContent: org.elasticsearch.xcontent.ToXContent.DelegatingMapParams, org.elasticsearch.xcontent.ToXContent.MapParams, org.elasticsearch.xcontent.ToXContent.Params
Field Summary
- static org.elasticsearch.xcontent.ConstructingObjectParser<Authentication.RealmRef, Void> REALM_REF_PARSER
- static final TransportVersion VERSION_API_KEY_ROLES_AS_BYTES
- static final TransportVersion VERSION_REALM_DOMAINS
- static final TransportVersion VERSION_METADATA_BEYOND_GENERIC_MAP
- Fields inherited from interface org.elasticsearch.xcontent.ToXContent: EMPTY, EMPTY_PARAMS
Constructor Summary
- Authentication
Method Summary
- boolean canAccessResourcesOf(Authentication resourceCreatorAuthentication): Checks whether the current authentication, which can be for a user or for an API Key, can access the resources (e.g. search scrolls and async search results) created by the passed-in authentication.
- void checkConsistency(): An Authentication object has internal constraints between its fields, e.g. if it is an internal authentication, it must have an internal user.
- copyWithEmptyMetadata()
- copyWithFilteredMetadataFields(Set<String> fieldsToKeep): Creates a copy of this Authentication instance, but only with the metadata entries specified by `fieldsToKeep`.
- encode()
- boolean equals
- getAuthenticatingSubject(): Get the Subject that performs the actual authentication.
- static Authentication getAuthenticationFromCrossClusterAccessMetadata(Authentication authentication)
- getAuthenticationType()
- getEffectiveSubject(): Get the Subject that the authentication effectively represents.
- int hashCode()
- boolean isApiKey(): Whether the effective user is an API key, including a simple API key authentication or a token created by the API key.
- boolean isAuthenticatedAsApiKey(): Whether the authenticating user is an API key, including a simple API key or a token created by an API key.
- boolean isCrossClusterAccess()
- boolean isFailedRunAs()
- static boolean isFileOrNativeRealm(String realmType)
- boolean isRunAs(): Whether the authentication contains a subject run-as another subject.
- boolean isServiceAccount(): Authenticated with a service account and no run-as.
- maybeAddAnonymousRoles(AnonymousUser anonymousUser): The final list of roles a user has should include all roles granted to the anonymous user when anonymous access is enabled, the user itself is not the anonymous user, and the authentication is not an API key or service account.
- maybeRewriteForOlderVersion(TransportVersion olderVersion): Returns a new Authentication, like this one, but which is compatible with older-version nodes.
- static Authentication newAnonymousAuthentication(AnonymousUser anonymousUser, String nodeName)
- static Authentication newApiKeyAuthentication(AuthenticationResult<User> authResult, String nodeName)
- static Authentication newInternalAuthentication(InternalUser internalUser, TransportVersion version, String nodeName)
- static Authentication newInternalFallbackAuthentication(User fallbackUser, String nodeName)
- static Authentication newRealmAuthentication(User user, Authentication.RealmRef realmRef)
- static Authentication newServiceAccountAuthentication(User serviceAccountUser, String nodeName, Map<String, Object> metadata)
- runAs(User runAs, Authentication.RealmRef lookupRealmRef): Returns a new Authentication that reflects a "run as another user" action under the current Authentication.
- boolean supportsRunAs(AnonymousUser anonymousUser): Whether the authentication can run-as another user.
- toCrossClusterAccess(CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo)
- token(): Returns a new Authentication for tokens created by the current Authentication, which is used when authenticating using the token credential.
- toString()
- org.elasticsearch.xcontent.XContentBuilder toXContent(org.elasticsearch.xcontent.XContentBuilder builder, org.elasticsearch.xcontent.ToXContent.Params params)
- void toXContentFragment(org.elasticsearch.xcontent.XContentBuilder builder): Generates XContent without the start/end object.
- void writeTo(StreamOutput out)
- void writeToContext: Writes the authentication to the context.
- Methods inherited from class java.lang.Object: clone, finalize, getClass, notify, notifyAll, wait, wait, wait
- Methods inherited from interface org.elasticsearch.xcontent.ToXContentObject: isFragment
Field Details
VERSION_API_KEY_ROLES_AS_BYTES
VERSION_REALM_DOMAINS
VERSION_METADATA_BEYOND_GENERIC_MAP
REALM_REF_PARSER
public static org.elasticsearch.xcontent.ConstructingObjectParser<Authentication.RealmRef,Void> REALM_REF_PARSER
Constructor Details
Authentication
- Throws:
IOException
Method Details
getAuthenticatingSubject
Get the Subject that performs the actual authentication. This normally means it provides a credential.
getEffectiveSubject
Get the Subject that the authentication effectively represents. It may not be the authenticating subject, because the authenticating subject can run-as another subject.
getAuthenticationType
isRunAs
public boolean isRunAs()
Whether the authentication contains a subject run-as another subject. That is, the authenticating subject is different from the effective subject.
isFailedRunAs
public boolean isFailedRunAs()
maybeRewriteForOlderVersion
Returns a new Authentication, like this one, but which is compatible with older-version nodes. This is commonly employed when the Authentication is serialized across cluster nodes with mixed versions.
copyWithFilteredMetadataFields
Creates a copy of this Authentication instance, but only with the metadata entries specified by `fieldsToKeep`. All other entries are removed from the copy's metadata.
copyWithEmptyMetadata
runAs
Returns a new Authentication that reflects a "run as another user" action under the current Authentication. The security RealmRef#Domain of the resulting Authentication is that of the run-as user's realm.
- Parameters:
runAs - The user to be impersonated
lookupRealmRef - The realm where the impersonated user is looked up from. It can be null if the user does not exist. The null lookup realm is used to indicate the lookup failure, which will be rejected at authorization time.
token
Returns a new Authentication for tokens created by the current Authentication, which is used when authenticating using the token credential.
maybeAddAnonymousRoles
The final list of roles a user has should include all roles granted to the anonymous user when:
1. Anonymous access is enabled
2. The user itself is not the anonymous user
3. The authentication is not an API key or service account
Depending on whether the above criteria are satisfied, the method may either return a new authentication object incorporating the anonymous roles or the same authentication object (if anonymous roles are not applicable).
NOTE: this method is an artifact of how anonymous roles are resolved today on each node, as opposed to just on the coordinating node. Whether this behaviour should be changed is an ongoing discussion. Therefore, using this method in more places other than its current usage requires careful consideration.
isAuthenticatedAsApiKey
public boolean isAuthenticatedAsApiKey()
Whether the authenticating user is an API key, including a simple API key or a token created by an API key.
isServiceAccount
public boolean isServiceAccount()
Authenticated with a service account and no run-as.
isApiKey
public boolean isApiKey()
Whether the effective user is an API key, including a simple API key authentication or a token created by the API key.
isCrossClusterAccess
public boolean isCrossClusterAccess()
supportsRunAs
Whether the authentication can run-as another user.
writeToContext
Writes the authentication to the context. There must not be an existing authentication in the context; if there is, an IllegalStateException will be thrown.
- Throws:
IOException
IllegalArgumentException
encode
- Throws:
IOException
writeTo
- Throws:
IOException
canAccessResourcesOf
Checks whether the current authentication, which can be for a user or for an API Key, can access the resources (e.g. search scrolls and async search results) created (owned) by the passed-in authentication. The rules are as follows:
- A resource created by an API Key can only be accessed by the exact same key; the creator user, its tokens, or any of its other keys cannot access it.
- A resource created by a user authenticated by a realm, or any of its tokens, can be accessed by the same username authenticated by the same realm or by other realms from the same security domain (at the time of the access), or any of its tokens. Realms are considered the same if they have the same type and name (except for file and native realms, for which only the type is considered and the name is irrelevant); see also security limitations.
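The ownership rules above, modelled as an added Python example that is not Elasticsearch code: RealmRef, Subject, Auth and the domains mapping are simplified stand-ins assumed here, and the realm names and key ids used with it are constructed. Domain membership is looked up at access time, which is what makes a resource reachable after its creator's realm is later placed in a domain.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

FILE_OR_NATIVE = {"file", "native"}  # realm types compared by type only

@dataclass(frozen=True)
class RealmRef:  # assumed stand-in for Authentication.RealmRef
    type: str
    name: str

@dataclass(frozen=True)
class Subject:  # assumed stand-in for Subject
    username: str
    realm: RealmRef
    api_key_id: Optional[str] = None  # set when the subject is an API key

@dataclass(frozen=True)
class Auth:  # assumed stand-in for Authentication
    subject: Subject
    is_token: bool = False  # a token created by `subject` carries the same identity

    def token(self) -> "Auth":
        return Auth(self.subject, is_token=True)

def is_file_or_native_realm(realm_type: str) -> bool:
    return realm_type in FILE_OR_NATIVE

def same_realm(a: RealmRef, b: RealmRef) -> bool:
    # Same type and name, except file/native realms where the name is irrelevant.
    return a.type == b.type and (is_file_or_native_realm(a.type) or a.name == b.name)

def same_domain(a: RealmRef, b: RealmRef, domains: Mapping[RealmRef, str]) -> bool:
    # Domain membership comes from the configuration at access time, not from
    # whatever was recorded when the resource was created.
    da = domains.get(a)
    return da is not None and da == domains.get(b)

def can_access_resources_of(current: Auth, creator: Auth,
                            domains: Optional[Mapping[RealmRef, str]] = None) -> bool:
    cur, own = current.subject, creator.subject
    if own.api_key_id is not None:    # API key resources: only the exact same key
        return cur.api_key_id == own.api_key_id
    if cur.api_key_id is not None:    # a key cannot reach its creator user's resources
        return False
    if cur.username != own.username:  # realm user resources: same username ...
        return False
    # ... in the same realm, or in a realm of the same security domain.
    return same_realm(cur.realm, own.realm) or same_domain(cur.realm, own.realm, domains or {})
```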
equals
hashCode
public int hashCode()
toXContent
public org.elasticsearch.xcontent.XContentBuilder toXContent(org.elasticsearch.xcontent.XContentBuilder builder, org.elasticsearch.xcontent.ToXContent.Params params) throws IOException
- Specified by:
toXContent in interface org.elasticsearch.xcontent.ToXContent
- Throws:
IOException
toXContentFragment
public void toXContentFragment(org.elasticsearch.xcontent.XContentBuilder builder) throws IOException
Generates XContent without the start/end object.
- Throws:
IOException
getAuthenticationFromCrossClusterAccessMetadata
public static Authentication getAuthenticationFromCrossClusterAccessMetadata(Authentication authentication)
checkConsistency
public void checkConsistency()
An Authentication object has internal constraints between its fields, e.g. if it is an internal authentication, it must have an internal user. These constraints are upheld when the object is built as a result of successful authentication; hence, this method mostly runs in tests (where assertions are enabled). However, for RCS cross-cluster access, the fulfilling cluster (FC) receives an authentication object as part of the request, and there is no guarantee that this object also satisfies the internal constraints. Therefore, this method is called explicitly in production when handling cross-cluster access requests.
toString
isFileOrNativeRealm
newInternalAuthentication
public static Authentication newInternalAuthentication(InternalUser internalUser, TransportVersion version, String nodeName)
newInternalFallbackAuthentication
newAnonymousAuthentication
public static Authentication newAnonymousAuthentication(AnonymousUser anonymousUser, String nodeName)
newServiceAccountAuthentication
newRealmAuthentication
newApiKeyAuthentication
public static Authentication newApiKeyAuthentication(AuthenticationResult<User> authResult, String nodeName)
toCrossClusterAccess
public Authentication toCrossClusterAccess(CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo)