java.lang.Object
org.elasticsearch.xpack.core.security.authc.Authentication
All Implemented Interfaces:
org.elasticsearch.xcontent.ToXContent, org.elasticsearch.xcontent.ToXContentObject

public final class Authentication extends Object implements org.elasticsearch.xcontent.ToXContentObject
The Authentication class encapsulates identity information created after successful authentication and is the starting point of subsequent authorization. Authentication is serialized and travels across the cluster nodes as the sub-requests are handled, and can also be cached by long-running jobs that continue to act on behalf of the user, beyond the lifetime of the original request. The authentication consists of two Subjects:
  • authenticatingSubject: the subject that performs the authentication, i.e. it provides a credential.
  • effectiveSubject: the subject that the authenticatingSubject impersonates (see isRunAs()).
If isRunAs() is false, the two Subjects will be the same object. Authentication also has a type that indicates which mechanism the authenticatingSubject uses to perform the authentication. The Authentication's version is its Subject's version, i.e. getEffectiveSubject().getTransportVersion(). It is guaranteed that the versions are identical for the two Subjects, so getAuthenticatingSubject().getTransportVersion() gives the same result. Using getEffectiveSubject() is nevertheless more idiomatic, since most callers of this class only need to know about the effectiveSubject. That is, the caller often begins with authentication.getEffectiveSubject() when interrogating an Authentication object.
  • Field Details

    • VERSION_API_KEY_ROLES_AS_BYTES

      public static final TransportVersion VERSION_API_KEY_ROLES_AS_BYTES
    • VERSION_REALM_DOMAINS

      public static final TransportVersion VERSION_REALM_DOMAINS
    • VERSION_METADATA_BEYOND_GENERIC_MAP

      public static final TransportVersion VERSION_METADATA_BEYOND_GENERIC_MAP
    • REALM_REF_PARSER

      public static final org.elasticsearch.xcontent.ConstructingObjectParser<Authentication.RealmRef,Void> REALM_REF_PARSER
  • Constructor Details

  • Method Details

    • getAuthenticatingSubject

      public Subject getAuthenticatingSubject()
      Get the Subject that performs the actual authentication. This normally means it provides credentials.
    • getEffectiveSubject

      public Subject getEffectiveSubject()
      Get the Subject that the authentication effectively represents. It may not be the authenticating subject because the authentication subject can run-as another subject.
    • getAuthenticationType

      public Authentication.AuthenticationType getAuthenticationType()
    • isRunAs

      public boolean isRunAs()
      Whether the authentication contains a subject that runs as another subject. That is, the authenticating subject is different from the effective subject.
    • isFailedRunAs

      public boolean isFailedRunAs()
    • maybeRewriteForOlderVersion

      public Authentication maybeRewriteForOlderVersion(TransportVersion olderVersion)
      Returns a new Authentication, like this one, but which is compatible with older version nodes. This is commonly employed when the Authentication is serialized across cluster nodes with mixed versions.
    • copyWithFilteredMetadataFields

      public Authentication copyWithFilteredMetadataFields(Set<String> fieldsToKeep)
      Creates a copy of this Authentication instance, but only with metadata entries specified by `fieldsToKeep`. All other entries are removed from the copy's metadata.
    • copyWithEmptyMetadata

      public Authentication copyWithEmptyMetadata()
    • runAs

      public Authentication runAs(User runAs, @Nullable Authentication.RealmRef lookupRealmRef)
      Returns a new Authentication that reflects a "run as another user" action under the current Authentication. The security RealmRef#Domain of the resulting Authentication is that of the run-as user's realm.
      Parameters:
      runAs - The user to be impersonated
      lookupRealmRef - The realm where the impersonated user is looked up from. It can be null if the user does not exist. The null lookup realm is used to indicate the lookup failure which will be rejected at authorization time.
    • token

      public Authentication token()
      Returns a new Authentication for tokens created by the current Authentication, which is used when authenticating using the token credential.
    • maybeAddAnonymousRoles

      public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUser)
      The final list of roles a user has should include all roles granted to the anonymous user when:
        1. anonymous access is enabled,
        2. the user itself is not the anonymous user, and
        3. the authentication is not an API key or service account.
      Depending on whether the above criteria are satisfied, the method returns either a new authentication object incorporating the anonymous roles or the same authentication object (if anonymous roles are not applicable).
      NOTE: this method is an artifact of how anonymous roles are resolved today on each node, as opposed to just on the coordinating node. Whether this behaviour should be changed is an ongoing discussion. Therefore, using this method in more places than its current usage requires careful consideration.
    • isAuthenticatedAsApiKey

      public boolean isAuthenticatedAsApiKey()
      Whether the authenticating user is an API key, including a simple API key or a token created by an API key.
    • isServiceAccount

      public boolean isServiceAccount()
      Whether the authentication was performed with a service account and has no run-as.
    • isApiKey

      public boolean isApiKey()
      Whether the effective user is an API key, including a simple API key authentication or a token created by the API key.
    • isCrossClusterAccess

      public boolean isCrossClusterAccess()
    • supportsRunAs

      public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser)
      Whether the authentication can run-as another user
    • writeToContext

      public void writeToContext(ThreadContext ctx) throws IOException, IllegalArgumentException
      Writes the authentication to the context. There must not be an existing authentication in the context; if there is one, an IllegalStateException will be thrown.
      Throws:
      IOException
      IllegalArgumentException
    • encode

      public String encode() throws IOException
      Throws:
      IOException
    • writeTo

      public void writeTo(StreamOutput out) throws IOException
      Throws:
      IOException
    • canAccessResourcesOf

      public boolean canAccessResourcesOf(Authentication resourceCreatorAuthentication)
      Checks whether the current authentication, which can be for a user or for an API key, can access the resources (e.g. search scrolls and async search results) created (owned) by the passed-in authentication. The rules are as follows:
        • a resource created by an API key can only be accessed by the exact same key; the creator user, its tokens, or any of its other keys cannot access it.
        • a resource created by a user authenticated by a realm, or by any of its tokens, can be accessed by the same username authenticated by the same realm or by other realms from the same security domain (at the time of the access), or by any of its tokens; realms are considered the same if they have the same type and name (except for file and native realms, for which only the type is considered and the name is irrelevant). See also the security limitations.
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • toXContent

      public org.elasticsearch.xcontent.XContentBuilder toXContent(org.elasticsearch.xcontent.XContentBuilder builder, org.elasticsearch.xcontent.ToXContent.Params params) throws IOException
      Specified by:
      toXContent in interface org.elasticsearch.xcontent.ToXContent
      Throws:
      IOException
    • toXContentFragment

      public void toXContentFragment(org.elasticsearch.xcontent.XContentBuilder builder) throws IOException
      Generates XContent without the start/end object.
      Throws:
      IOException
    • getAuthenticationFromCrossClusterAccessMetadata

      public static Authentication getAuthenticationFromCrossClusterAccessMetadata(Authentication authentication)
    • checkConsistency

      public void checkConsistency()
      An Authentication object has internal constraints between its fields, e.g. if it is an internal authentication, it must have an internal user. These constraints are upheld when the authentication is built as the result of a successful authentication. Hence, this method mostly runs in tests (where assertions are enabled). However, for RCS cross-cluster access, the fulfilling cluster (FC) receives an authentication object as part of the request, and there is no guarantee that this authentication object also satisfies the internal constraints. Therefore, this method is called explicitly in production when handling cross-cluster access requests.
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • isFileOrNativeRealm

      public static boolean isFileOrNativeRealm(String realmType)
    • newInternalAuthentication

      public static Authentication newInternalAuthentication(InternalUser internalUser, TransportVersion version, String nodeName)
    • newInternalFallbackAuthentication

      public static Authentication newInternalFallbackAuthentication(User fallbackUser, String nodeName)
    • newAnonymousAuthentication

      public static Authentication newAnonymousAuthentication(AnonymousUser anonymousUser, String nodeName)
    • newServiceAccountAuthentication

      public static Authentication newServiceAccountAuthentication(User serviceAccountUser, String nodeName, Map<String,Object> metadata)
    • newRealmAuthentication

      public static Authentication newRealmAuthentication(User user, Authentication.RealmRef realmRef)
    • newApiKeyAuthentication

      public static Authentication newApiKeyAuthentication(AuthenticationResult<User> authResult, String nodeName)
    • toCrossClusterAccess

      public Authentication toCrossClusterAccess(CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo)
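An added example (not code from Elasticsearch itself) that exercises the run-as semantics and the canAccessResourcesOf() ownership rules described above through the public methods on this page. It assumes the constructors `new User(String username, String... roles)` and `new RealmRef(String name, String type, String nodeName)` and the accessors `Subject.getUser()` and `User.principal()`, none of which are shown on this page; all identities are constructed sample data.

```java
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef;
import org.elasticsearch.xpack.core.security.user.User;

// Added example (not Elasticsearch's own code): exercises the ownership rules documented above.
public class AuthenticationOwnershipDemo {

    // Explicit check so the demo does not depend on the JVM's -ea flag.
    static void check(boolean condition, String message) {
        if (!condition) throw new IllegalStateException(message);
    }

    public static void main(String[] args) {
        // Constructed sample identities; constructor shapes are assumed, see lead-in.
        User alice = new User("alice", "kibana_admin");
        RealmRef native1 = new RealmRef("native1", "native", "node-1");
        RealmRef native2 = new RealmRef("native2", "native", "node-1");
        RealmRef ldap1 = new RealmRef("ldap1", "ldap", "node-1");

        // Plain realm authentication: no run-as, so both Subjects are the same object.
        Authentication aliceNative1 = Authentication.newRealmAuthentication(alice, native1);
        check(aliceNative1.isRunAs() == false, "no run-as expected");
        check(aliceNative1.getAuthenticatingSubject() == aliceNative1.getEffectiveSubject(),
            "without run-as the two Subjects must be identical");

        // Rule: same username in the same realm may access the creator's resources.
        Authentication sameUserSameRealm = Authentication.newRealmAuthentication(alice, native1);
        check(aliceNative1.canAccessResourcesOf(sameUserSameRealm), "same user, same realm");

        // Rule: file/native realms are compared by type only, so the realm name is irrelevant.
        check(Authentication.isFileOrNativeRealm("native"), "native is a file-or-native realm type");
        Authentication sameUserOtherNative = Authentication.newRealmAuthentication(alice, native2);
        check(aliceNative1.canAccessResourcesOf(sameUserOtherNative), "native realm name ignored");

        // Rule: a different realm type with no shared security domain is a different identity.
        Authentication sameUserLdap = Authentication.newRealmAuthentication(alice, ldap1);
        check(aliceNative1.canAccessResourcesOf(sameUserLdap) == false, "different realm type");

        // Run-as: the effective subject becomes bob while the authenticating subject stays alice.
        Authentication aliceAsBob = aliceNative1.runAs(new User("bob", "viewer"), ldap1);
        check(aliceAsBob.isRunAs(), "run-as expected");
        check("bob".equals(aliceAsBob.getEffectiveSubject().getUser().principal()), "effective user is bob");
        check("alice".equals(aliceAsBob.getAuthenticatingSubject().getUser().principal()), "authenticating user is alice");

        // Ownership follows the effective subject: bob@ldap1 cannot reach resources owned by alice@native1.
        check(aliceAsBob.canAccessResourcesOf(aliceNative1) == false, "run-as identity is not the creator");

        System.out.println("all ownership checks passed");
    }
}
```

Run it on the classpath of the x-pack security core module; each check() call fails loudly with the rule it was verifying, which makes the example double as a regression check for the ownership rules.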