elastic
diff --git a/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java‎
Lines changed: 8 additions & 2 deletions b/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/AuthenticationService.java‎
Lines changed: 4 additions & 0 deletions b/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/AuthenticationService.java‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java‎
Lines changed: 79 additions & 0 deletions b/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccount.java‎
Lines changed: 92 additions & 0 deletions b/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccount.java‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountService.java‎
Lines changed: 159 additions & 0 deletions b/‎x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountService.java‎
Lines changed: 159 additions & 0 deletions
@@ -200,6 +200,8 @@
 import org.elasticsearch.xpack.security.authc.TokenService;
 import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
 import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
+import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;
+import org.elasticsearch.xpack.security.authc.service.ServiceAccountsCredentialStore.CompositeServiceAccountsCredentialStore;
 import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;
 import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
 import org.elasticsearch.xpack.security.authz.AuthorizationService;
@@ -488,9 +490,13 @@ Collection<Object> createComponents(Client client, ThreadPool threadPool, Cluste
         final ApiKeyService apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), client, getLicenseState(), securityIndex.get(),
             clusterService, cacheInvalidatorRegistry, threadPool);
         components.add(apiKeyService);
+
+        final ServiceAccountService serviceAccountService =
+            new ServiceAccountService(new CompositeServiceAccountsCredentialStore(List.of()));
+
         final CompositeRolesStore allRolesStore = new CompositeRolesStore(settings, fileRolesStore, nativeRolesStore, reservedRolesStore,
             privilegeStore, rolesProviders, threadPool.getThreadContext(), getLicenseState(), fieldPermissionsCache, apiKeyService,
-            dlsBitsetCache.get(), new DeprecationRoleDescriptorConsumer(clusterService, threadPool));
+            serviceAccountService, dlsBitsetCache.get(), new DeprecationRoleDescriptorConsumer(clusterService, threadPool));
         securityIndex.get().addIndexStateListener(allRolesStore::onSecurityIndexStateChange);
 
         // to keep things simple, just invalidate all cached entries on license change. this happens so rarely that the impact should be
@@ -509,7 +515,7 @@ Collection<Object> createComponents(Client client, ThreadPool threadPool, Cluste
             operatorPrivilegesService = OperatorPrivileges.NOOP_OPERATOR_PRIVILEGES_SERVICE;
         }
         authcService.set(new AuthenticationService(settings, realms, auditTrailService, failureHandler, threadPool,
-                anonymousUser, tokenService, apiKeyService, operatorPrivilegesService));
+                anonymousUser, tokenService, apiKeyService, serviceAccountService, operatorPrivilegesService));
         components.add(authcService.get());
         securityIndex.get().addIndexStateListener(authcService.get()::onSecurityIndexStateChange);
 
 
@@ -46,6 +46,7 @@
 import org.elasticsearch.xpack.security.audit.AuditTrail;
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.elasticsearch.xpack.security.audit.AuditUtil;
+import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;
 import org.elasticsearch.xpack.security.authc.support.RealmUserLookup;
 import org.elasticsearch.xpack.security.operator.OperatorPrivileges.OperatorPrivilegesService;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;
@@ -88,6 +89,7 @@ public class AuthenticationService {
     private final Cache<String, Realm> lastSuccessfulAuthCache;
     private final AtomicLong numInvalidation = new AtomicLong();
     private final ApiKeyService apiKeyService;
+    private final ServiceAccountService serviceAccountService;
     private final OperatorPrivilegesService operatorPrivilegesService;
     private final boolean runAsEnabled;
     private final boolean isAnonymousUserEnabled;
@@ -96,6 +98,7 @@ public class AuthenticationService {
     public AuthenticationService(Settings settings, Realms realms, AuditTrailService auditTrailService,
                                  AuthenticationFailureHandler failureHandler, ThreadPool threadPool,
                                  AnonymousUser anonymousUser, TokenService tokenService, ApiKeyService apiKeyService,
+                                 ServiceAccountService serviceAccountService,
                                  OperatorPrivilegesService operatorPrivilegesService) {
         this.nodeName = Node.NODE_NAME_SETTING.get(settings);
         this.realms = realms;
@@ -115,6 +118,7 @@ public AuthenticationService(Settings settings, Realms realms, AuditTrailService
             this.lastSuccessfulAuthCache = null;
         }
         this.apiKeyService = apiKeyService;
+        this.serviceAccountService = serviceAccountService;
         this.operatorPrivilegesService = operatorPrivilegesService;
         this.authenticationSerializer = new AuthenticationContextSerializer();
     }
 
@@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authc.service;
+
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.user.User;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+final class ElasticServiceAccounts {
+
+    static final String NAMESPACE = "elastic";
+
+    private static final ServiceAccount FLEET_ACCOUNT = new ElasticServiceAccount("fleet",
+        new RoleDescriptor(
+            NAMESPACE + "/fleet",
+            new String[]{"monitor", "manage_own_api_key"},
+            new RoleDescriptor.IndicesPrivileges[]{
+                RoleDescriptor.IndicesPrivileges
+                    .builder()
+                    .indices("logs-*", "metrics-*", "traces-*")
+                    .privileges("write", "create_index", "auto_configure")
+                    .build()
+            },
+            null,
+            null,
+            null,
+            null,
+            null
+        ));
+
+    static Map<String, ServiceAccount> ACCOUNTS = List.of(FLEET_ACCOUNT).stream()
+        .collect(Collectors.toMap(a -> a.id().serviceName(), Function.identity()));;
+
+    private ElasticServiceAccounts() {}
+
+    static class ElasticServiceAccount implements ServiceAccount {
+        private final ServiceAccountId id;
+        private final RoleDescriptor roleDescriptor;
+        private final User user;
+
+        ElasticServiceAccount(String serviceName, RoleDescriptor roleDescriptor) {
+            this.id = new ServiceAccountId(NAMESPACE, serviceName);
+            this.roleDescriptor = Objects.requireNonNull(roleDescriptor, "Role descriptor cannot be null");
+            if (roleDescriptor.getName().equals(id.asPrincipal()) == false) {
+                throw new IllegalArgumentException("the provided role descriptor [" + roleDescriptor.getName()
+                    + "] must have the same name as the service account [" + id.asPrincipal() + "]");
+            }
+            this.user = new User(id.asPrincipal(), Strings.EMPTY_ARRAY, "Service account - " + id, null,
+                Map.of("_elastic_service_account", true),
+                true);
+        }
+
+        @Override
+        public ServiceAccountId id() {
+            return id;
+        }
+
+        @Override
+        public RoleDescriptor roleDescriptor() {
+            return roleDescriptor;
+        }
+
+        @Override
+        public User asUser() {
+            return user;
+        }
+    }
+}
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authc.service;
+
+import org.apache.logging.log4j.util.Strings;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.user.User;
+
+import java.io.IOException;
+import java.util.Objects;
+
+public interface ServiceAccount {
+
+    ServiceAccountId id();
+
+    RoleDescriptor roleDescriptor();
+
+    User asUser();
+
+    final class ServiceAccountId {
+
+        private final String namespace;
+        private final String serviceName;
+
+        public static ServiceAccountId fromPrincipal(String principal) {
+            final int split = principal.indexOf('/');
+            if (split == -1) {
+                throw new IllegalArgumentException(
+                    "a service account ID must be in the form {namespace}/{service-name}, but was [" + principal + "]");
+            }
+            return new ServiceAccountId(principal.substring(0, split), principal.substring(split + 1));
+        }
+
+        public ServiceAccountId(String namespace, String serviceName) {
+            this.namespace = namespace;
+            this.serviceName = serviceName;
+            if (Strings.isBlank(this.namespace)) {
+                throw new IllegalArgumentException("the namespace of a service account ID must not be empty");
+            }
+            if (Strings.isBlank(this.serviceName)) {
+                throw new IllegalArgumentException("the service-name of a service account ID must not be empty");
+            }
+        }
+
+        public ServiceAccountId(StreamInput in) throws IOException {
+            this.namespace = in.readString();
+            this.serviceName = in.readString();
+        }
+
+        public void write(StreamOutput out) throws IOException {
+            out.writeString(namespace);
+            out.writeString(serviceName);
+        }
+
+        public String namespace() {
+            return namespace;
+        }
+
+        public String serviceName() {
+            return serviceName;
+        }
+
+        public String asPrincipal() {
+            return namespace + "/" + serviceName;
+        }
+
+        @Override
+        public String toString() {
+            return asPrincipal();
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            ServiceAccountId that = (ServiceAccountId) o;
+            return namespace.equals(that.namespace) && serviceName.equals(that.serviceName);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(namespace, serviceName);
+        }
+    }
+}
@@ -0,0 +1,159 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authc.service;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.message.ParameterizedMessage;
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.Version;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.CharArrays;
+import org.elasticsearch.common.hash.MessageDigests;
+import org.elasticsearch.common.io.stream.InputStreamStreamInput;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.authc.service.ServiceAccount.ServiceAccountId;
+import org.elasticsearch.xpack.security.authc.support.SecurityTokenType;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.Base64;
+import java.util.Map;
+
+import static org.elasticsearch.xpack.security.authc.service.ElasticServiceAccounts.ACCOUNTS;
+
+public class ServiceAccountService {
+
+    public static final String REALM_TYPE = "service_account";
+    public static final String REALM_NAME = "service_account";
+    public static final Version VERSION_MINIMUM = Version.V_8_0_0;
+
+    private static final Logger logger = LogManager.getLogger(ServiceAccountService.class);
+
+    private final ServiceAccountsCredentialStore serviceAccountsCredentialStore;
+
+    public ServiceAccountService(ServiceAccountsCredentialStore serviceAccountsCredentialStore) {
+        this.serviceAccountsCredentialStore = serviceAccountsCredentialStore;
+    }
+
+    public static boolean isServiceAccount(Authentication authentication) {
+        return REALM_TYPE.equals(authentication.getAuthenticatedBy().getType()) && null == authentication.getLookedUpBy();
+    }
+
+    // {@link org.elasticsearch.xpack.security.authc.TokenService#extractBearerTokenFromHeader extracted} from an HTTP authorization header.
+    /**
+     * Parses a token object from the content of a {@link ServiceAccountToken#asBearerString()} bearer string}.
+     * This bearer string would typically be
+     *
+     * <p>
+     * <strong>This method does not validate the credential, it simply parses it.</strong>
+     * There is no guarantee that the {@link ServiceAccountToken#getSecret() secret} is valid,
+     * or even that the {@link ServiceAccountToken#getAccountId() account} exists.
+     * </p>
+     * @param token A raw token string (if this is from an HTTP header, then the <code>"Bearer "</code> prefix must be removed before
+     *              calling this method.
+     * @return An unvalidated token object.
+     */
+    public static ServiceAccountToken tryParseToken(SecureString token) {
+        try {
+            if (token == null) {
+                return null;
+            }
+            return doParseToken(token);
+        } catch (IOException e) {
+            logger.debug("Cannot parse possible service account token", e);
+            return null;
+        }
+    }
+
+    public void authenticateWithToken(ServiceAccountToken token, ThreadContext threadContext, String nodeName,
+                                      ActionListener<Authentication> listener) {
+
+        if (ElasticServiceAccounts.NAMESPACE.equals(token.getAccountId().namespace()) == false) {
+            final ParameterizedMessage message = new ParameterizedMessage(
+                "only [{}] service accounts are supported, but received [{}]",
+                ElasticServiceAccounts.NAMESPACE, token.getAccountId().asPrincipal());
+            logger.debug(message);
+            listener.onFailure(new ElasticsearchSecurityException(message.getFormattedMessage()));
+            return;
+        }
+
+        final ServiceAccount account = ACCOUNTS.get(token.getAccountId().serviceName());
+        if (account == null) {
+            final ParameterizedMessage message = new ParameterizedMessage(
+                "the [{}] service account does not exist", token.getAccountId().asPrincipal());
+            logger.debug(message);
+            listener.onFailure(new ElasticsearchSecurityException(message.getFormattedMessage()));
+            return;
+        }
+
+        if (serviceAccountsCredentialStore.authenticate(token)) {
+            listener.onResponse(success(account, token, nodeName));
+        } else {
+            final ParameterizedMessage message = new ParameterizedMessage(
+                "failed to authenticate service account [{}] with token name [{}]",
+                token.getAccountId().asPrincipal(),
+                token.getTokenName());
+            logger.debug(message);
+            listener.onFailure(new ElasticsearchSecurityException(message.getFormattedMessage()));
+        }
+    }
+
+    public void getRoleDescriptor(Authentication authentication, ActionListener<RoleDescriptor> listener) {
+        assert isServiceAccount(authentication) : "authentication is not for service account: " + authentication;
+
+        final ServiceAccountId accountId = ServiceAccountId.fromPrincipal(authentication.getUser().principal());
+        final ServiceAccount account = ACCOUNTS.get(accountId.serviceName());
+        if (account == null) {
+            listener.onFailure(new ElasticsearchSecurityException(
+                "cannot load role for service account [" + accountId.asPrincipal() + "] - no such service account"
+            ));
+            return;
+        }
+        listener.onResponse(account.roleDescriptor());
+    }
+
+    private Authentication success(ServiceAccount account, ServiceAccountToken token, String nodeName) {
+        final User user = account.asUser();
+        final Authentication.RealmRef authenticatedBy = new Authentication.RealmRef(REALM_NAME, REALM_TYPE, nodeName);
+        return new Authentication(user, authenticatedBy, null, Version.CURRENT, Authentication.AuthenticationType.TOKEN,
+            Map.of("_token_name", token.getTokenName()));
+    }
+
+
+
+    private static ServiceAccountToken doParseToken(SecureString token) throws IOException {
+        final byte[] bytes = CharArrays.toUtf8Bytes(token.getChars());
+        logger.trace("parsing token bytes {}", MessageDigests.toHexString(bytes));
+        try (StreamInput in = new InputStreamStreamInput(Base64.getDecoder().wrap(new ByteArrayInputStream(bytes)), bytes.length)) {
+            final Version version = Version.readVersion(in);
+            in.setVersion(version);
+            if (version.before(VERSION_MINIMUM)) {
+                logger.trace("token has version {}, but we need at least {}", version, VERSION_MINIMUM);
+                return null;
+            }
+            final SecurityTokenType tokenType = SecurityTokenType.read(in);
+            if (tokenType != SecurityTokenType.SERVICE_ACCOUNT) {
+                logger.trace("token is of type {}, but we only handle {}", tokenType, SecurityTokenType.SERVICE_ACCOUNT);
+                return null;
+            }
+
+            final ServiceAccountId account = new ServiceAccountId(in);
+            final String tokenName = in.readString();
+            final SecureString secret = in.readSecureString();
+
+            return new ServiceAccountToken(account, tokenName, secret);
+        }
+    }
+
+}