[Kerberos] Remove realm from principal name (#31928)

This commit adds support for removing realm name
from the Kerberos principal name. The principal names in
Kerberos are in the form primary/instance@realm.
Since we will be supporting user lookups and depending on the
scenario we may want to remove the REALM part and use the username
for lookup or role mapping.
This change adds a new setting with the default value false to
control removing of realm name.
Modified tests to randomly use this setting during testing.

Author: bizybot

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/kerberos/KerberosRealmSettings.java

@@ -27,6 +27,8 @@ public final class KerberosRealmSettings {
             Setting.simpleString("keytab.path", Property.NodeScope);
     public static final Setting<Boolean> SETTING_KRB_DEBUG_ENABLE =
             Setting.boolSetting("krb.debug", Boolean.FALSE, Property.NodeScope);
+    public static final Setting<Boolean> SETTING_REMOVE_REALM_NAME =
+            Setting.boolSetting("remove_realm_name", Boolean.FALSE, Property.NodeScope);
 
     // Cache
     private static final TimeValue DEFAULT_TTL = TimeValue.timeValueMinutes(20);
@@ -42,6 +44,7 @@ private KerberosRealmSettings() {
      * @return the valid set of {@link Setting}s for a {@value #TYPE} realm
      */
     public static Set<Setting<?>> getSettings() {
-        return Sets.newHashSet(HTTP_SERVICE_KEYTAB_PATH, CACHE_TTL_SETTING, CACHE_MAX_USERS_SETTING, SETTING_KRB_DEBUG_ENABLE);
+        return Sets.newHashSet(HTTP_SERVICE_KEYTAB_PATH, CACHE_TTL_SETTING, CACHE_MAX_USERS_SETTING, SETTING_KRB_DEBUG_ENABLE,
+                SETTING_REMOVE_REALM_NAME);
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java

@@ -62,6 +62,7 @@ public final class KerberosRealm extends Realm implements CachingRealm {
     private final ThreadPool threadPool;
     private final Path keytabPath;
     private final boolean enableKerberosDebug;
+    private final boolean removeRealmName;
 
     public KerberosRealm(final RealmConfig config, final NativeRoleMappingStore nativeRoleMappingStore, final ThreadPool threadPool) {
         this(config, nativeRoleMappingStore, new KerberosTicketValidator(), threadPool, null);
@@ -88,6 +89,7 @@ public KerberosRealm(final RealmConfig config, final NativeRoleMappingStore nati
         this.threadPool = threadPool;
         this.keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings()));
         this.enableKerberosDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings());
+        this.removeRealmName = KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.get(config.settings());
     }
 
     @Override
@@ -126,7 +128,8 @@ public void authenticate(final AuthenticationToken token, final ActionListener<A
         kerberosTicketValidator.validateTicket((byte[]) kerbAuthnToken.credentials(), keytabPath, enableKerberosDebug,
                 ActionListener.wrap(userPrincipalNameOutToken -> {
                     if (userPrincipalNameOutToken.v1() != null) {
-                        buildUser(userPrincipalNameOutToken.v1(), userPrincipalNameOutToken.v2(), listener);
+                        final String username = maybeRemoveRealmName(userPrincipalNameOutToken.v1());
+                        buildUser(username, userPrincipalNameOutToken.v2(), listener);
                     } else {
                         /**
                          * This is when security context could not be established may be due to ongoing
@@ -145,6 +148,25 @@ public void authenticate(final AuthenticationToken token, final ActionListener<A
                 }, e -> handleException(e, listener)));
     }
 
+    /**
+     * Usually principal names are in the form 'user/instance@REALM'. This method
+     * removes '@REALM' part from the principal name if
+     * {@link KerberosRealmSettings#SETTING_REMOVE_REALM_NAME} is {@code true} else
+     * will return the input string.
+     *
+     * @param principalName user principal name
+     * @return username after removal of realm
+     */
+    protected String maybeRemoveRealmName(final String principalName) {
+        if (this.removeRealmName) {
+            int foundAtIndex = principalName.indexOf('@');
+            if (foundAtIndex > 0) {
+                return principalName.substring(0, foundAtIndex);
+            }
+        }
+        return principalName;
+    }
+
     private void handleException(Exception e, final ActionListener<AuthenticationResult> listener) {
         if (e instanceof LoginException) {
             listener.onResponse(AuthenticationResult.terminate("failed to authenticate user, service login failure",

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java

@@ -42,7 +42,7 @@ public void testAuthenticateWithNonKerberosAuthenticationToken() {
     }
 
     public void testAuthenticateDifferentFailureScenarios() throws LoginException, GSSException {
-        final String username = randomAlphaOfLength(5);
+        final String username = randomPrincipalName();
         final String outToken = randomAlphaOfLength(10);
         final KerberosRealm kerberosRealm = createKerberosRealm(username);
         final boolean validTicket = rarely();
@@ -76,7 +76,9 @@ public void testAuthenticateDifferentFailureScenarios() throws LoginException, G
             assertThat(result.getStatus(), is(equalTo(AuthenticationResult.Status.CONTINUE)));
         } else {
             if (validTicket) {
-                final User expectedUser = new User(username, roles.toArray(new String[roles.size()]), null, null, null, true);
+                final String expectedUsername = maybeRemoveRealmName(username);
+                final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null,
+                        true);
                 assertSuccessAuthenticationResult(expectedUser, outToken, result);
             } else {
                 assertThat(result.getStatus(), is(equalTo(AuthenticationResult.Status.TERMINATE)));

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java

@@ -36,11 +36,12 @@
 public class KerberosRealmCacheTests extends KerberosRealmTestCase {
 
     public void testAuthenticateWithCache() throws LoginException, GSSException {
-        final String username = randomAlphaOfLength(5);
+        final String username = randomPrincipalName();
         final String outToken = randomAlphaOfLength(10);
         final KerberosRealm kerberosRealm = createKerberosRealm(username);
 
-        final User expectedUser = new User(username, roles.toArray(new String[roles.size()]), null, null, null, true);
+        final String expectedUsername = maybeRemoveRealmName(username);
+        final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true);
         final byte[] decodedTicket = randomByteArrayOfLength(10);
         final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings()));
         final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings());
@@ -62,7 +63,7 @@ public void testAuthenticateWithCache() throws LoginException, GSSException {
 
     public void testCacheInvalidationScenarios() throws LoginException, GSSException {
         final String outToken = randomAlphaOfLength(10);
-        final List<String> userNames = Arrays.asList(randomAlphaOfLength(5) + "@REALM", randomAlphaOfLength(5) + "@REALM");
+        final List<String> userNames = Arrays.asList(randomPrincipalName(), randomPrincipalName());
         final KerberosRealm kerberosRealm = createKerberosRealm(userNames.toArray(new String[0]));
         verify(mockNativeRoleMappingStore).refreshRealmOnChange(kerberosRealm);
 
@@ -71,7 +72,8 @@ public void testCacheInvalidationScenarios() throws LoginException, GSSException
         final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings()));
         final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings());
         mockKerberosTicketValidator(decodedTicket, keytabPath, krbDebug, new Tuple<>(authNUsername, outToken), null);
-        final User expectedUser = new User(authNUsername, roles.toArray(new String[roles.size()]), null, null, null, true);
+        final String expectedUsername = maybeRemoveRealmName(authNUsername);
+        final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true);
 
         final KerberosAuthenticationToken kerberosAuthenticationToken = new KerberosAuthenticationToken(decodedTicket);
         final User user1 = authenticateAndAssertResult(kerberosRealm, expectedUser, kerberosAuthenticationToken, outToken);
@@ -81,7 +83,7 @@ public void testCacheInvalidationScenarios() throws LoginException, GSSException
         if (expireAll) {
             kerberosRealm.expireAll();
         } else {
-            kerberosRealm.expire(expireThisUser);
+            kerberosRealm.expire(maybeRemoveRealmName(expireThisUser));
         }
 
         final User user2 = authenticateAndAssertResult(kerberosRealm, expectedUser, kerberosAuthenticationToken, outToken);
@@ -100,14 +102,16 @@ public void testCacheInvalidationScenarios() throws LoginException, GSSException
 
     public void testAuthenticateWithValidTicketSucessAuthnWithUserDetailsWhenCacheDisabled()
             throws LoginException, GSSException, IOException {
-        final String username = randomAlphaOfLength(5);
-        final String outToken = randomAlphaOfLength(10);
         // if cache.ttl <= 0 then the cache is disabled
         settings = KerberosTestCase.buildKerberosRealmSettings(
-                KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), randomAlphaOfLength(4)).toString(), 100, "0m", true);
+                KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), randomAlphaOfLength(4)).toString(), 100, "0m", true,
+                randomBoolean());
+        final String username = randomPrincipalName();
+        final String outToken = randomAlphaOfLength(10);
         final KerberosRealm kerberosRealm = createKerberosRealm(username);
 
-        final User expectedUser = new User(username, roles.toArray(new String[roles.size()]), null, null, null, true);
+        final String expectedUsername = maybeRemoveRealmName(username);
+        final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true);
         final byte[] decodedTicket = randomByteArrayOfLength(10);
         final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings()));
         final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings());

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java

@@ -31,13 +31,17 @@ public void testKerberosRealmSettings() throws IOException {
         KerberosTestCase.writeKeyTab(dir.resolve(keytabPathConfig), null);
         final Integer maxUsers = randomInt();
         final String cacheTTL = randomLongBetween(10L, 100L) + "m";
-        final Settings settings = KerberosTestCase.buildKerberosRealmSettings(keytabPathConfig, maxUsers, cacheTTL, true);
+        final boolean enableDebugLogs = randomBoolean();
+        final boolean removeRealmName = randomBoolean();
+        final Settings settings = KerberosTestCase.buildKerberosRealmSettings(keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs,
+                removeRealmName);
 
         assertThat(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings), equalTo(keytabPathConfig));
         assertThat(KerberosRealmSettings.CACHE_TTL_SETTING.get(settings),
                 equalTo(TimeValue.parseTimeValue(cacheTTL, KerberosRealmSettings.CACHE_TTL_SETTING.getKey())));
         assertThat(KerberosRealmSettings.CACHE_MAX_USERS_SETTING.get(settings), equalTo(maxUsers));
-        assertThat(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(settings), is(true));
+        assertThat(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(settings), is(enableDebugLogs));
+        assertThat(KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.get(settings), is(removeRealmName));
     }
 
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java

@@ -20,6 +20,7 @@
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
+import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
 import org.elasticsearch.xpack.core.security.support.Exceptions;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.authc.kerberos.support.KerberosTestCase;
@@ -33,8 +34,10 @@
 import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
@@ -67,7 +70,8 @@ public void setup() throws Exception {
         resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
         dir = createTempDir();
         globalSettings = Settings.builder().put("path.home", dir).build();
-        settings = KerberosTestCase.buildKerberosRealmSettings(KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), "asa").toString());
+        settings = KerberosTestCase.buildKerberosRealmSettings(KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), "asa").toString(),
+                100, "10m", true, randomBoolean());
     }
 
     @After
@@ -111,7 +115,8 @@ protected KerberosRealm createKerberosRealm(final String... userForRoleMapping)
     }
 
     @SuppressWarnings("unchecked")
-    protected NativeRoleMappingStore roleMappingStore(final List<String> expectedUserNames) {
+    protected NativeRoleMappingStore roleMappingStore(final List<String> userNames) {
+        final List<String> expectedUserNames = userNames.stream().map(this::maybeRemoveRealmName).collect(Collectors.toList());
         final Client mockClient = mock(Client.class);
         when(mockClient.threadPool()).thenReturn(threadPool);
         when(mockClient.settings()).thenReturn(settings);
@@ -133,4 +138,34 @@ protected NativeRoleMappingStore roleMappingStore(final List<String> expectedUse
 
         return roleMapper;
     }
+
+    protected String randomPrincipalName() {
+        final StringBuilder principalName = new StringBuilder();
+        principalName.append(randomAlphaOfLength(5));
+        final boolean withInstance = randomBoolean();
+        if (withInstance) {
+            principalName.append("/").append(randomAlphaOfLength(5));
+        }
+        principalName.append(randomAlphaOfLength(5).toUpperCase(Locale.ROOT));
+        return principalName.toString();
+    }
+
+    /**
+     * Usually principal names are in the form 'user/instance@REALM'. This method
+     * removes '@REALM' part from the principal name if
+     * {@link KerberosRealmSettings#SETTING_REMOVE_REALM_NAME} is {@code true} else
+     * will return the input string.
+     *
+     * @param principalName user principal name
+     * @return username after removal of realm
+     */
+    protected String maybeRemoveRealmName(final String principalName) {
+        if (KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.get(settings)) {
+            int foundAtIndex = principalName.indexOf('@');
+            if (foundAtIndex > 0) {
+                return principalName.substring(0, foundAtIndex);
+            }
+        }
+        return principalName;
+    }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java

@@ -48,13 +48,14 @@ public void testSupports() {
     }
 
     public void testAuthenticateWithValidTicketSucessAuthnWithUserDetails() throws LoginException, GSSException {
-        final KerberosRealm kerberosRealm = createKerberosRealm("test@REALM");
-
-        final User expectedUser = new User("test@REALM", roles.toArray(new String[roles.size()]), null, null, null, true);
+        final String username = randomPrincipalName();
+        final KerberosRealm kerberosRealm = createKerberosRealm(username);
+        final String expectedUsername = maybeRemoveRealmName(username);
+        final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true);
         final byte[] decodedTicket = "base64encodedticket".getBytes(StandardCharsets.UTF_8);
         final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings()));
         final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings());
-        mockKerberosTicketValidator(decodedTicket, keytabPath, krbDebug, new Tuple<>("test@REALM", "out-token"), null);
+        mockKerberosTicketValidator(decodedTicket, keytabPath, krbDebug, new Tuple<>(username, "out-token"), null);
         final KerberosAuthenticationToken kerberosAuthenticationToken = new KerberosAuthenticationToken(decodedTicket);
 
         final PlainActionFuture<AuthenticationResult> future = new PlainActionFuture<>();
@@ -69,7 +70,8 @@ public void testAuthenticateWithValidTicketSucessAuthnWithUserDetails() throws L
     }
 
     public void testFailedAuthorization() throws LoginException, GSSException {
-        final KerberosRealm kerberosRealm = createKerberosRealm("test@REALM");
+        final String username = randomPrincipalName();
+        final KerberosRealm kerberosRealm = createKerberosRealm(username);
         final byte[] decodedTicket = "base64encodedticket".getBytes(StandardCharsets.UTF_8);
         final Path keytabPath = config.env().configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(config.settings()));
         final boolean krbDebug = KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(config.settings());
@@ -80,13 +82,15 @@ public void testFailedAuthorization() throws LoginException, GSSException {
 
         ElasticsearchSecurityException e = expectThrows(ElasticsearchSecurityException.class, future::actionGet);
         assertThat(e.status(), is(RestStatus.FORBIDDEN));
-        assertThat(e.getMessage(), equalTo("Expected UPN '" + Arrays.asList("test@REALM") + "' but was 'does-not-exist@REALM'"));
+        assertThat(e.getMessage(), equalTo("Expected UPN '" + Arrays.asList(maybeRemoveRealmName(username)) + "' but was '"
+                + maybeRemoveRealmName("does-not-exist@REALM") + "'"));
     }
 
     public void testLookupUser() {
-        final KerberosRealm kerberosRealm = createKerberosRealm("test@REALM");
+        final String username = randomPrincipalName();
+        final KerberosRealm kerberosRealm = createKerberosRealm(username);
         final PlainActionFuture<User> future = new PlainActionFuture<>();
-        kerberosRealm.lookupUser("test@REALM", future);
+        kerberosRealm.lookupUser(username, future);
         assertThat(future.actionGet(), is(nullValue()));
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/support/KerberosTestCase.java

@@ -196,7 +196,7 @@ public static Path writeKeyTab(final Path keytabPath, final String content) thro
      * @return {@link Settings} for kerberos realm
      */
     public static Settings buildKerberosRealmSettings(final String keytabPath) {
-        return buildKerberosRealmSettings(keytabPath, 100, "10m", true);
+        return buildKerberosRealmSettings(keytabPath, 100, "10m", true, false);
     }
 
     /**
@@ -206,14 +206,16 @@ public static Settings buildKerberosRealmSettings(final String keytabPath) {
      * @param maxUsersInCache max users to be maintained in cache
      * @param cacheTTL time to live for cached entries
      * @param enableDebugging for krb5 logs
+     * @param removeRealmName {@code true} if we want to remove realm name from the username of form 'user@REALM'
      * @return {@link Settings} for kerberos realm
      */
     public static Settings buildKerberosRealmSettings(final String keytabPath, final int maxUsersInCache, final String cacheTTL,
-            final boolean enableDebugging) {
+            final boolean enableDebugging, final boolean removeRealmName) {
         final Settings.Builder builder = Settings.builder().put(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.getKey(), keytabPath)
                 .put(KerberosRealmSettings.CACHE_MAX_USERS_SETTING.getKey(), maxUsersInCache)
                 .put(KerberosRealmSettings.CACHE_TTL_SETTING.getKey(), cacheTTL)
-                .put(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.getKey(), enableDebugging);
+                .put(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.getKey(), enableDebugging)
+                .put(KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.getKey(), removeRealmName);
         return builder.build();
     }