Revisit and rationalise the Authentication class

[ywangd]

We would like to revisit the Authentication class to make it provide better and easier to use interface to the consumers.

#79809 enables run-as for all authentication schemes in addition to realm which is already supported. This adds more complexity to an Authentication object and how it should be used. For an example, building the role associated to an user now has to consider whether the user is the authenticated user or run-as user and the authentication scheme of the authenticated user. The existing Authentication class can answer all these question today. But its interface and internals are not aligned for these questions and the usage is error prone. For example, the Authentication object itself does not know whether the user has run-as. This information is kept by the User object. If the User object has an authenticatedUser, it's the run-as user. Otherwise it is not. But the information about realms for each User is directly kept in Authentication. Therefore, for full picture, the caller must check both User and Authentication realms and understands the nuance of their differenent combinations.

• Refactor CompositeRolesStore to separate roleDescriptors resolving (Refactor CompositeRolesStore for separation of concerns #80926)
• Move effective role descriptor checking from Resolver to CompositeRolesStore
• Rework Role and LimitedRole to support more general limiting #81192
• Replace Authentication with AuthenticationContext in places other than CompositeRolesStore

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[tvernum]

My first draft of a suggested model is something more like this:

class AuthenticationContext {

    private Version version;

    private ResolvedUser effectiveUser;
    private ResolvedUser authenticatedUser;

    private AuthenticationInfo authInfo;

    boolean hasLookupUser() {
        return effectiveUser != authenticatedUser;
    }

}

class ResolvedUser {
    User user;
    RealmRef realm;

    boolean isServiceAccount() { .. }
    boolean isApiKey() { .. }

    boolean hasNamedRoles() { return isServiceAccount() == false && isApiKey() == false; }

    // Not sure if this is really needed / useful
    RoleReference roles() {
        if(hasNamedRoles()) {
            return NamedRoles(user.roles());
        } else {
            // ...
        }
    }

}
    
class AuthenticationInfo {
    AuthenticationType type;
    Map<String,Object> metadata;
}

I haven't put a lot of thought into the class names, but I think the overall structure would probably work.

The only question is whether to also use this as an opportunity to do something with authorization_realms and represent them in the model as well (I haven't done that here, but I would like to).

[ywangd]

The only question is whether to also use this as an opportunity to do something with authorization_realms and represent them in the model as well (I haven't done that here, but I would like to).

This is a good point. I also would like to. The challenge is that this function is currently managed internally by the supporting realms and buried under the common Realm#authenticate interface which only cares about the User and not realms. IIUC, this is by design because we don't want the realm to tell us directly about its realm information which is managed externally (previously by AuthenticationService and now AuthenticationChain).

Assuming this is still the principal, it's likely that we need to formalise the interface for delegated authorization and externalise the delegation process similar to "run-as" lookup, maybe something like:

realm.authenticate(token, ActionListener.wrap( user -> {
  maybeDelegateAuthorization(user, realm.getDelegatedRealms());
}));

It could also be an opportunity to support "authorization delegation" for native realms (we have an ER for it).

[ywangd]

@tvernum and I discussed in a separate channel and we settled down on the following design (it can still be tweaked during the implementation phase)

UPDATED: 2021-11-24

public static class Subject {

    public enum Type {
        USER,
        API_KEY,
        SERVICE_ACCOUNT,
    }

    private final User user;
    private final Authentication.RealmRef realm;
    private final Type type;
    private final Map<String, Object> metadata;

    public List<RoleReference> getRoleReferences(AnonymousUser anonymousUser) { }
}

public class AuthenticationContext {

    private final Version version;
    private final Subject effectiveSubject;
    private final Subject authenticatingSubject;
    private final Authentication.AuthenticationType type;

    public boolean isRunAs() { }

    public Authentication toAuthentication() { }

    public static AuthenticationContext fromAuthentication(Authentication authentication) { }
}

public interface RoleReference {

    RoleKey cacheKey();
    void resolve(RoleReferenceResolver resolver, ActionListener<RolesRetrievalResult> listener);

    final class NamedRoleReference implements RoleReference {
        public final String[] roleNames;
    }

    final class ApiKeyRoleReference implements RoleReference {
        private final String apiKeyId;
        private final BytesReference roleDescriptorsBytes;
    }

    final class BwcApiKeyRoleReference implements RoleReference {
        private final String apiKeyId;
        private final Map<String, Object> roleDescriptorsMap;
    }

    final class ServiceAccountRoleReference implements RoleReference {
        private final String principal;
    }
}

public interface RoleReferenceResolver {

    void resolveNamedRoleReference(RoleReference.NamedRoleReference namedRoleReference, ActionListener<RolesRetrievalResult> listener);

    void resolveApiKeyRoleReference(RoleReference.ApiKeyRoleReference apiKeyRoleReference, ActionListener<RolesRetrievalResult> listener);

    void resolveBwcApiKeyRoleReference( RoleReference.BwcApiKeyRoleReference bwcApiKeyRoleReference, ActionListener<RolesRetrievalResult> listener);

    void resolveServiceAccountRoleReference(ServiceAccountRoleReference roleReference, ActionListener<RolesRetrievalResult> listener);
}

[ywangd]

Updated the class design based on the latest development.