Allow an AuthenticationResult to return metadata #34382
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PR elastic#34290 made it impossible to use thread-context values to pass authentication metadata out of a realm. The SAML realm used this technique to allow the SamlAuthenticateAction to process the parsed SAML token, and apply them to the access token that was generated. This new method adds metadata to the AuthenticationResult itself, and then the authentication service makes this result available on the thread context. Closes: elastic#34332
tvernum
added
>bug
review
v7.0.0
:Security/Authentication
Collaborator
|
Pinging @elastic/es-security |
jaymode
approved these changes
Oct 10, 2018
| try (ThreadContext.StoredContext ignore = threadContext.stashContext()) { | ||
| authenticationService.authenticate(SamlAuthenticateAction.NAME, request, saml, ActionListener.wrap(authentication -> { | ||
| final Map<String, Object> tokenMeta = threadContext.getTransient(SamlRealm.CONTEXT_TOKEN_DATA); | ||
| AuthenticationResult result = threadContext.getTransient(AuthenticationResult.THREAD_CONTEXT_KEY); |
Member
There was a problem hiding this comment.
I wonder if we should consider putting the metadata object on the authentication object? It might be extra overhead that we don't need so I am not asking for it to be done here.
This comment has been minimized.
This comment has been minimized.
1 similar comment
Contributor
Author
|
run gradle build tests |
tvernum
added a commit
that referenced
this pull request
Oct 12, 2018
PR #34290 made it impossible to use thread-context values to pass authentication metadata out of a realm. The SAML realm used this technique to allow the SamlAuthenticateAction to process the parsed SAML token, and apply them to the access token that was generated. This new method adds metadata to the AuthenticationResult itself, and then the authentication service makes this result available on the thread context. Closes: #34332
tvernum
added a commit
that referenced
this pull request
Oct 12, 2018
PR #34290 made it impossible to use thread-context values to pass authentication metadata out of a realm. The SAML realm used this technique to allow the SamlAuthenticateAction to process the parsed SAML token, and apply them to the access token that was generated. This new method adds metadata to the AuthenticationResult itself, and then the authentication service makes this result available on the thread context. Closes: #34332
jasontedor
added a commit
to jasontedor/elasticsearch
that referenced
this pull request
Oct 15, 2018
* elastic/master: Mute PartitionedRoutingIT#testShrinking on Windows Mute testToQuery test [TEST] Make sure there are shards started so that `ESIntegTestCase#assertSameDocIdsOnShards()` does not fail with shard not found. Change shard changes api's threadpool from get to search (elastic#34421) Update TESTING.asciidoc title (elastic#34401) Tests: Fix DateFormatter equals tests with locale (elastic#34435) Docs: Remove unnecessary qualifier from wildcard import note (elastic#34419) CCR/TEST: AwaitsFix testFailOverOnFollower [Painless] Add a Map for java names to classes for use in the custom classloader (elastic#34424) TEST: Fix indentation in FullClusterRestartIT (elastic#34420) [WIP] Ingest Attachement: Upgrade tika to v1.19.1 (elastic#33896) NETWORKING: Upgrade Netty to 4.1.30 (elastic#34417) Allow an AuthenticationResult to return metadata (elastic#34382) [ML] Add an ingest pipeline definition to structure finder (elastic#34350) Handle pre-6.x time fields (elastic#34373) ListenableFuture should preserve ThreadContext (elastic#34394)
kcm
pushed a commit
that referenced
this pull request
Oct 30, 2018
PR #34290 made it impossible to use thread-context values to pass authentication metadata out of a realm. The SAML realm used this technique to allow the SamlAuthenticateAction to process the parsed SAML token, and apply them to the access token that was generated. This new method adds metadata to the AuthenticationResult itself, and then the authentication service makes this result available on the thread context. Closes: #34332
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR #34290 made it impossible to use thread-context values to pass
authentication metadata out of a realm. The SAML realm used this
technique to allow the SamlAuthenticateAction to process the parsed
SAML token, and apply them to the access token that was generated.
This new method adds metadata to the AuthenticationResult itself, and
then the authentication service makes this result available on the
thread context.
Closes: #34332