Add the capability for the LDAP and AD realms to bind using Kerberos credentials

[bizybot]

This commit adds support for LDAP bind using SASL-GSSAPI as an
alternative to simple bind.

• new configuration setting bind_mode with value sasl_gssapi will
  enable LDAP bind using GSSAPI. Defaults to simple bind.
• GSSAPI bind can use either a keytab or a password.
• Actual authentication to LDAP realm would not use GSSAPI.

Testing is done by enabling SASL on OpenLDAP and mapping a user
from Kerberos(mapped to bind DN) in a dockerized environment.
Verified the GSSAPI bind happens either using keytab or credentials.

Closes #39878

[bizybot]

@elasticmachine run elasticsearch-ci/1

[elasticmachine]

Pinging @elastic/es-security

[bizybot]

@elasticmachine run elasticsearch-ci/packaging-sample

[bizybot]

unrelated failure
@elasticmachine run elasticsearch-ci/1

[albertzaharovits]

This looks solid in the test department! Nice job 👍
I have left a few comments around simplifying realm configuration, that will have repercussions on BindRequestBuilder as well.
I still have to grok the tests, but I will do that in a follow-up.

[albertzaharovits]

I like the switch validation !
But, can't we infer the mode from if SASL_GSSAPI_PRINCIPAL is present. SASL_GSSAPI_PRINCIPAL cannot be null in the way we use the library, right? Also, using SASL_GSSAPI_PRINCIPAL together with a BIND_DN should trigger a settings validation error.

[bizybot]

Right now other than simple and sasl_gssapi we do not wish to support other bind types but there are other bind types via SASL that the LDAP has support for. So relying on the presence of SASL_GSSAPI_PRINCIPAL or SASL_GSSAPI_KEYTAB_PATH is something I would like to avoid.

Right now it gets ignored but I agree to throw settings validation error in presence of both BIND_DN and SASL_GSSAPI_PRINCIPAL settings. I will make these changes. Thank you.

[albertzaharovits]

Wouldn't other bind methods not also have their setting keys namespaced similarly to sasl_gssapi ? So there would be no ambiguity? To me this is a case of namespaced settings versus conditional settings, as in #30241 . The conditional setting is harder to validate in the code, compared to the namespaced ones, because the validation of the namespaced ones is just to get the whole namespace and validate them as a group. It's also simpler from a user perspective, because he has fewer settings to worry about.

[albertzaharovits]

This is just an opinion, do as you think, or ask for other's opinions.

[albertzaharovits]

can't these be moved to x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy ?

[bizybot]

No, as unboundid dependencies are in the core we need to have these here. Thank you.

[albertzaharovits]

I think these are a lot of obscure permissions we're granting for any plugin (that inherits x-pack-plugin-core). I worry especially about the maintainability. In this case I think we should move the unboundid dependency over to the security plugin. I think it should not have been a dependecy in plugin-core in the first place. The only imported class from that dependecy in plugin-core is an enum, LdapSearchScope, which I think we should emulate our own and use that in plugin-core and adapt the APIs.

What do you think?

[bizybot]

++ on moving the dependencies and getting the permissions in one place, though I see a TODO which I think is a non-trivial change and would require considerable thought as I am not much aware of what needs to be done here.
https://github.com/elastic/elasticsearch/blob/73bfdc4066be080dc4cad1f0521bf6ea14cded93/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java#L95..L124

I think I will pick this up later as a cleanup task. Thank you.

[albertzaharovits]

I believe enhancements shouldn't go in patch releases.

[albertzaharovits]

And another suggestion: I would change the PR title.
The PR adds the capability for the LDAP and AD realms to bind using Kerberos credentials.
IMO, SASL and his friend GSSAPI are too low level details for the title.

[albertzaharovits]

Call me hypercritical, but this is woefully complex. And it all stems from that conditional setting I'm gripping about...

What I don't lilke:
This class can deduce the SASL principal, if it needs to, but it cannot deduce the bind DN. So, in case it needs the bind DN, it will use the provided function for that. But the caller needs to know when the bind DN is required, so that it can pass the function. This requires for the caller to know of the internals of the BindRequestBuilder which is a violation of the abstraction.

[albertzaharovits]

I suggest we create a separate BindRequestBuilder for the SASL case only, and have the caller (or another wrapper) handle the decision of which BindRequest type to build, given the realm settings.

[albertzaharovits]

I had another pass and I'll admit I am opinionated on the setting topic and I would like to have someone else opinion on it. Besides that, I would also like to move the JVM permissions (and unboundid dependency) inside the security plugin and away from the plugin-core.

[albertzaharovits]

Thank you for the iterations Yogesh!

[bizybot]

@elasticmachine run elasticsearch-ci/1

[tvernum]

This PR is stale and we are not planning to proceed with it at this time.