elastic / elasticsearch

Free and Open, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Deprecate empty `any` and `all` rules for API-based role mappings #110573

Open albertzaharovits opened 2 months ago

albertzaharovits commented 2 months ago

Empty `any` and `all` rules for API-based role mappings are trappy and should not be allowed (but they've always been). We should start by deprecating them, and eventually remove them. Deprecation entails emitting response warning headers when such role mappings are created or changed, as well as when such role mappings are actually used to assign roles to authn users.
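An audit sketch for the condition described above, added here as an example and not taken from the issue or the Elasticsearch code base: it walks the role mapping rule DSL (`any`, `all`, `except`, `field`) and reports every empty `any` or `all`, including nested ones. The sample mappings, laid out in the shape returned by `GET /_security/role_mapping`, and the function names `empty_rules` and `audit` are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by GET /_security/role_mapping.
SAMPLE = json.loads("""
{
  "admins": {"enabled": true, "roles": ["superuser"],
             "rules": {"all": []}},
  "ops": {"enabled": true, "roles": ["monitoring"],
          "rules": {"all": [
              {"field": {"realm.name": "ldap1"}},
              {"except": {"any": []}}
          ]}},
  "devs": {"enabled": true, "roles": ["dev"],
           "rules": {"any": [
               {"field": {"groups": "cn=dev,dc=example,dc=com"}},
               {"field": {"username": "dev-*"}}
           ]}}
}
""")

def empty_rules(rule, path="rules"):
    """Yield the path of every empty `any`/`all` list in a rule expression."""
    if not isinstance(rule, dict):
        return
    for key, value in rule.items():
        here = f"{path}.{key}"
        if key in ("any", "all"):
            if not value:
                yield here
            for i, child in enumerate(value or []):
                yield from empty_rules(child, f"{here}[{i}]")
        elif key == "except":
            yield from empty_rules(value, here)
        # "field" is a leaf: nothing to descend into

def audit(mappings):
    """Map each role mapping name to the paths of its empty any/all rules."""
    findings = {}
    for name, mapping in mappings.items():
        paths = list(empty_rules(mapping.get("rules", {})))
        if paths:
            findings[name] = paths
    return findings

if __name__ == "__main__":
    for name, paths in audit(SAMPLE).items():
        print(f"{name}: roles={SAMPLE[name]['roles']} empty at {', '.join(paths)}")
```

Feeding it the saved JSON output of the role mapping API lists the mappings that would need to be rewritten before empty rules are removed.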

elasticsearchmachine commented 2 months ago

Pinging @elastic/es-security (Team:Security)