elastic / elasticsearch

Free and Open, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Run as / impersonate should give better error when used in conjunction with an Active Directory realm #81137

Open philippkahr opened 2 years ago

philippkahr commented 2 years ago

Elasticsearch version (bin/elasticsearch --version): 7.15.0

Plugins installed: [none]

JVM version (java -version): bundled

OS version (uname -a if on a Unix-like system): CentOS 7

Description of the problem including expected versus actual behavior:

The error displayed (under Step 3), is not helpful. The Active Directory Realm config states that

The use of a bind user enables the run as feature to be used with the Active Directory realm and the ability to maintain a set of pooled connections to Active Directory. These pooled connection reduce the number of resources that must be created and destroyed with every user authentication.

The error message should reflect that statement.

Steps to reproduce:

  1. Configure an Active Directory Realm without a bind_dn
  2. Run the impersonate API against the _security/_authenticate API, using a curl similar to: curl -H "es-security-runas-user: active-directory-username" -u elastic .../_security/_authenticate
  3. Now you should see this error:
     "action [cluster:admin/xpack/security/user/authenticate] is unauthorized for user [elastic] run as [active-directory-username] with roles [], this action is granted by the cluster privileges [manage_security,all]"
  4. Add the bind_dn
  5. Run the same command as above
  6. Now you see the groups, roles and everything listed.
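For readers following the steps above, here is an added illustration (not from the issue author or the Elasticsearch project) of the two realm configurations the steps switch between; the realm name `my_ad`, the domain name, the URL and the bind DN are placeholders:

```yaml
# elasticsearch.yml (7.x settings layout). Placeholder values throughout.

# Step 1: realm without a bind user. Authentication of AD users still works,
# but the realm cannot look up a user that did not authenticate itself, so a
# run-as request for an AD user ends up with roles [] and the unhelpful
# "unauthorized ... run as" error described above.
xpack.security.authc.realms.active_directory.my_ad:
  order: 2
  domain_name: ad.example.invalid
  url: ldaps://ad.example.invalid:636

# Step 4: same realm with a bind user. The bind account only needs read
# access to user and group objects; its password does NOT go in this file but
# into the keystore:
#   bin/elasticsearch-keystore add \
#     xpack.security.authc.realms.active_directory.my_ad.secure_bind_password
xpack.security.authc.realms.active_directory.my_ad:
  order: 2
  domain_name: ad.example.invalid
  url: ldaps://ad.example.invalid:636
  bind_dn: "CN=es-bind,OU=Service Accounts,DC=ad,DC=example,DC=invalid"
```

Only one of the two `my_ad` blocks can be present at a time; they are shown together to make the single differing key visible.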
elasticmachine commented 2 years ago

Pinging @elastic/es-security (Team:Security)

ywangd commented 2 years ago

Thanks for reporting. Yes we need to improve error messages around failures due to run-as. This issue #72904 is along the same line that error message of run-as failure does not tell you the actual problem.

tvernum commented 2 years ago

What I suspect we ought to do is add a "failed with error message" to realm lookup like we have with realm authentication.
Realms that cannot support lookup (particularly if that is due to specific config) can then add a message of "realm [x] cannot perform lookup of users because ..."
Then, when the AuthcService fails to lookup a user it can print out the set of messages (just like when authc fails).