From 89312b83caaa2a6d558778cd7660305aa83d154a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Tue, 21 Feb 2023 18:23:59 +0100 Subject: [PATCH 1/9] explain local_users --- seacatauth/batman/elk.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/seacatauth/batman/elk.py b/seacatauth/batman/elk.py index ec5b606c..0ddfd1bc 100644 --- a/seacatauth/batman/elk.py +++ b/seacatauth/batman/elk.py @@ -29,6 +29,9 @@ class ELKIntegration(asab.config.Configurable): 'username': 'elastic', 'password': 'elastic', + # List of elasticsearch system users + # If Seacat Auth has users with one of these usernames, it will not sync them + # to avoid interfering with kibana system users 'local_users': 'elastic kibana logstash_system beats_system remote_monitoring_user', 'mapped_roles_prefixes': '*/elk:', # Prefix of roles that will be transfered to Kibana From 9141ebe4223f8d63938ed15007b17e07fb39acc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Tue, 21 Feb 2023 18:24:41 +0100 Subject: [PATCH 2/9] remove obsolete role prefix feature --- seacatauth/batman/elk.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/seacatauth/batman/elk.py b/seacatauth/batman/elk.py index 0ddfd1bc..6e1582b3 100644 --- a/seacatauth/batman/elk.py +++ b/seacatauth/batman/elk.py @@ -34,8 +34,6 @@ class ELKIntegration(asab.config.Configurable): # to avoid interfering with kibana system users 'local_users': 'elastic kibana logstash_system beats_system remote_monitoring_user', - 'mapped_roles_prefixes': '*/elk:', # Prefix of roles that will be transfered to Kibana - # Resources with this prefix will be mapped to Kibana users as roles # E.g.: Resource "elk:kibana-analyst" will be mapped to role "kibana-analyst" "resource_prefix": "elk:", 
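Review bot: The new comment on `local_users` understates what the list protects: `sync` (later in this series) POSTs a generated password to `/_xpack/security/user/<username>` for every non-local credential, so a Seacat Auth account named `elastic` would otherwise have the Elasticsearch superuser's password overwritten. I would say that in the comment, e.g. `# Security boundary: credentials with one of these usernames are never synced, otherwise their generated password would be pushed over the built-in account's`. It is also worth noting that the match is exact set membership (`self.LocalUsers = frozenset(lu)`), that the configured `username` is appended automatically, and that the default list may not cover every built-in account of newer Elasticsearch releases, which operators should confirm against their version. The `ConfigDefaults` dict continues outside the hunk.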
@@ -64,10 +62,6 @@ def __init__(self, batman_svc, config_section_name="batman:elk", config=None): )) self.ELKSeacatFlagRole = self.Config.get("managed_role") - # TODO: Obsolete, back compat only. Use resources instead of roles. - # - self.RolePrefixes = re.split(r"\s+", self.Config.get("mapped_roles_prefixes")) - lu = re.split(r'\s+', self.Config.get('local_users'), flags=re.MULTILINE) lu.append(username) From ee9875c1cfdff3480c37ffcbb690a748cd75b974 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Tue, 21 Feb 2023 18:25:31 +0100 Subject: [PATCH 3/9] do not create kibana roles based on seacat tenants --- seacatauth/batman/elk.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/seacatauth/batman/elk.py b/seacatauth/batman/elk.py index 6e1582b3..d6b31274 100644 --- a/seacatauth/batman/elk.py +++ b/seacatauth/batman/elk.py @@ -173,12 +173,6 @@ async def sync(self, cred: dict, elk_resources: typing.Iterable): for resource in user_resources.intersection(elk_resources) ) - # ELK roles from tenants - for tenant in authz: - if tenant == "*": - continue - elk_roles.add("tenant_{}".format(tenant)) - json["roles"] = list(elk_roles) try: From 34020f12e2170a8ad3bff3f2715b99137ff9c7f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Tue, 21 Feb 2023 18:26:42 +0100 Subject: [PATCH 4/9] fix: apply the seacat_managed flag properly --- seacatauth/batman/elk.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/seacatauth/batman/elk.py b/seacatauth/batman/elk.py index d6b31274..fd50b505 100644 --- a/seacatauth/batman/elk.py +++ b/seacatauth/batman/elk.py 
@@ -152,9 +152,7 @@ async def sync(self, cred: dict, elk_resources: typing.Iterable): if v is not None: json['full_name'] = v - elk_roles = set( - self.ELKSeacatFlagRole, # Add a role that marks users managed by Seacat Auth - ) + elk_roles = {self.ELKSeacatFlagRole} # Add a role that marks users managed by Seacat Auth # Get authz dict authz = await build_credentials_authz(self.TenantService, self.RoleService, cred["_id"]) From 13e315248bb0589fb3a6e298fff3db2953ec1a71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Wed, 22 Feb 2023 09:05:22 +0100 Subject: [PATCH 5/9] rename the seacat user flag for better comprehension --- seacatauth/batman/elk.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/seacatauth/batman/elk.py b/seacatauth/batman/elk.py index fd50b505..4033ca87 100644 --- a/seacatauth/batman/elk.py +++ b/seacatauth/batman/elk.py @@ -38,8 +38,9 @@ class ELKIntegration(asab.config.Configurable): # E.g.: Resource "elk:kibana-analyst" will be mapped to role "kibana-analyst" "resource_prefix": "elk:", - 'managed_role': 'seacat_managed', # 'flags' users in ElasticSearch/Kibana that is managed by us, + # This role 'flags' users in ElasticSearch/Kibana that is managed by Seacat Auth # There should be a role created in the ElasticSearch that grants no rights + "seacat_user_flag": "seacat_managed", } @@ -60,7 +61,7 @@ def __init__(self, batman_svc, config_section_name="batman:elk", config=None): self.ELKResourceRegex = re.compile("^{}".format( re.escape(self.Config.get("resource_prefix")) )) - self.ELKSeacatFlagRole = self.Config.get("managed_role") + self.ELKSeacatFlagRole = self.Config.get("seacat_user_flag") lu = re.split(r'\s+', self.Config.get('local_users'), flags=re.MULTILINE) lu.append(username) From d318ecc3297cdadcf730704448c8aa4853fa0237 Mon Sep 17 00:00:00 2001 
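Review bot: The fix is right — `set(self.ELKSeacatFlagRole)` iterated the string and produced a set of single characters, which `json["roles"] = list(elk_roles)` then sent to Elasticsearch as one-letter role names — but nothing pins it, and the CHANGELOG entry for #159 in this series shows those nonexistent roles were accepted without error, so the regression was invisible. A small unit test asserting that `json["roles"]` contains exactly `self.ELKSeacatFlagRole` plus the mapped resources would catch a repeat. Since `_initialize_resources` already fetches the roles from ELK, it could also verify the flag role exists there and log a warning otherwise: the config comment says the role must grant no rights, and if it is missing, an admin who later creates a role of that name with privileges silently grants them to every synced user. `sync` begins and ends outside this hunk.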
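Review bot: Renaming the config key from `managed_role` to `seacat_user_flag` silently breaks existing deployments: a `[batman:elk]` section that still sets `managed_role` is ignored and the default `seacat_managed` is used instead, with no warning, although the old value may be the name of the no-rights role that actually exists in their cluster. For at least one release I would read the old key as a fallback, or at minimum log when it is present, e.g. `if "managed_role" in self.Config: L.warning("Option 'managed_role' is obsolete, use 'seacat_user_flag'")` — assuming the asab config wrapper supports membership tests. The CHANGELOG entry added later in this series does not mention the rename either, so operators have no hint that their setting stopped applying.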
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Wed, 22 Feb 2023 09:07:58 +0100 Subject: [PATCH 6/9] unify quotes --- seacatauth/batman/elk.py | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/seacatauth/batman/elk.py b/seacatauth/batman/elk.py index 4033ca87..5daa68f6 100644 --- a/seacatauth/batman/elk.py +++ b/seacatauth/batman/elk.py @@ -25,14 +25,14 @@ class ELKIntegration(asab.config.Configurable): """ ConfigDefaults = { - 'url': 'http://localhost:9200/', - 'username': 'elastic', - 'password': 'elastic', + "url": "http://localhost:9200/", + "username": "elastic", + "password": "elastic", # List of elasticsearch system users # If Seacat Auth has users with one of these usernames, it will not sync them # to avoid interfering with kibana system users - 'local_users': 'elastic kibana logstash_system beats_system remote_monitoring_user', + "local_users": "elastic kibana logstash_system beats_system remote_monitoring_user", # Resources with this prefix will be mapped to Kibana users as roles # E.g.: Resource "elk:kibana-analyst" will be mapped to role "kibana-analyst" 
@@ -52,18 +52,18 @@ def __init__(self, batman_svc, config_section_name="batman:elk", config=None): self.RoleService = self.BatmanService.App.get_service("seacatauth.RoleService") self.ResourceService = self.BatmanService.App.get_service("seacatauth.ResourceService") - username = self.Config.get('username') - password = self.Config.get('password') + username = self.Config.get("username") + password = self.Config.get("password") self.BasicAuth = aiohttp.BasicAuth(username, password) - self.URL = self.Config.get('url').rstrip('/') + self.URL = self.Config.get("url").rstrip("/") self.ResourcePrefix = self.Config.get("resource_prefix") self.ELKResourceRegex = re.compile("^{}".format( re.escape(self.Config.get("resource_prefix")) )) self.ELKSeacatFlagRole = self.Config.get("seacat_user_flag") - lu = re.split(r'\s+', self.Config.get('local_users'), flags=re.MULTILINE) + lu = re.split(r"\s+", self.Config.get("local_users"), flags=re.MULTILINE) lu.append(username) self.LocalUsers = frozenset(lu) @@ -108,7 +108,7 @@ async def _initialize_resources(self): if resource_id not in existing_elk_resources: await self.ResourceService.create( resource_id, - description="Grants access to ELK role '{}.".format(role) + description="Grants access to ELK role {!r}.".format(role) ) async def sync_all(self): @@ -122,7 +122,7 @@ async def sync_all(self): async def sync(self, cred: dict, elk_resources: typing.Iterable): - username = cred.get('username') + username = cred.get("username") if username is None: # Be defensive L.info("Cannot create user: No username", struct_data={"cid": cred["_id"]}) 
@@ -133,25 +133,25 @@ async def sync(self, cred: dict, elk_resources: typing.Iterable): return json = { - 'enabled': cred.get('suspended', False) is not True, + "enabled": cred.get("suspended", False) is not True, # Generate technical password - 'password': self.BatmanService.generate_password(cred['_id']), + "password": self.BatmanService.generate_password(cred['_id']), - 'metadata': { + "metadata": { # We are managed by SeaCat Auth - 'seacatauth': True + "seacatauth": True }, } - v = cred.get('email') + v = cred.get("email") if v is not None: - json['email'] = v + json["email"] = v - v = cred.get('full_name') + v = cred.get("full_name") if v is not None: - json['full_name'] = v + json["full_name"] = v elk_roles = {self.ELKSeacatFlagRole} # Add a role that marks users managed by Seacat Auth @@ -176,7 +176,7 @@ async def sync(self, cred: dict, elk_resources: typing.Iterable): try: async with aiohttp.ClientSession(auth=self.BasicAuth) as session: - async with session.post('{}/_xpack/security/user/{}'.format(self.URL, username), json=json) as resp: + async with session.post("{}/_xpack/security/user/{}".format(self.URL, username), json=json) as resp: if resp.status == 200: # Everything is alright here pass From a66fdf6c4bb2f2ceddda30c9571cdaa9b5ba6013 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Wed, 22 Feb 2023 09:09:52 +0100 Subject: [PATCH 7/9] unify quotes --- seacatauth/batman/elk.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/seacatauth/batman/elk.py b/seacatauth/batman/elk.py index 5daa68f6..3981606f 100644 --- a/seacatauth/batman/elk.py +++ b/seacatauth/batman/elk.py @@ -136,7 +136,7 @@ async def sync(self, cred: dict, elk_resources: typing.Iterable): "enabled": cred.get("suspended", False) is not True, # Generate technical password - "password": self.BatmanService.generate_password(cred['_id']), + "password": self.BatmanService.generate_password(cred["_id"]), "metadata": { # We are managed by SeaCat Auth 
From 587a6882aad086461610b14c2bffacbc77b73424 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Thu, 23 Feb 2023 13:47:40 +0100 Subject: [PATCH 8/9] update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf1cdabc..d39ad869 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ - Fix sync method in Batman module (3c68cb8, PLUM Sprint 230210) - Fix cookie client session flow (#155, PLUM Sprint 230210) - Renaming resources without description (#158, PLUM Sprint 230210) +- Batman does not add nonexistent roles to Kibana users (#159, PLUM Sprint 230210) ### Features - Allow unsetting some client features (#148, PLUM Sprint 230113) From 0fe5fc6007ca4bf244e4724a4662fb7f93f82c44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Hru=C5=A1ka?= Date: Thu, 23 Feb 2023 13:50:19 +0100 Subject: [PATCH 9/9] TODO: Remove resource if its respective kibana role has been removed --- seacatauth/batman/elk.py | 1 + 1 file changed, 1 insertion(+) diff --git a/seacatauth/batman/elk.py b/seacatauth/batman/elk.py index 3981606f..a835b219 100644 --- a/seacatauth/batman/elk.py +++ b/seacatauth/batman/elk.py @@ -79,6 +79,7 @@ async def initialize(self): await self.sync_all() async def _initialize_resources(self): + # TODO: Remove resource if its respective kibana role has been removed """ Fetches roles from ELK and creates a Seacat Auth resource for each one of them. """
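Review bot: The TODO is placed above the method's docstring; keeping the docstring first and putting the TODO inside the body with an owner or issue reference, e.g. `# TODO(owner): remove the resource when its Kibana role disappears`, matches the file's existing comment style. The gap it describes deserves an issue rather than a comment, because it has an authorization consequence: a resource that outlives its role presumably keeps being granted in Seacat Auth and `sync` keeps sending the role name, so if a role of that name is later recreated in Elasticsearch with different privileges, holders of the stale resource obtain them without any change on the Seacat Auth side. The body of `_initialize_resources` continues outside the hunk.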