fix xnode swapping secondary user

jakelandis · Apr 3, 2024 · f3a4957 · f3a4957
1 parent 7187bba
commit f3a4957
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/...rc/javaRestTest/java/org/elasticsearch/secondary/auth/actions/SecondaryAuthActionsIT.java b/...rc/javaRestTest/java/org/elasticsearch/secondary/auth/actions/SecondaryAuthActionsIT.java
@@ -37,6 +37,10 @@ public class SecondaryAuthActionsIT extends ESRestTestCase {
     @ClassRule
     public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
         .distribution(DistributionType.DEFAULT)
+        .nodes(2)
+        // ensure secondary auth actions go across the cluster, so we don't attempt to double swap out the user in context
+        .node(0, n -> n.setting("node.roles", "[master]"))
+        .node(1, n -> n.setting("node.roles", "[data]"))
         .setting("xpack.watcher.enabled", "false")
         .setting("xpack.ml.enabled", "false")
         .setting("xpack.security.enabled", "true")
@@ -45,6 +49,7 @@ public class SecondaryAuthActionsIT extends ESRestTestCase {
         .user("test_admin", "x-pack-test-password", "superuser", false)
         .user("test_user", "x-pack-test-password", "logsrole", false)
         .plugin("secondary-auth-actions-extension")
+
         .build();
 
     @Before

diff --git a/...ty/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java b/...ty/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java
@@ -104,6 +104,7 @@ operations are blocked on license expiration. All data operations (read and writ
             threadContext
         );
         final boolean useSystemUser = AuthorizationUtils.shouldReplaceUserWithSystem(threadContext, action);
+
         try {
             if (useSystemUser) {
                 securityContext.executeAsSystemUser(original -> applyInternal(task, chain, action, request, contextPreservingListener));
@@ -114,12 +115,14 @@ operations are blocked on license expiration. All data operations (read and writ
                     TransportVersion.current(), // current version since this is on the same node
                     (original) -> { applyInternal(task, chain, action, request, contextPreservingListener); }
                 );
-            } else if (secondaryAuthActions.get().contains(action)) {
+            } else if (secondaryAuthActions.get().contains(action) && threadContext.getHeader("secondary_auth_action_applied") == null) {
                 SecondaryAuthentication secondaryAuth = securityContext.getSecondaryAuthentication();
                 if (secondaryAuth == null) {
                     throw new IllegalArgumentException("es-secondary-authorization header must be used to call action [" + action + "]");
                 } else {
                     secondaryAuth.execute(ignore -> {
+                        // this header exists to ensure that if this action goes across nodes we don't attempt to swap out the user again
+                        threadContext.putHeader("secondary_auth_action_applied", "true");
                         applyInternal(task, chain, action, request, contextPreservingListener);
                         return null;
                     });