elastic/elasticsearch

Username letter case for role mapping

Open

#48120 opened on Oct 16, 2019

Labels: :Security/Authentication, >bug, Team:Security, help wanted

Description

Role mapping IS letter case dependent if the rule to map roles looks at the username field. If the rule looks at the dn or groups fields, then it IS NOT letter case dependent. What this is contingent upon is the datatype of the field (DistinguishedName for dn and groups, and String for username).

Most of the time this works flawlessly, but in the LDAP and AD realms the username, although of type String, is used as part of a DN in the bind operation performed during authentication. In this situation the letter casing of the username does not matter during authentication, but it is still relevant during role mapping.

Given that the username, of type String, is letter case agnostic for certain realms during authentication, should the role mapping process also be agnostic of letter case when dealing with such users in such realms? I think it should (hence labeling it a bug), but first I think we must make realms express whether or not they account for username letter casing.
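To make the mismatch concrete, here is a small model of role-mapping rule evaluation. It is an added example written for this page, not Elasticsearch's own implementation: the rule shape (`field` / `any` / `all` / `except`) mirrors the role-mapping API, but the evaluator, the user record, and the DN normalisation (lower-case attribute types and values, whitespace around separators ignored) are simplifying assumptions, and the `fold_username` flag stands in for the idea that a realm declares itself case-insensitive for usernames. The sample user and rules are constructed.

```python
"""Model of role-mapping rule evaluation: case-sensitive String fields
(username) versus case-insensitive DistinguishedName fields (dn, groups).
Constructed example; not Elasticsearch code."""
from dataclasses import dataclass, field
from typing import Any, List, Optional

# Fields the issue describes as DistinguishedName typed (assumption for this model).
DN_FIELDS = {"dn", "groups"}


def normalize_dn(dn: str) -> str:
    """Simplified DN canonicalisation (assumption): attribute types and values
    are compared case-insensitively and whitespace around '=' and ',' is
    ignored. Real LDAP matching rules are richer than this."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


@dataclass
class UserData:
    """Subset of the user data a role-mapping rule can look at."""
    username: str
    dn: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    realm: str = "ldap1"  # hypothetical realm name


def field_matches(name: str, expected: Any, user: UserData, fold_username: bool) -> bool:
    """Match one rule field against the user, honouring the field's type."""
    actual = getattr(user, name, None)
    expected_values = expected if isinstance(expected, list) else [expected]
    actual_values = actual if isinstance(actual, list) else [actual]
    actual_values = [a for a in actual_values if a is not None]
    if name in DN_FIELDS:
        # DistinguishedName semantics: compare normalised forms.
        wanted = {normalize_dn(e) for e in expected_values}
        return any(normalize_dn(a) in wanted for a in actual_values)
    if name == "username" and fold_username:
        # What a realm that treats usernames case-insensitively would want.
        wanted = {e.casefold() for e in expected_values}
        return any(a.casefold() in wanted for a in actual_values)
    # Plain String semantics: exact, case-sensitive comparison.
    return any(a in expected_values for a in actual_values)


def evaluate(rule: dict, user: UserData, fold_username: bool = False) -> bool:
    """Evaluate a rule tree in the shape of Elasticsearch role-mapping rules."""
    if "field" in rule:
        (name, expected), = rule["field"].items()
        return field_matches(name, expected, user, fold_username)
    if "any" in rule:
        return any(evaluate(r, user, fold_username) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user, fold_username) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user, fold_username)
    raise ValueError(f"unknown rule: {rule}")


# Constructed sample: the directory stores 'alice', the user typed 'Alice'.
# The LDAP bind succeeded because the DN lookup ignores case; role mapping
# now sees username 'Alice' but dn/groups in whatever case the directory uses.
ALICE = UserData(
    username="Alice",
    dn="cn=alice,ou=users,dc=example,dc=com",
    groups=["cn=admins,ou=groups,dc=example,dc=com"],
)

RULE_BY_USERNAME = {"field": {"username": "alice"}}
RULE_BY_DN = {"field": {"dn": "CN=Alice,OU=Users,DC=example,DC=com"}}
RULE_BY_GROUP = {"field": {"groups": "CN=Admins,OU=Groups,DC=example,DC=com"}}


def demo() -> dict:
    """Show which rules grant the mapped role to the sample user."""
    return {
        "username_rule_exact": evaluate(RULE_BY_USERNAME, ALICE),          # False
        "username_rule_folded": evaluate(RULE_BY_USERNAME, ALICE, True),   # True
        "dn_rule": evaluate(RULE_BY_DN, ALICE),                            # True
        "group_rule": evaluate(RULE_BY_GROUP, ALICE),                      # True
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {granted}")
```

The `username` rule silently fails for the same person the `dn` and `groups` rules accept, which is the behaviour the issue reports: until a realm can declare that its usernames are case-insensitive, mappings against LDAP/AD users are more robust when keyed on `dn` or `groups`, and an audit of existing mappings should flag `username` rules in those realms.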
