OpenSearch/x-pack/qa/security-migrate-tests/roles.yml

# A role that has all sorts of configuration:
# - it can monitor the cluster
# - for index1 and index2 it can do CRUD things and refresh
# - for other indices it has search-only privileges
actual_role:
  run_as: [ "joe" ]
  cluster:
    - monitor
  indices:
    - names: [ "index1", "index2" ]
      privileges: [ "read", "write", "create_index", "indices:admin/refresh" ]
      field_security:
        grant:
          - foo
          - bar
      query:
        bool:
          must_not:
            match:
              hidden: true
    - names: "*"
      privileges: [ "read" ]
Add comments inadvertently removed during migrate A few files had their first comment removed even though it did not contain a license. This re-adds those comments. 2018-04-24 14:41:09 -04:00			`# A role that has all sorts of configuration:`
			`# - it can monitor the cluster`
			`# - for index1 and index2 it can do CRUD things and refresh`
			`# - for other indices it has search-only privileges`
Add a tool to migrate users/roles from file to native realm This adds the `bin/shield/migrate` tool that allows migrating users and roles from the files to the native (API-based) store. It looks like this: ``` λ bin/shield/migrate native -U http://localhost:9200 -u test_user -p changeme -n lee,foo -r role1,role2,role3,role4,foo starting migration of users and roles... importing users from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/users]... found existing users: [test_user, joe3, joe2] migrating user [lee] {"user":{"created":true}} no user [foo] found, skipping importing roles from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/roles.yml]... found existing roles: [marvel_user, role_query_fields, admin_role, role3, admin, remote_marvel_agent, power_user, role_new_format_name_array, role_run_as, logstash, role_fields, role_run_as1, role_new_format, kibana4_server, user, transport_client, role1.ab, role_query] migrating role [role1] {"role":{"created":true}} migrating role [role2] {"role":{"created":true}} role [role3] already exists, skipping migrating role [role4] failed to migrate role [role4] with body: {"indices":[{"names":["idx2"]},{"names":["idx2"]},{"names":["idx1"]}]} java.io.IOException: {"error":{"root_cause":[{"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"}],"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"},"status":400} at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:206) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.importRoles(ESNativeRealmMigrateTool.java:389) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.execute(ESNativeRealmMigrateTool.java:171) at org.elasticsearch.common.cli.CliTool.execute(CliTool.java:153) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool.main(ESNativeRealmMigrateTool.java:91) Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:9200/_shield/role/role4 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:192) ... 4 more no role [foo] found, skipping users and roles imported. ``` Original commit: elastic/x-pack-elasticsearch@3ce47c0ffd9003df3970ae9ef92c10826ddfdf11 2016-06-02 13:50:21 -04:00			`actual_role:`
			`run_as: [ "joe" ]`
			`cluster:`
			`- monitor`
			`indices:`
			`- names: [ "index1", "index2" ]`
			`privileges: [ "read", "write", "create_index", "indices:admin/refresh" ]`
Add option to deny access to fields (elastic/elasticsearch#2879) To deny access to a fields users can name exceptions to field permissions with the following syntax: "fields": { "grant": [list of field names patterns], "except": [list of patterns that are forbidden] } See doc for the rules for this. This commit also reverts elastic/elasticsearch#2720 closes elastic/elasticsearch#2681 Original commit: elastic/x-pack-elasticsearch@d6537028ec0cf214e5c5fbf3cc144b8eb5444161 2016-09-13 10:38:58 -04:00			`field_security:`
			`grant:`
			`- foo`
			`- bar`
Add a tool to migrate users/roles from file to native realm This adds the `bin/shield/migrate` tool that allows migrating users and roles from the files to the native (API-based) store. It looks like this: ``` λ bin/shield/migrate native -U http://localhost:9200 -u test_user -p changeme -n lee,foo -r role1,role2,role3,role4,foo starting migration of users and roles... importing users from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/users]... found existing users: [test_user, joe3, joe2] migrating user [lee] {"user":{"created":true}} no user [foo] found, skipping importing roles from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/roles.yml]... found existing roles: [marvel_user, role_query_fields, admin_role, role3, admin, remote_marvel_agent, power_user, role_new_format_name_array, role_run_as, logstash, role_fields, role_run_as1, role_new_format, kibana4_server, user, transport_client, role1.ab, role_query] migrating role [role1] {"role":{"created":true}} migrating role [role2] {"role":{"created":true}} role [role3] already exists, skipping migrating role [role4] failed to migrate role [role4] with body: {"indices":[{"names":["idx2"]},{"names":["idx2"]},{"names":["idx1"]}]} java.io.IOException: {"error":{"root_cause":[{"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"}],"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"},"status":400} at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:206) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.importRoles(ESNativeRealmMigrateTool.java:389) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.execute(ESNativeRealmMigrateTool.java:171) at org.elasticsearch.common.cli.CliTool.execute(CliTool.java:153) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool.main(ESNativeRealmMigrateTool.java:91) Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:9200/_shield/role/role4 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:192) ... 4 more no role [foo] found, skipping users and roles imported. ``` Original commit: elastic/x-pack-elasticsearch@3ce47c0ffd9003df3970ae9ef92c10826ddfdf11 2016-06-02 13:50:21 -04:00			`query:`
			`bool:`
			`must_not:`
			`match:`
			`hidden: true`
			`- names: "*"`
			`privileges: [ "read" ]`