[TEST] consolidate different assertAuthorizationException methods in one place

Original commit: elastic/x-pack-elasticsearch@27de6db7e0
This commit is contained in:
javanna 2016-10-06 16:29:32 +02:00 committed by Luca Cavanna
parent 3dbea2f4c2
commit 06b5d42741
9 changed files with 349 additions and 577 deletions

View File

@ -5,24 +5,25 @@
*/ */
package org.elasticsearch.integration; package org.elasticsearch.integration;
import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesAction;
import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse; import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateAction;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse; import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
import org.elasticsearch.client.Client; import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.IndexTemplateMetaData; import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.xpack.security.authc.support.Hasher; import org.elasticsearch.xpack.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredStringTests; import org.elasticsearch.xpack.security.authc.support.SecuredStringTests;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.SecurityIntegTestCase;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.hasSize;
/** /**
@ -103,29 +104,14 @@ public class PermissionPrecedenceTests extends SecurityIntegTestCase {
// now lets try with "user" // now lets try with "user"
try { Map<String, String> auth = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user",
Map<String, String> auth = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user", transportClientPassword()));
transportClientPassword())); assertThrowsAuthorizationException(client.filterWithHeader(auth).admin().indices().preparePutTemplate("template1")
client.filterWithHeader(auth) .setTemplate("test_*")::get, PutIndexTemplateAction.NAME, "user");
.admin().indices().preparePutTemplate("template1")
.setTemplate("test_*")
.get();
fail("expected an authorization exception as template APIs should require cluster ALL permission");
} catch (ElasticsearchSecurityException e) {
// expected
assertAuthorizationException(e);
}
try { Map<String, String> headers = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user",
Map<String, String> headers = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user", SecuredStringTests.build("test123")));
SecuredStringTests.build("test123"))); assertThrowsAuthorizationException(client.filterWithHeader(headers).admin().indices().prepareGetTemplates("template1")::get,
client.filterWithHeader(headers) GetIndexTemplatesAction.NAME, "user");
.admin().indices().prepareGetTemplates("template1")
.get();
fail("expected an authorization exception as template APIs should require cluster ALL permission");
} catch (ElasticsearchSecurityException e) {
// expected
assertAuthorizationException(e);
}
} }
} }

View File

@ -5,23 +5,19 @@
*/ */
package org.elasticsearch.integration; package org.elasticsearch.integration;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.index.IndexRequestBuilder; import org.elasticsearch.action.index.IndexRequestBuilder;
import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.security.crypto.CryptoService;
import org.elasticsearch.xpack.security.crypto.CryptoService;
import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.xpack.security.crypto.CryptoService;
import java.util.Locale; import java.util.Locale;
import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery; import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitCount; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitCount;
import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.notNullValue;
public class ScrollIdSigningTests extends SecurityIntegTestCase { public class ScrollIdSigningTests extends SecurityIntegTestCase {
public void testSearchAndClearScroll() throws Exception { public void testSearchAndClearScroll() throws Exception {
@ -66,14 +62,10 @@ public class ScrollIdSigningTests extends SecurityIntegTestCase {
String scrollId = response.getScrollId(); String scrollId = response.getScrollId();
String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) : String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) :
scrollId + randomAsciiOfLength(randomIntBetween(3, 10)); scrollId + randomAsciiOfLength(randomIntBetween(3, 10));
try { try {
client().prepareSearchScroll(tamperedScrollId).setScroll(TimeValue.timeValueMinutes(2)).get(); assertThrowsAuthorizationException(client().prepareSearchScroll(tamperedScrollId).setScroll(TimeValue.timeValueMinutes(2))::get,
fail("Expected an authorization exception to be thrown when scroll id is tampered"); equalTo("invalid request. tampered signed text"));
} catch (Exception e) {
ElasticsearchSecurityException ese = (ElasticsearchSecurityException) ExceptionsHelper.unwrap(e,
ElasticsearchSecurityException.class);
assertThat(ese, notNullValue());
assertAuthorizationException(ese);
} finally { } finally {
clearScroll(scrollId); clearScroll(scrollId);
} }
@ -92,14 +84,10 @@ public class ScrollIdSigningTests extends SecurityIntegTestCase {
String scrollId = response.getScrollId(); String scrollId = response.getScrollId();
String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) : String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) :
scrollId + randomAsciiOfLength(randomIntBetween(3, 10)); scrollId + randomAsciiOfLength(randomIntBetween(3, 10));
try { try {
client().prepareClearScroll().addScrollId(tamperedScrollId).get(); assertThrowsAuthorizationException(client().prepareClearScroll().addScrollId(tamperedScrollId)::get,
fail("Expected an authorization exception to be thrown when scroll id is tampered"); equalTo("invalid request. tampered signed text"));
} catch (Exception e) {
ElasticsearchSecurityException ese = (ElasticsearchSecurityException) ExceptionsHelper.unwrap(e,
ElasticsearchSecurityException.class);
assertThat(ese, notNullValue());
assertAuthorizationException(ese);
} finally { } finally {
clearScroll(scrollId); clearScroll(scrollId);
} }

View File

@ -6,8 +6,6 @@
package org.elasticsearch.test; package org.elasticsearch.test;
import org.elasticsearch.AbstractOldXPackIndicesBackwardsCompatibilityTestCase; import org.elasticsearch.AbstractOldXPackIndicesBackwardsCompatibilityTestCase;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequestBuilder;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse; import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.action.admin.cluster.node.info.NodeInfo; import org.elasticsearch.action.admin.cluster.node.info.NodeInfo;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse; import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
@ -43,7 +41,6 @@ import java.util.stream.Collectors;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoTimeout; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoTimeout;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
import static org.hamcrest.core.IsCollectionContaining.hasItem; import static org.hamcrest.core.IsCollectionContaining.hasItem;
@ -362,11 +359,10 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
assertThat(clusterHealthResponse.getStatus(), is(ClusterHealthStatus.GREEN)); assertThat(clusterHealthResponse.getStatus(), is(ClusterHealthStatus.GREEN));
} }
protected static void assertThrowsAuthorizationException(ActionRequestBuilder actionRequestBuilder) { /**
ElasticsearchSecurityException e = expectThrows(ElasticsearchSecurityException.class, actionRequestBuilder::get); * Creates the indices provided as argument, randomly associating them with aliases, indexes one dummy document per index
SecurityTestsUtils.assertAuthorizationException(e, containsString("is unauthorized for user [")); * and refreshes the new indices
} */
protected void createIndicesWithRandomAliases(String... indices) { protected void createIndicesWithRandomAliases(String... indices) {
if (randomBoolean()) { if (randomBoolean()) {
//no aliases //no aliases
@ -388,7 +384,7 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
for (String index : indices) { for (String index : indices) {
client().prepareIndex(index, "type").setSource("field", "value").get(); client().prepareIndex(index, "type").setSource("field", "value").get();
} }
refresh(); refresh(indices);
} }
@Override @Override

View File

@ -5,11 +5,16 @@
*/ */
package org.elasticsearch.test; package org.elasticsearch.test;
import org.apache.lucene.util.LuceneTestCase;
import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.RestStatus;
import org.hamcrest.Matcher; import org.hamcrest.Matcher;
import static org.apache.lucene.util.LuceneTestCase.expectThrows;
import static org.elasticsearch.xpack.security.test.SecurityAssertions.assertContainsWWWAuthenticateHeader; import static org.elasticsearch.xpack.security.test.SecurityAssertions.assertContainsWWWAuthenticateHeader;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.either;
import static org.hamcrest.CoreMatchers.instanceOf;
import static org.hamcrest.CoreMatchers.nullValue; import static org.hamcrest.CoreMatchers.nullValue;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertThat; import static org.junit.Assert.assertThat;
@ -31,13 +36,38 @@ public class SecurityTestsUtils {
assertThat(e.getMessage(), messageMatcher); assertThat(e.getMessage(), messageMatcher);
} }
public static void assertAuthorizationException(ElasticsearchSecurityException e) { public static void assertThrowsAuthorizationException(LuceneTestCase.ThrowingRunnable throwingRunnable, String action, String user) {
assertThat(e.status(), is(RestStatus.FORBIDDEN)); assertThrowsAuthorizationException(throwingRunnable,
containsString("[" + action + "] is unauthorized for user [" + user + "]"));
} }
public static void assertAuthorizationException(ElasticsearchSecurityException e, Matcher<String> messageMatcher) { public static void assertThrowsAuthorizationExceptionRunAs(LuceneTestCase.ThrowingRunnable throwingRunnable,
assertAuthorizationException(e); String action, String user, String runAs) {
assertThat(e.getMessage(), messageMatcher); assertThrowsAuthorizationException(throwingRunnable,
containsString("[" + action + "] is unauthorized for user [" + user + "] run as [" + runAs + "]"));
} }
public static void assertThrowsAuthorizationExceptionDefaultUsers(LuceneTestCase.ThrowingRunnable throwingRunnable, String action) {
ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, throwingRunnable);
assertAuthorizationExceptionDefaultUsers(exception, action);
}
public static void assertAuthorizationExceptionDefaultUsers(Throwable throwable, String action) {
assertAuthorizationException(throwable, either(containsString("[" + action + "] is unauthorized for user ["
+ SecuritySettingsSource.DEFAULT_USER_NAME + "]")).or(containsString("[" + action + "] is unauthorized for user ["
+ SecuritySettingsSource.DEFAULT_TRANSPORT_CLIENT_USER_NAME + "]")));
}
public static void assertThrowsAuthorizationException(LuceneTestCase.ThrowingRunnable throwingRunnable,
Matcher<String> messageMatcher) {
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, throwingRunnable);
assertAuthorizationException(securityException, messageMatcher);
}
private static void assertAuthorizationException(Throwable throwable, Matcher<String> messageMatcher) {
assertThat(throwable, instanceOf(ElasticsearchSecurityException.class));
ElasticsearchSecurityException securityException = (ElasticsearchSecurityException) throwable;
assertThat(securityException.status(), is(RestStatus.FORBIDDEN));
assertThat(throwable.getMessage(), messageMatcher);
}
} }

View File

@ -5,17 +5,16 @@
*/ */
package org.elasticsearch.xpack.security.authz; package org.elasticsearch.xpack.security.authz;
import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.xpack.security.authc.support.Hasher; import org.elasticsearch.xpack.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.SecurityIntegTestCase;
import java.util.Collections; import java.util.Collections;
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
import static org.hamcrest.CoreMatchers.containsString;
public class AnalyzeTests extends SecurityIntegTestCase { public class AnalyzeTests extends SecurityIntegTestCase {
protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray()))); protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray())));
@ -59,34 +58,28 @@ public class AnalyzeTests extends SecurityIntegTestCase {
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
.admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get(); .admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get();
try { //fails: user doesn't have permissions for analyze on index non_authorized
//fails: user doesn't have permissions for analyze on index non_authorized assertThrowsAuthorizationException(client().filterWithHeader(
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
.admin().indices().prepareAnalyze("this is my text").setIndex("non_authorized").setAnalyzer("standard").get(); .admin().indices().prepareAnalyze("this is my text").setIndex("non_authorized").setAnalyzer("standard")::get,
} catch(ElasticsearchSecurityException e) { AnalyzeAction.NAME, "analyze_indices");
assertAuthorizationException(e, containsString("action [indices:admin/analyze] is unauthorized for user [analyze_indices]"));
}
try { //fails: user doesn't have permissions for cluster level analyze
//fails: user doesn't have permissions for cluster level analyze assertThrowsAuthorizationException(client().filterWithHeader(
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
.admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard").get(); .admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard")::get,
} catch(ElasticsearchSecurityException e) { "cluster:admin/analyze", "analyze_indices");
assertAuthorizationException(e, containsString("action [cluster:admin/analyze] is unauthorized for user [analyze_indices]"));
}
} }
public void testAnalyzeWithoutIndices() { public void testAnalyzeWithoutIndices() {
//this test tries to execute different analyze api variants from a user that has analyze privileges only at cluster level //this test tries to execute different analyze api variants from a user that has analyze privileges only at cluster level
SecuredString passwd = new SecuredString("test123".toCharArray()); SecuredString passwd = new SecuredString("test123".toCharArray());
try { //fails: user doesn't have permissions for analyze on index test_1
//fails: user doesn't have permissions for analyze on index test_1 assertThrowsAuthorizationException(client().filterWithHeader(
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd))) Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd)))
.admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get(); .admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard")::get,
} catch(ElasticsearchSecurityException e) { AnalyzeAction.NAME, "analyze_cluster");
assertAuthorizationException(e, containsString("action [indices:admin/analyze] is unauthorized for user [analyze_cluster]"));
}
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd))) client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd)))
.admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard").get(); .admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard").get();

View File

@ -68,7 +68,6 @@ import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportRequest;
@ -97,7 +96,8 @@ import java.util.Collections;
import java.util.List; import java.util.List;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthenticationException; import static org.elasticsearch.test.SecurityTestsUtils.assertAuthenticationException;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionRunAs;
import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.arrayContaining;
import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
@ -144,67 +144,49 @@ public class AuthorizationServiceTests extends ESTestCase {
public void testIndicesActionsAreNotAuthorized() { public void testIndicesActionsAreNotAuthorized() {
TransportRequest request = mock(TransportRequest.class); TransportRequest request = mock(TransportRequest.class);
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "indices:", request); () -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "indices:", request),
fail("action beginning with indices should have failed"); "indices:", SystemUser.INSTANCE.principal());
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(SystemUser.INSTANCE, "indices:", request);
assertAuthorizationException(e, verifyNoMoreInteractions(auditTrail);
containsString("action [indices:] is unauthorized for user [" + SystemUser.INSTANCE.principal() + "]"));
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "indices:", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testClusterAdminActionsAreNotAuthorized() { public void testClusterAdminActionsAreNotAuthorized() {
TransportRequest request = mock(TransportRequest.class); TransportRequest request = mock(TransportRequest.class);
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/whatever", request); () -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/whatever", request),
fail("action beginning with cluster:admin/whatever should have failed"); "cluster:admin/whatever", SystemUser.INSTANCE.principal());
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/whatever", request);
assertAuthorizationException(e, verifyNoMoreInteractions(auditTrail);
containsString("action [cluster:admin/whatever] is unauthorized for user [" + SystemUser.INSTANCE.principal() + "]"));
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/whatever", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testClusterAdminSnapshotStatusActionIsNotAuthorized() { public void testClusterAdminSnapshotStatusActionIsNotAuthorized() {
TransportRequest request = mock(TransportRequest.class); TransportRequest request = mock(TransportRequest.class);
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/snapshot/status", request); () -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/snapshot/status", request),
fail("action beginning with cluster:admin/snapshot/status should have failed"); "cluster:admin/snapshot/status", SystemUser.INSTANCE.principal());
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/snapshot/status", request);
assertAuthorizationException(e, containsString("action [cluster:admin/snapshot/status] is unauthorized for user [" + verifyNoMoreInteractions(auditTrail);
SystemUser.INSTANCE.principal() + "]"));
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/snapshot/status", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testNoRolesCausesDenial() { public void testNoRolesCausesDenial() {
TransportRequest request = new SearchRequest(); TransportRequest request = new SearchRequest();
User user = new User("test user"); User user = new User("test user");
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(user), "indices:a", request); () -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
fail("user without roles should be denied"); "indices:a", "test user");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(user, "indices:a", request);
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]")); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).accessDenied(user, "indices:a", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testUnknownRoleCausesDenial() { public void testUnknownRoleCausesDenial() {
TransportRequest request = new SearchRequest(); TransportRequest request = new SearchRequest();
User user = new User("test user", "non-existent-role"); User user = new User("test user", "non-existent-role");
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(user), "indices:a", request); () -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
fail("user with unknown role only should have been denied"); "indices:a", "test user");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(user, "indices:a", request);
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]")); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).accessDenied(user, "indices:a", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testThatNonIndicesAndNonClusterActionIsDenied() { public void testThatNonIndicesAndNonClusterActionIsDenied() {
@ -212,14 +194,11 @@ public class AuthorizationServiceTests extends ESTestCase {
User user = new User("test user", "a_all"); User user = new User("test user", "a_all");
when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build()); when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build());
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(user), "whatever", request); () -> authorizationService.authorize(createAuthentication(user), "whatever", request),
fail("non indices and non cluster requests should be denied"); "whatever", "test user");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(user, "whatever", request);
assertAuthorizationException(e, containsString("action [whatever] is unauthorized for user [test user]")); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).accessDenied(user, "whatever", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testThatRoleWithNoIndicesIsDenied() { public void testThatRoleWithNoIndicesIsDenied() {
@ -227,14 +206,11 @@ public class AuthorizationServiceTests extends ESTestCase {
User user = new User("test user", "no_indices"); User user = new User("test user", "no_indices");
when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build()); when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build());
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(user), "indices:a", request); () -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
fail("user only has cluster roles so indices requests should fail"); "indices:a", "test user");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(user, "indices:a", request);
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]")); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).accessDenied(user, "indices:a", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testSearchAgainstEmptyCluster() { public void testSearchAgainstEmptyCluster() {
@ -248,14 +224,12 @@ public class AuthorizationServiceTests extends ESTestCase {
//ignore_unavailable set to false, user is not authorized for this index nor does it exist //ignore_unavailable set to false, user is not authorized for this index nor does it exist
SearchRequest searchRequest = new SearchRequest("does_not_exist") SearchRequest searchRequest = new SearchRequest("does_not_exist")
.indicesOptions(IndicesOptions.fromOptions(false, true, true, false)); .indicesOptions(IndicesOptions.fromOptions(false, true, true, false));
try {
authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest); assertThrowsAuthorizationException(
fail("indices request for b should be denied since there is no such index"); () -> authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest),
} catch (ElasticsearchSecurityException e) { SearchAction.NAME, "test user");
assertAuthorizationException(e, containsString("action [" + SearchAction.NAME + "] is unauthorized for user [test user]")); verify(auditTrail).accessDenied(user, SearchAction.NAME, searchRequest);
verify(auditTrail).accessDenied(user, SearchAction.NAME, searchRequest); verifyNoMoreInteractions(auditTrail);
verifyNoMoreInteractions(auditTrail);
}
} }
{ {
@ -312,16 +286,13 @@ public class AuthorizationServiceTests extends ESTestCase {
when(clusterService.state()).thenReturn(state); when(clusterService.state()).thenReturn(state);
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA); when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(user), "indices:a", request); () -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
fail("indices request for b should be denied since there is no such index"); "indices:a", "test user");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(user, "indices:a", request);
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]")); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).accessDenied(user, "indices:a", request); verify(clusterService, times(2)).state();
verifyNoMoreInteractions(auditTrail); verify(state, times(3)).metaData();
verify(clusterService, times(2)).state();
verify(state, times(3)).metaData();
}
} }
public void testCreateIndexWithAliasWithoutPermissions() { public void testCreateIndexWithAliasWithoutPermissions() {
@ -333,17 +304,13 @@ public class AuthorizationServiceTests extends ESTestCase {
when(clusterService.state()).thenReturn(state); when(clusterService.state()).thenReturn(state);
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA); when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(user), CreateIndexAction.NAME, request); () -> authorizationService.authorize(createAuthentication(user), CreateIndexAction.NAME, request),
fail("indices creation request with alias should be denied since user does not have permission to alias"); IndicesAliasesAction.NAME, "test user");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(user, IndicesAliasesAction.NAME, request);
assertAuthorizationException(e, verifyNoMoreInteractions(auditTrail);
containsString("action [" + IndicesAliasesAction.NAME + "] is unauthorized for user [test user]")); verify(clusterService).state();
verify(auditTrail).accessDenied(user, IndicesAliasesAction.NAME, request); verify(state, times(2)).metaData();
verifyNoMoreInteractions(auditTrail);
verify(clusterService).state();
verify(state, times(2)).metaData();
}
} }
public void testCreateIndexWithAlias() { public void testCreateIndexWithAlias() {
@ -409,17 +376,13 @@ public class AuthorizationServiceTests extends ESTestCase {
when(clusterService.state()).thenReturn(state); when(clusterService.state()).thenReturn(state);
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA); when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(anonymousUser), "indices:a", request); () -> authorizationService.authorize(createAuthentication(anonymousUser), "indices:a", request),
fail("indices request for b should be denied since there is no such index"); "indices:a", anonymousUser.principal());
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(anonymousUser, "indices:a", request);
assertAuthorizationException(e, verifyNoMoreInteractions(auditTrail);
containsString("action [indices:a] is unauthorized for user [" + anonymousUser.principal() + "]")); verify(clusterService, times(2)).state();
verify(auditTrail).accessDenied(anonymousUser, "indices:a", request); verify(state, times(3)).metaData();
verifyNoMoreInteractions(auditTrail);
verify(clusterService, times(2)).state();
verify(state, times(3)).metaData();
}
} }
public void testDenialForAnonymousUserAuthorizationExceptionDisabled() { public void testDenialForAnonymousUserAuthorizationExceptionDisabled() {
@ -453,14 +416,11 @@ public class AuthorizationServiceTests extends ESTestCase {
TransportRequest request = mock(TransportRequest.class); TransportRequest request = mock(TransportRequest.class);
User user = new User("test user", null, new User("run as me", new String[] { "admin" })); User user = new User("test user", null, new User("run as me", new String[] { "admin" }));
assertThat(user.runAs(), is(notNullValue())); assertThat(user.runAs(), is(notNullValue()));
try { assertThrowsAuthorizationExceptionRunAs(
authorizationService.authorize(createAuthentication(user), "indices:a", request); () -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
fail("user without roles should be denied for run as"); "indices:a", "test user", "run as me"); // run as [run as me]
} catch (ElasticsearchSecurityException e) { verify(auditTrail).runAsDenied(user, "indices:a", request);
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]")); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).runAsDenied(user, "indices:a", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testRunAsRequestRunningAsUnAllowedUser() { public void testRunAsRequestRunningAsUnAllowedUser() {
@ -473,14 +433,11 @@ public class AuthorizationServiceTests extends ESTestCase {
.add(IndexPrivilege.ALL, "a") .add(IndexPrivilege.ALL, "a")
.build()); .build());
try { assertThrowsAuthorizationExceptionRunAs(
authorizationService.authorize(createAuthentication(user), "indices:a", request); () -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
fail("user without roles should be denied for run as"); "indices:a", "test user", "run as me");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).runAsDenied(user, "indices:a", request);
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]")); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).runAsDenied(user, "indices:a", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testRunAsRequestWithRunAsUserWithoutPermission() { public void testRunAsRequestWithRunAsUserWithoutPermission() {
@ -507,15 +464,12 @@ public class AuthorizationServiceTests extends ESTestCase {
.build()); .build());
} }
try { assertThrowsAuthorizationExceptionRunAs(
authorizationService.authorize(createAuthentication(user), "indices:a", request); () -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
fail("the run as user's role doesn't exist so they should not get authorized"); "indices:a", "test user", "run as me");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).runAsGranted(user, "indices:a", request);
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]")); verify(auditTrail).accessDenied(user, "indices:a", request);
verify(auditTrail).runAsGranted(user, "indices:a", request); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).accessDenied(user, "indices:a", request);
verifyNoMoreInteractions(auditTrail);
}
} }
public void testRunAsRequestWithValidPermissions() { public void testRunAsRequestWithValidPermissions() {
@ -577,14 +531,11 @@ public class AuthorizationServiceTests extends ESTestCase {
for (Tuple<String, TransportRequest> requestTuple : requests) { for (Tuple<String, TransportRequest> requestTuple : requests) {
String action = requestTuple.v1(); String action = requestTuple.v1();
TransportRequest request = requestTuple.v2(); TransportRequest request = requestTuple.v2();
try { assertThrowsAuthorizationException(
authorizationService.authorize(createAuthentication(user), action, request); () -> authorizationService.authorize(createAuthentication(user), action, request),
fail("only the xpack user can execute operation [" + action + "] against the internal index"); action, "all_access_user");
} catch (ElasticsearchSecurityException e) { verify(auditTrail).accessDenied(user, action, request);
assertAuthorizationException(e, containsString("action [" + action + "] is unauthorized for user [all_access_user]")); verifyNoMoreInteractions(auditTrail);
verify(auditTrail).accessDenied(user, action, request);
verifyNoMoreInteractions(auditTrail);
}
} }
// we should allow waiting for the health of the index or any index if the user has this permission // we should allow waiting for the health of the index or any index if the user has this permission
@ -729,10 +680,8 @@ public class AuthorizationServiceTests extends ESTestCase {
TransportRequest request = compositeRequest.v2(); TransportRequest request = compositeRequest.v2();
User user = new User("test user", "no_indices"); User user = new User("test user", "no_indices");
when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build()); when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build());
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationException(
() -> authorizationService.authorize(createAuthentication(user), action, request)); () -> authorizationService.authorize(createAuthentication(user), action, request), action, "test user");
assertThat(securityException.status(), is(RestStatus.FORBIDDEN));
assertThat(securityException.getMessage(), containsString("[" + action + "] is unauthorized for user [" + user.principal() + "]"));
verify(auditTrail).accessDenied(user, action, request); verify(auditTrail).accessDenied(user, action, request);
verifyNoMoreInteractions(auditTrail); verifyNoMoreInteractions(auditTrail);
} }
@ -795,11 +744,8 @@ public class AuthorizationServiceTests extends ESTestCase {
when(rolesStore.role("roleDenied")).thenReturn(Role.builder("roleDenied").add(IndexPrivilege.ALL, "a").build()); when(rolesStore.role("roleDenied")).thenReturn(Role.builder("roleDenied").add(IndexPrivilege.ALL, "a").build());
mockEmptyMetaData(); mockEmptyMetaData();
authorizationService.authorize(createAuthentication(userAllowed), action, request); authorizationService.authorize(createAuthentication(userAllowed), action, request);
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationException(
() -> authorizationService.authorize(createAuthentication(userDenied), action, request)); () -> authorizationService.authorize(createAuthentication(userDenied), action, request), action, "userDenied");
assertThat(securityException.status(), is(RestStatus.FORBIDDEN));
assertThat(securityException.getMessage(),
containsString("[" + action + "] is unauthorized for user [" + userDenied.principal() + "]"));
} }
private static Tuple<String, TransportRequest> randomCompositeRequest() { private static Tuple<String, TransportRequest> randomCompositeRequest() {

View File

@ -5,28 +5,29 @@
*/ */
package org.elasticsearch.xpack.security.authz; package org.elasticsearch.xpack.security.authz;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.indices.alias.Alias; import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesAction;
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesAction;
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequestBuilder; import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequestBuilder;
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesResponse; import org.elasticsearch.action.admin.indices.alias.get.GetAliasesResponse;
import org.elasticsearch.action.admin.indices.create.CreateIndexAction;
import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.client.Client; import org.elasticsearch.client.Client;
import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.xpack.security.authc.support.Hasher; import org.elasticsearch.xpack.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.junit.Before; import org.junit.Before;
import java.util.Collections; import java.util.Collections;
import java.util.Map; import java.util.Map;
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
public class IndexAliasesTests extends SecurityIntegTestCase { public class IndexAliasesTests extends SecurityIntegTestCase {
@ -100,19 +101,13 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
new SecuredString("test123".toCharArray()))); new SecuredString("test123".toCharArray())));
assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").get()); assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").get());
try { assertThrowsAuthorizationException(
client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "test_alias").get(); client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "test_alias")::get,
fail("add alias should have failed due to missing manage_aliases privileges"); IndicesAliasesAction.NAME, "create_only");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]"));
}
try { IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias").get(); client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias")::get);
fail("add alias should have failed due to missing manage_aliases privileges"); assertThat(indexNotFoundException.toString(), containsString("[test_*]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[test_*]"));
}
} }
public void testCreateIndexAndAliasesCreateOnlyPermission() { public void testCreateIndexAndAliasesCreateOnlyPermission() {
@ -120,80 +115,56 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
// the same create index request // the same create index request
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
new SecuredString("test123".toCharArray()))); new SecuredString("test123".toCharArray())));
try {
client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_2")).get(); assertThrowsAuthorizationException(
fail("create index should have failed due to missing manage_aliases privileges"); client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_2"))::get,
} catch(ElasticsearchSecurityException e) { IndicesAliasesAction.NAME, "create_only");
assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]"));
}
} }
public void testDeleteAliasesCreateOnlyPermission() { public void testDeleteAliasesCreateOnlyPermission() {
//user has create permission only: allows to create indices, manage_aliases is required to add/remove aliases //user has create permission only: allows to create indices, manage_aliases is required to add/remove aliases
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
new SecuredString("test123".toCharArray()))); new SecuredString("test123".toCharArray())));
try {
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get();
fail("remove alias should have failed due to missing manage_aliases privileges");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]"));
}
try { assertThrowsAuthorizationException(
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_*").get(); client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1")::get,
fail("remove alias should have failed due to missing manage_aliases privileges"); IndicesAliasesAction.NAME, "create_only");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[alias_*"));
}
try { IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all").get(); client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_*")::get);
fail("remove alias should have failed due to missing manage_aliases privileges"); assertThat(indexNotFoundException.toString(), containsString("[alias_*"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]")); indexNotFoundException = expectThrows(IndexNotFoundException.class,
} client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
} }
public void testGetAliasesCreateOnlyPermissionStrict() { public void testGetAliasesCreateOnlyPermissionStrict() {
//user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though //user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
new SecuredString("test123".toCharArray()))); new SecuredString("test123".toCharArray())));
try {
client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1").setIndices("test_1")
.setIndicesOptions(IndicesOptions.strictExpand()).get();
fail("get alias should have failed due to missing manage_aliases privileges");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [create_only]"));
}
try { assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1")
client().filterWithHeader(headers).admin().indices().prepareGetAliases("_all").setIndices("test_1") .setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get, GetAliasesAction.NAME, "create_only");
.setIndicesOptions(IndicesOptions.strictExpand()).get();
fail("get alias should have failed due to missing manage_aliases privileges");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
try { IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers)
client().filterWithHeader(headers).admin().indices().prepareGetAliases().setIndices("test_1") .admin().indices().prepareGetAliases("_all")
.setIndicesOptions(IndicesOptions.strictExpand()).get(); .setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get);
fail("get alias should have failed due to missing manage_aliases privileges"); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]")); indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices()
} .prepareGetAliases().setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get);
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias") GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias")
.setIndices("test_*").setIndicesOptions(IndicesOptions.strictExpand()).get(); .setIndices("test_*").setIndicesOptions(IndicesOptions.strictExpand()).get();
assertEquals(0, getAliasesResponse.getAliases().size()); assertEquals(0, getAliasesResponse.getAliases().size());
try { //this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias
//this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias //and there is no way to "allow_no_aliases" like we can do with indices.
//and there is no way to "allow_no_aliases" like we can do with indices. indexNotFoundException = expectThrows(IndexNotFoundException.class,
client().filterWithHeader(headers).admin().indices().prepareGetAliases().get(); client().filterWithHeader(headers).admin().indices().prepareGetAliases()::get);
fail("get alias should have failed due to missing manage_aliases privileges"); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
} }
public void testGetAliasesCreateOnlyPermissionIgnoreUnavailable() { public void testGetAliasesCreateOnlyPermissionIgnoreUnavailable() {
@ -205,35 +176,24 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
.setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); .setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
assertEquals(0, getAliasesResponse.getAliases().size()); assertEquals(0, getAliasesResponse.getAliases().size());
try { IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers)
client().filterWithHeader(headers).admin().indices().prepareGetAliases("_all").setIndices("test_1") .admin().indices().prepareGetAliases("_all")
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); .setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen())::get);
fail("get alias should have failed due empty set of indices after indices resolution"); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
} catch(IndexNotFoundException e) {
assertEquals("no such index", e.getMessage());
}
try { indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices()
client().filterWithHeader(headers).admin().indices().prepareGetAliases().setIndices("test_1") .prepareGetAliases().setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen())::get);
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
fail("get alias should have failed due empty set of indices after indices resolution");
} catch(IndexNotFoundException e) {
assertEquals("no such index", e.getMessage());
}
getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias") getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias")
.setIndices("test_*").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); .setIndices("test_*").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
assertEquals(0, getAliasesResponse.getAliases().size()); assertEquals(0, getAliasesResponse.getAliases().size());
try { //this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias
//this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias //and there is no way to "allow_no_aliases" like we can do with indices.
//and there is no way to "allow_no_aliases" like we can do with indices. indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices()
client().filterWithHeader(headers).admin().indices().prepareGetAliases() .prepareGetAliases().setIndicesOptions(IndicesOptions.lenientExpandOpen())::get);
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
fail("get alias should have failed due to missing manage_aliases privileges");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
} }
public void testCreateIndexThenAliasesCreateAndAliasesPermission() { public void testCreateIndexThenAliasesCreateAndAliasesPermission() {
@ -250,15 +210,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
//ok: user has manage_aliases on test_* //ok: user has manage_aliases on test_*
assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias_2").get()); assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias_2").get());
try { //fails: user doesn't have manage_aliases on alias_1
//fails: user doesn't have manage_aliases on alias_1 assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases()
client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "alias_1") .addAlias("test_1", "alias_1").addAlias("test_1", "test_alias")::get,
.addAlias("test_1", "test_alias").get(); IndicesAliasesAction.NAME, "create_test_aliases_test");
fail("add alias should have failed due to missing manage_aliases privileges on alias_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]"));
}
} }
public void testCreateIndexAndAliasesCreateAndAliasesPermission() { public void testCreateIndexAndAliasesCreateAndAliasesPermission() {
@ -269,15 +224,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
new SecuredString("test123".toCharArray()))); new SecuredString("test123".toCharArray())));
assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get()); assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get());
try { //fails: user doesn't have manage_aliases on alias_1
//fails: user doesn't have manage_aliases on alias_1 assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareCreate("test_2")
client().filterWithHeader(headers).admin().indices().prepareCreate("test_2").addAlias(new Alias("test_alias")) .addAlias(new Alias("test_alias")).addAlias(new Alias("alias_2"))::get,
.addAlias(new Alias("alias_2")).get(); IndicesAliasesAction.NAME, "create_test_aliases_test");
fail("create index should have failed due to missing manage_aliases privileges on alias_2");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]"));
}
} }
public void testDeleteAliasesCreateAndAliasesPermission() { public void testDeleteAliasesCreateAndAliasesPermission() {
@ -297,40 +247,23 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
//ok: user has manage_aliases on test_* //ok: user has manage_aliases on test_*
assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get()); assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get());
try { //fails: all aliases have been deleted, no existing aliases match test_alias_*
//fails: all aliases have been deleted, no existing aliases match test_alias_* IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get(); client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*")::get);
fail("remove alias should have failed due to no existing matching aliases to expand test_alias_* to"); assertThat(indexNotFoundException.toString(), containsString("[test_alias_*]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[test_alias_*]"));
}
try { //fails: all aliases have been deleted, no existing aliases match _all
//fails: all aliases have been deleted, no existing aliases match _all indexNotFoundException = expectThrows(IndexNotFoundException.class,
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all").get(); client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
fail("remove alias should have failed due to no existing matching aliases to expand _all to"); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
try { //fails: user doesn't have manage_aliases on alias_1
//fails: user doesn't have manage_aliases on alias_1 assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases()
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get(); .removeAlias("test_1", "alias_1")::get, IndicesAliasesAction.NAME, "create_test_aliases_test");
fail("remove alias should have failed due to missing manage_aliases privileges on alias_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]"));
}
try { //fails: user doesn't have manage_aliases on alias_1
//fails: user doesn't have manage_aliases on alias_1 assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases()
client().filterWithHeader(headers).admin().indices().prepareAliases() .removeAlias("test_1", new String[]{"_all", "alias_1"})::get, IndicesAliasesAction.NAME, "create_test_aliases_test");
.removeAlias("test_1", new String[]{"_all", "alias_1"}).get();
fail("remove alias should have failed due to missing manage_aliases privileges on alias_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]"));
}
} }
public void testGetAliasesCreateAndAliasesPermission() { public void testGetAliasesCreateAndAliasesPermission() {
@ -376,24 +309,14 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
assertAliases(client.admin().indices().prepareGetAliases(), assertAliases(client.admin().indices().prepareGetAliases(),
"test_1", "test_alias"); "test_1", "test_alias");
try { //fails: user has manage_aliases on test_*, although _all aliases and empty indices can be resolved, the explicit non
//fails: user has manage_aliases on test_*, although _all aliases and empty indices can be resolved, the explicit non // authorized alias (alias_1) causes the request to fail
// authorized alias (alias_1) causes the request to fail assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("_all", "alias_1")::get,
client.admin().indices().prepareGetAliases().setAliases("_all", "alias_1").get(); GetAliasesAction.NAME, "create_test_aliases_test");
fail("get alias should have failed due to missing manage_aliases privileges on alias_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_test]"));
}
try { //fails: user doesn't have manage_aliases on alias_1
//fails: user doesn't have manage_aliases on alias_1 assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("alias_1")::get,
client.admin().indices().prepareGetAliases().setAliases("alias_1").get(); GetAliasesAction.NAME, "create_test_aliases_test");
fail("get alias should have failed due to missing manage_aliases privileges on alias_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_test]"));
}
} }
public void testCreateIndexThenAliasesCreateAndAliasesPermission2() { public void testCreateIndexThenAliasesCreateAndAliasesPermission2() {
@ -405,31 +328,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
// on both aliases and indices // on both aliases and indices
assertAcked(client.admin().indices().prepareCreate("test_1")); assertAcked(client.admin().indices().prepareCreate("test_1"));
try { //fails: user doesn't have manage_aliases aliases on test_1
//fails: user doesn't have manage_aliases aliases on test_1 assertThrowsAuthorizationException(client.admin().indices().prepareAliases().addAlias("test_1", "test_alias")::get,
client.admin().indices().prepareAliases().addAlias("test_1", "test_alias").get(); IndicesAliasesAction.NAME, "create_test_aliases_alias");
fail("add alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
}
try { //fails: user doesn't have manage_aliases aliases on test_1
//fails: user doesn't have manage_aliases aliases on test_1 assertThrowsAuthorizationException(client.admin().indices().prepareAliases().addAlias("test_1", "alias_1")::get,
client.admin().indices().prepareAliases().addAlias("test_1", "alias_1").get(); IndicesAliasesAction.NAME, "create_test_aliases_alias");
fail("add alias should have failed due to missing manage_aliases privileges on test_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
}
try { //fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
//fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
client.admin().indices().prepareAliases().addAlias("test_*", "alias_1").get(); client.admin().indices().prepareAliases().addAlias("test_*", "alias_1")::get);
fail("add alias should have failed due to missing manage_aliases privileges on test_1"); assertThat(indexNotFoundException.toString(), containsString("[test_*]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[test_*]"));
}
} }
public void testCreateIndexAndAliasesCreateAndAliasesPermission2() { public void testCreateIndexAndAliasesCreateAndAliasesPermission2() {
@ -440,23 +350,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
//user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases //user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases
// on both aliases and indices // on both aliases and indices
try {
//fails: user doesn't have manage_aliases on test_1, create index is rejected as a whole
client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get();
fail("create index should have failed due to missing manage_aliases privileges on test_1 and test_alias");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
}
try { //fails: user doesn't have manage_aliases on test_1, create index is rejected as a whole
//fails: user doesn't have manage_aliases on test_*, create index is rejected as a whole assertThrowsAuthorizationException(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias"))::get,
client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).addAlias(new Alias("alias_1")).get(); IndicesAliasesAction.NAME, "create_test_aliases_alias");
fail("create index should have failed due to missing manage_aliases privileges on test_1 and test_alias");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
}
} }
public void testDeleteAliasesCreateAndAliasesPermission2() { public void testDeleteAliasesCreateAndAliasesPermission2() {
@ -466,32 +363,15 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
//user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases //user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases
// on both aliases and indices // on both aliases and indices
try {
//fails: user doesn't have manage_aliases on test_1
client.admin().indices().prepareAliases().removeAlias("test_1", "test_alias").get();
fail("remove alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
}
try { //fails: user doesn't have manage_aliases on test_1
//fails: user doesn't have manage_aliases on test_1 assertThrowsAuthorizationException(client.admin().indices().prepareAliases().removeAlias("test_1", "test_alias")::get,
client.admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get(); IndicesAliasesAction.NAME, "create_test_aliases_alias");
fail("remove alias should have failed due to missing manage_aliases privileges on test_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
}
try { //fails: user doesn't have manage_aliases on test_*, wildcards can't get replaced
//fails: user doesn't have manage_aliases on test_*, wildcards can't get replaced IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
client.admin().indices().prepareAliases().removeAlias("test_*", "alias_1").get(); client.admin().indices().prepareAliases().removeAlias("test_*", "alias_1")::get);
fail("remove alias should have failed due to missing manage_aliases privileges on test_*");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[test_*]"));
} }
}
public void testGetAliasesCreateAndAliasesPermission2() { public void testGetAliasesCreateAndAliasesPermission2() {
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER,
@ -502,14 +382,9 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
// on both aliases and indices // on both aliases and indices
assertAcked(client.admin().indices().prepareCreate("test_1")); assertAcked(client.admin().indices().prepareCreate("test_1"));
try { //fails: user doesn't have manage_aliases aliases on test_1, nor test_alias
//fails: user doesn't have manage_aliases aliases on test_1, nor test_alias assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("test_alias").setIndices("test_1")::get,
client.admin().indices().prepareGetAliases().setAliases("test_alias").setIndices("test_1").get(); GetAliasesAction.NAME, "create_test_aliases_alias");
fail("get alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_alias]"));
}
//user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards //user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases() GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases()
@ -520,37 +395,24 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get(); getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get();
assertEquals(0, getAliasesResponse.getAliases().size()); assertEquals(0, getAliasesResponse.getAliases().size());
try { //fails: no existing aliases to replace wildcards
//fails: no existing aliases to replace wildcards IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("test_*").get(); client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("test_*")::get);
fail("get alias should have failed due to missing manage_aliases privileges on test_1"); assertThat(indexNotFoundException.toString(), containsString("[test_*]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[test_*]"));
}
try { //fails: no existing aliases to replace _all
//fails: no existing aliases to replace _all indexNotFoundException = expectThrows(IndexNotFoundException.class,
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("_all").get(); client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("_all")::get);
fail("get alias should have failed due to missing manage_aliases privileges on test_1"); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
try { //fails: no existing aliases to replace empty aliases
//fails: no existing aliases to replace empty aliases indexNotFoundException = expectThrows(IndexNotFoundException.class,
client.admin().indices().prepareGetAliases().setIndices("test_1").get(); client.admin().indices().prepareGetAliases().setIndices("test_1")::get);
fail("get alias should have failed due to missing manage_aliases privileges on test_1"); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
try { //fails: no existing aliases to replace empty aliases
//fails: no existing aliases to replace empty aliases indexNotFoundException = expectThrows(IndexNotFoundException.class, client.admin().indices().prepareGetAliases()::get);
client.admin().indices().prepareGetAliases().get(); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
fail("get alias should have failed due to missing manage_aliases privileges on test_1");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
} }
public void testCreateIndexThenAliasesCreateAndAliasesPermission3() { public void testCreateIndexThenAliasesCreateAndAliasesPermission3() {
@ -588,26 +450,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
assertAcked(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).addAlias(new Alias("alias_1")) assertAcked(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).addAlias(new Alias("alias_1"))
.addAlias(new Alias("alias_2")).addAlias(new Alias("alias_3"))); .addAlias(new Alias("alias_2")).addAlias(new Alias("alias_3")));
try { //fails: user doesn't have manage_aliases privilege on non_authorized
//fails: user doesn't have manage_aliases privilege on non_authorized assertThrowsAuthorizationException(client.admin().indices().prepareAliases().removeAlias("test_1", "non_authorized")
client.admin().indices().prepareAliases().removeAlias("test_1", "non_authorized").removeAlias("test_1", "test_alias").get(); .removeAlias("test_1", "test_alias")::get, IndicesAliasesAction.NAME, "create_test_aliases_test_alias");
fail("remove alias should have failed due to missing manage_aliases privileges on non_authorized");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e,
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test_alias]"));
}
assertAcked(client.admin().indices().prepareAliases().removeAlias("test_1", "alias_1")); assertAcked(client.admin().indices().prepareAliases().removeAlias("test_1", "alias_1"));
assertAcked(client.admin().indices().prepareAliases().removeAlias("test_*", "_all")); assertAcked(client.admin().indices().prepareAliases().removeAlias("test_*", "_all"));
try { //fails: all aliases have been deleted, _all can't be resolved to any existing authorized aliases
//fails: all aliases have been deleted, _all can't be resolved to any existing authorized aliases IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
client.admin().indices().prepareAliases().removeAlias("test_1", "_all").get(); client.admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
fail("remove alias should have failed due to no existing aliases matching _all"); assertThat(indexNotFoundException.toString(), containsString("[_all]"));
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
} }
public void testGetAliasesCreateAndAliasesPermission3() { public void testGetAliasesCreateAndAliasesPermission3() {
@ -646,14 +500,9 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
} }
public void testCreateIndexAliasesOnlyPermission() { public void testCreateIndexAliasesOnlyPermission() {
try { assertThrowsAuthorizationException(client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER,
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("aliases_only", new SecuredString("test123".toCharArray()))))
basicAuthHeaderValue("aliases_only", new SecuredString("test123".toCharArray())))) .admin().indices().prepareCreate("test_1")::get, CreateIndexAction.NAME, "aliases_only");
.admin().indices().prepareCreate("test_1").get();
fail("Expected ElasticsearchSecurityException");
} catch (ElasticsearchSecurityException e) {
assertThat(e.getMessage(), is("action [indices:admin/create] is unauthorized for user [aliases_only]"));
}
} }
public void testGetAliasesAliasesOnlyPermissionStrict() { public void testGetAliasesAliasesOnlyPermissionStrict() {
@ -662,33 +511,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
final Client client = client().filterWithHeader(headers); final Client client = client().filterWithHeader(headers);
//user has manage_aliases only permissions on both alias_* and test_* //user has manage_aliases only permissions on both alias_* and test_*
//ok: manage_aliases on both test_* and alias_* //security plugin lets it through, but es core intercepts it due to strict indices options and throws index not found
try { IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client.admin().indices()
//security plugin lets it through, but es core intercepts it due to strict indices options and throws index not found .prepareGetAliases("alias_1").addIndices("test_1").setIndicesOptions(IndicesOptions.strictExpandOpen())::get);
client.admin().indices().prepareGetAliases("alias_1") assertEquals("no such index", indexNotFoundException.getMessage());
.addIndices("test_1").setIndicesOptions(IndicesOptions.strictExpandOpen()).get();
fail("Expected IndexNotFoundException");
} catch(IndexNotFoundException e) {
assertEquals("no such index", e.getMessage());
}
try { //fails: no manage_aliases privilege on non_authorized alias
//fails: no manage_aliases privilege on non_authorized alias assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1")
client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1") .setIndicesOptions(IndicesOptions.strictExpandOpen())::get, GetAliasesAction.NAME, "aliases_only");
.setIndicesOptions(IndicesOptions.strictExpandOpen()).get();
fail("Expected ElasticsearchSecurityException");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [aliases_only]"));
}
try { //fails: no manage_aliases privilege on non_authorized index
//fails: no manage_aliases privilege on non_authorized index assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized")
client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized") .setIndicesOptions(IndicesOptions.strictExpandOpen())::get, GetAliasesAction.NAME, "aliases_only");
.setIndicesOptions(IndicesOptions.strictExpandOpen()).get();
fail("Expected ElasticsearchSecurityException");
} catch(ElasticsearchSecurityException e) {
assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [aliases_only]"));
}
} }
public void testGetAliasesAliasesOnlyPermissionIgnoreUnavailable() { public void testGetAliasesAliasesOnlyPermissionIgnoreUnavailable() {

View File

@ -6,11 +6,16 @@
package org.elasticsearch.xpack.security.authz; package org.elasticsearch.xpack.security.authz;
import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.get.GetAction;
import org.elasticsearch.action.get.MultiGetAction;
import org.elasticsearch.action.get.MultiGetResponse; import org.elasticsearch.action.get.MultiGetResponse;
import org.elasticsearch.action.search.MultiSearchResponse; import org.elasticsearch.action.search.MultiSearchResponse;
import org.elasticsearch.action.search.SearchAction;
import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.action.termvectors.MultiTermVectorsAction;
import org.elasticsearch.action.termvectors.MultiTermVectorsResponse; import org.elasticsearch.action.termvectors.MultiTermVectorsResponse;
import org.elasticsearch.action.termvectors.TermVectorsAction;
import org.elasticsearch.client.Requests; import org.elasticsearch.client.Requests;
import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.search.SearchHit; import org.elasticsearch.search.SearchHit;
@ -20,9 +25,9 @@ import org.elasticsearch.test.SecuritySettingsSource;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationExceptionDefaultUsers;
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionDefaultUsers;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoSearchHits; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoSearchHits;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.core.IsCollectionContaining.hasItems; import static org.hamcrest.core.IsCollectionContaining.hasItems;
import static org.hamcrest.core.IsEqual.equalTo; import static org.hamcrest.core.IsEqual.equalTo;
import static org.hamcrest.core.IsInstanceOf.instanceOf; import static org.hamcrest.core.IsInstanceOf.instanceOf;
@ -118,12 +123,12 @@ public class ReadActionsTests extends SecurityIntegTestCase {
public void testExplicitNonAuthorizedIndex() { public void testExplicitNonAuthorizedIndex() {
createIndicesWithRandomAliases("test1", "test2", "index1"); createIndicesWithRandomAliases("test1", "test2", "index1");
assertThrowsAuthorizationException(client().prepareSearch("test*", "index1")); assertThrowsAuthorizationExceptionDefaultUsers(client().prepareSearch("test*", "index1")::get, SearchAction.NAME);
} }
public void testIndexNotFound() { public void testIndexNotFound() {
createIndicesWithRandomAliases("test1", "test2", "index1"); createIndicesWithRandomAliases("test1", "test2", "index1");
assertThrowsAuthorizationException(client().prepareSearch("missing")); assertThrowsAuthorizationExceptionDefaultUsers(client().prepareSearch("missing")::get, SearchAction.NAME);
} }
public void testIndexNotFoundIgnoreUnavailable() { public void testIndexNotFoundIgnoreUnavailable() {
@ -212,7 +217,7 @@ public class ReadActionsTests extends SecurityIntegTestCase {
assertTrue(multiSearchResponse.getResponses()[1].isFailure()); assertTrue(multiSearchResponse.getResponses()[1].isFailure());
Exception exception = multiSearchResponse.getResponses()[1].getFailure(); Exception exception = multiSearchResponse.getResponses()[1].getFailure();
assertThat(exception, instanceOf(ElasticsearchSecurityException.class)); assertThat(exception, instanceOf(ElasticsearchSecurityException.class));
assertAuthorizationException((ElasticsearchSecurityException)exception, containsString("is unauthorized for user [")); assertAuthorizationExceptionDefaultUsers(exception, SearchAction.NAME);
} }
{ {
MultiSearchResponse multiSearchResponse = client().prepareMultiSearch() MultiSearchResponse multiSearchResponse = client().prepareMultiSearch()
@ -243,7 +248,7 @@ public class ReadActionsTests extends SecurityIntegTestCase {
assertTrue(multiSearchResponse.getResponses()[1].isFailure()); assertTrue(multiSearchResponse.getResponses()[1].isFailure());
Exception exception = multiSearchResponse.getResponses()[1].getFailure(); Exception exception = multiSearchResponse.getResponses()[1].getFailure();
assertThat(exception, instanceOf(ElasticsearchSecurityException.class)); assertThat(exception, instanceOf(ElasticsearchSecurityException.class));
assertAuthorizationException((ElasticsearchSecurityException)exception, containsString("is unauthorized for user [")); assertAuthorizationExceptionDefaultUsers(exception, SearchAction.NAME);
} }
{ {
MultiSearchResponse multiSearchResponse = client().prepareMultiSearch() MultiSearchResponse multiSearchResponse = client().prepareMultiSearch()
@ -333,13 +338,9 @@ public class ReadActionsTests extends SecurityIntegTestCase {
client().prepareGet("test1", "type", "id").get(); client().prepareGet("test1", "type", "id").get();
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationExceptionDefaultUsers(client().prepareGet("index1", "type", "id")::get, GetAction.NAME);
() -> client().prepareGet("index1", "type", "id").get());
assertAuthorizationException(securityException);
securityException = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationExceptionDefaultUsers(client().prepareGet("missing", "type", "id")::get, GetAction.NAME);
() -> client().prepareGet("missing", "type", "id").get());
assertAuthorizationException(securityException);
expectThrows(IndexNotFoundException.class, () -> client().prepareGet("test5", "type", "id").get()); expectThrows(IndexNotFoundException.class, () -> client().prepareGet("test5", "type", "id").get());
} }
@ -357,7 +358,8 @@ public class ReadActionsTests extends SecurityIntegTestCase {
assertEquals("test1", multiGetResponse.getResponses()[0].getResponse().getIndex()); assertEquals("test1", multiGetResponse.getResponses()[0].getResponse().getIndex());
assertTrue(multiGetResponse.getResponses()[1].isFailed()); assertTrue(multiGetResponse.getResponses()[1].isFailed());
assertEquals("index1", multiGetResponse.getResponses()[1].getFailure().getIndex()); assertEquals("index1", multiGetResponse.getResponses()[1].getFailure().getIndex());
assertAuthorizationException((ElasticsearchSecurityException) multiGetResponse.getResponses()[1].getFailure().getFailure()); assertAuthorizationExceptionDefaultUsers(multiGetResponse.getResponses()[1].getFailure().getFailure(),
MultiGetAction.NAME + "[shard]");
assertFalse(multiGetResponse.getResponses()[2].isFailed()); assertFalse(multiGetResponse.getResponses()[2].isFailed());
assertEquals("test3", multiGetResponse.getResponses()[2].getResponse().getIndex()); assertEquals("test3", multiGetResponse.getResponses()[2].getResponse().getIndex());
assertTrue(multiGetResponse.getResponses()[3].isFailed()); assertTrue(multiGetResponse.getResponses()[3].isFailed());
@ -374,13 +376,9 @@ public class ReadActionsTests extends SecurityIntegTestCase {
createIndicesWithRandomAliases("test1", "index1"); createIndicesWithRandomAliases("test1", "index1");
client().prepareTermVectors("test1", "type", "id").get(); client().prepareTermVectors("test1", "type", "id").get();
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationExceptionDefaultUsers(client().prepareTermVectors("index1", "type", "id")::get, TermVectorsAction.NAME);
() -> client().prepareTermVectors("index1", "type", "id").get());
assertAuthorizationException(securityException);
securityException = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationExceptionDefaultUsers(client().prepareTermVectors("missing", "type", "id")::get, TermVectorsAction.NAME);
() -> client().prepareTermVectors("missing", "type", "id").get());
assertAuthorizationException(securityException);
expectThrows(IndexNotFoundException.class, () -> client().prepareTermVectors("test5", "type", "id").get()); expectThrows(IndexNotFoundException.class, () -> client().prepareTermVectors("test5", "type", "id").get());
} }
@ -398,12 +396,13 @@ public class ReadActionsTests extends SecurityIntegTestCase {
assertEquals("test1", response.getResponses()[0].getResponse().getIndex()); assertEquals("test1", response.getResponses()[0].getResponse().getIndex());
assertTrue(response.getResponses()[1].isFailed()); assertTrue(response.getResponses()[1].isFailed());
assertEquals("index1", response.getResponses()[1].getFailure().getIndex()); assertEquals("index1", response.getResponses()[1].getFailure().getIndex());
assertAuthorizationException((ElasticsearchSecurityException) response.getResponses()[1].getFailure().getCause()); assertAuthorizationExceptionDefaultUsers(response.getResponses()[1].getFailure().getCause(),
MultiTermVectorsAction.NAME + "[shard]");
assertFalse(response.getResponses()[2].isFailed()); assertFalse(response.getResponses()[2].isFailed());
assertEquals("test3", response.getResponses()[2].getResponse().getIndex()); assertEquals("test3", response.getResponses()[2].getResponse().getIndex());
assertTrue(response.getResponses()[3].isFailed()); assertTrue(response.getResponses()[3].isFailed());
assertEquals("missing", response.getResponses()[3].getFailure().getIndex()); assertEquals("missing", response.getResponses()[3].getFailure().getIndex());
//different behaviour compared to get api: we leak information about a non existing index that the current user is not //different behaviour compared to term_vector api: we leak information about a non existing index that the current user is not
//authorized for. Should rather be an authorization exception but we only authorize at the shard level in mget. If we //authorized for. Should rather be an authorization exception but we only authorize at the shard level in mget. If we
//authorized globally, we would fail the whole mget request which is not desirable. //authorized globally, we would fail the whole mget request which is not desirable.
assertThat(response.getResponses()[3].getFailure().getCause(), instanceOf(IndexNotFoundException.class)); assertThat(response.getResponses()[3].getFailure().getCause(), instanceOf(IndexNotFoundException.class));

View File

@ -7,16 +7,21 @@ package org.elasticsearch.xpack.security.authz;
import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.DocWriteRequest; import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.bulk.BulkAction;
import org.elasticsearch.action.bulk.BulkResponse; import org.elasticsearch.action.bulk.BulkResponse;
import org.elasticsearch.action.delete.DeleteAction;
import org.elasticsearch.action.delete.DeleteRequest; import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.index.IndexAction;
import org.elasticsearch.action.index.IndexRequest; import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.update.UpdateAction;
import org.elasticsearch.action.update.UpdateRequest; import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.index.engine.DocumentMissingException; import org.elasticsearch.index.engine.DocumentMissingException;
import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource; import org.elasticsearch.test.SecuritySettingsSource;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationExceptionDefaultUsers;
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionDefaultUsers;
import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.core.IsInstanceOf.instanceOf; import static org.hamcrest.core.IsInstanceOf.instanceOf;
@ -41,14 +46,13 @@ public class WriteActionsTests extends SecurityIntegTestCase {
createIndex("test1", "index1"); createIndex("test1", "index1");
client().prepareIndex("test1", "type", "id").setSource("field", "value").get(); client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
assertThrowsAuthorizationException(client().prepareIndex("index1", "type", "id").setSource("field", "value")); assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("index1", "type", "id").setSource("field", "value")::get,
IndexAction.NAME);
client().prepareIndex("test4", "type", "id").setSource("field", "value").get(); client().prepareIndex("test4", "type", "id").setSource("field", "value").get();
//the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization //the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("missing", "type", "id").setSource("field", "value")::get,
() -> client().prepareIndex("missing", "type", "id").setSource("field", "value").get()); IndexAction.NAME);
assertAuthorizationException(exception);
assertThat(exception.getMessage(), containsString("[indices:data/write/index] is unauthorized"));
} }
public void testDelete() { public void testDelete() {
@ -56,14 +60,11 @@ public class WriteActionsTests extends SecurityIntegTestCase {
client().prepareIndex("test1", "type", "id").setSource("field", "value").get(); client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
assertEquals(RestStatus.OK, client().prepareDelete("test1", "type", "id").get().status()); assertEquals(RestStatus.OK, client().prepareDelete("test1", "type", "id").get().status());
assertThrowsAuthorizationException(client().prepareDelete("index1", "type", "id")); assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, DeleteAction.NAME);
assertEquals(RestStatus.NOT_FOUND, client().prepareDelete("test4", "type", "id").get().status()); assertEquals(RestStatus.NOT_FOUND, client().prepareDelete("test4", "type", "id").get().status());
ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, DeleteAction.NAME);
() -> client().prepareDelete("missing", "type", "id").get());
assertAuthorizationException(exception);
assertThat(exception.getMessage(), containsString("[indices:data/write/delete] is unauthorized"));
} }
public void testUpdate() { public void testUpdate() {
@ -71,14 +72,13 @@ public class WriteActionsTests extends SecurityIntegTestCase {
client().prepareIndex("test1", "type", "id").setSource("field", "value").get(); client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
assertEquals(RestStatus.OK, client().prepareUpdate("test1", "type", "id").setDoc("field2", "value2").get().status()); assertEquals(RestStatus.OK, client().prepareUpdate("test1", "type", "id").setDoc("field2", "value2").get().status());
assertThrowsAuthorizationException(client().prepareUpdate("index1", "type", "id").setDoc("field2", "value2")); assertThrowsAuthorizationExceptionDefaultUsers(client().prepareUpdate("index1", "type", "id").setDoc("field2", "value2")::get,
UpdateAction.NAME);
expectThrows(DocumentMissingException.class, () -> client().prepareUpdate("test4", "type", "id").setDoc("field2", "value2").get()); expectThrows(DocumentMissingException.class, () -> client().prepareUpdate("test4", "type", "id").setDoc("field2", "value2").get());
ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, assertThrowsAuthorizationExceptionDefaultUsers(client().prepareUpdate("missing", "type", "id").setDoc("field2", "value2")::get,
() -> client().prepareUpdate("missing", "type", "id").setDoc("field2", "value2").get()); UpdateAction.NAME);
assertAuthorizationException(exception);
assertThat(exception.getMessage(), containsString("[indices:data/write/update] is unauthorized"));
} }
public void testBulk() { public void testBulk() {
@ -105,7 +105,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
assertTrue(bulkResponse.getItems()[1].isFailed()); assertTrue(bulkResponse.getItems()[1].isFailed());
assertEquals(DocWriteRequest.OpType.INDEX, bulkResponse.getItems()[1].getOpType()); assertEquals(DocWriteRequest.OpType.INDEX, bulkResponse.getItems()[1].getOpType());
assertEquals("index1", bulkResponse.getItems()[1].getFailure().getIndex()); assertEquals("index1", bulkResponse.getItems()[1].getFailure().getIndex());
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[1].getFailure().getCause()); assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[1].getFailure().getCause(), BulkAction.NAME + "[s]");
assertThat(bulkResponse.getItems()[1].getFailure().getCause().getMessage(), assertThat(bulkResponse.getItems()[1].getFailure().getCause().getMessage(),
containsString("[indices:data/write/bulk[s]] is unauthorized")); containsString("[indices:data/write/bulk[s]] is unauthorized"));
assertFalse(bulkResponse.getItems()[2].isFailed()); assertFalse(bulkResponse.getItems()[2].isFailed());
@ -116,7 +116,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
//the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization //the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
assertEquals("missing", bulkResponse.getItems()[3].getFailure().getIndex()); assertEquals("missing", bulkResponse.getItems()[3].getFailure().getIndex());
assertThat(bulkResponse.getItems()[3].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class)); assertThat(bulkResponse.getItems()[3].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class));
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[3].getFailure().getCause()); assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[3].getFailure().getCause(), BulkAction.NAME + "[s]");
assertThat(bulkResponse.getItems()[3].getFailure().getCause().getMessage(), assertThat(bulkResponse.getItems()[3].getFailure().getCause().getMessage(),
containsString("[indices:data/write/bulk[s]] is unauthorized")); containsString("[indices:data/write/bulk[s]] is unauthorized"));
assertFalse(bulkResponse.getItems()[4].isFailed()); assertFalse(bulkResponse.getItems()[4].isFailed());
@ -125,7 +125,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
assertTrue(bulkResponse.getItems()[5].isFailed()); assertTrue(bulkResponse.getItems()[5].isFailed());
assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[5].getOpType()); assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[5].getOpType());
assertEquals("index1", bulkResponse.getItems()[5].getFailure().getIndex()); assertEquals("index1", bulkResponse.getItems()[5].getFailure().getIndex());
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[5].getFailure().getCause()); assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[5].getFailure().getCause(), BulkAction.NAME + "[s]");
assertThat(bulkResponse.getItems()[5].getFailure().getCause().getMessage(), assertThat(bulkResponse.getItems()[5].getFailure().getCause().getMessage(),
containsString("[indices:data/write/bulk[s]] is unauthorized")); containsString("[indices:data/write/bulk[s]] is unauthorized"));
assertFalse(bulkResponse.getItems()[6].isFailed()); assertFalse(bulkResponse.getItems()[6].isFailed());
@ -134,7 +134,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
assertTrue(bulkResponse.getItems()[7].isFailed()); assertTrue(bulkResponse.getItems()[7].isFailed());
assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[7].getOpType()); assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[7].getOpType());
assertEquals("missing", bulkResponse.getItems()[7].getFailure().getIndex()); assertEquals("missing", bulkResponse.getItems()[7].getFailure().getIndex());
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[7].getFailure().getCause()); assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[7].getFailure().getCause(), BulkAction.NAME + "[s]");
assertThat(bulkResponse.getItems()[7].getFailure().getCause().getMessage(), assertThat(bulkResponse.getItems()[7].getFailure().getCause().getMessage(),
containsString("[indices:data/write/bulk[s]] is unauthorized")); containsString("[indices:data/write/bulk[s]] is unauthorized"));
assertFalse(bulkResponse.getItems()[8].isFailed()); assertFalse(bulkResponse.getItems()[8].isFailed());
@ -146,7 +146,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
assertTrue(bulkResponse.getItems()[10].isFailed()); assertTrue(bulkResponse.getItems()[10].isFailed());
assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[10].getOpType()); assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[10].getOpType());
assertEquals("index1", bulkResponse.getItems()[10].getFailure().getIndex()); assertEquals("index1", bulkResponse.getItems()[10].getFailure().getIndex());
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[10].getFailure().getCause()); assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[10].getFailure().getCause(), BulkAction.NAME + "[s]");
assertThat(bulkResponse.getItems()[10].getFailure().getCause().getMessage(), assertThat(bulkResponse.getItems()[10].getFailure().getCause().getMessage(),
containsString("[indices:data/write/bulk[s]] is unauthorized")); containsString("[indices:data/write/bulk[s]] is unauthorized"));
assertTrue(bulkResponse.getItems()[11].isFailed()); assertTrue(bulkResponse.getItems()[11].isFailed());
@ -157,7 +157,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[12].getOpType()); assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[12].getOpType());
assertEquals("missing", bulkResponse.getItems()[12].getFailure().getIndex()); assertEquals("missing", bulkResponse.getItems()[12].getFailure().getIndex());
assertThat(bulkResponse.getItems()[12].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class)); assertThat(bulkResponse.getItems()[12].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class));
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[12].getFailure().getCause()); assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[12].getFailure().getCause(), BulkAction.NAME + "[s]");
assertThat(bulkResponse.getItems()[12].getFailure().getCause().getMessage(), assertThat(bulkResponse.getItems()[12].getFailure().getCause().getMessage(),
containsString("[indices:data/write/bulk[s]] is unauthorized")); containsString("[indices:data/write/bulk[s]] is unauthorized"));
} }