[TEST] consolidate different assertAuthorizationException methods in one place
Original commit: elastic/x-pack-elasticsearch@27de6db7e0
This commit is contained in:
parent
3dbea2f4c2
commit
06b5d42741
|
@ -5,24 +5,25 @@
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.integration;
|
package org.elasticsearch.integration;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesAction;
|
||||||
import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse;
|
import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse;
|
||||||
|
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateAction;
|
||||||
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
|
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
|
||||||
import org.elasticsearch.client.Client;
|
import org.elasticsearch.client.Client;
|
||||||
import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
|
import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
|
||||||
|
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||||
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
||||||
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.xpack.security.authc.support.SecuredStringTests;
|
import org.elasticsearch.xpack.security.authc.support.SecuredStringTests;
|
||||||
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||||
import org.elasticsearch.test.SecurityIntegTestCase;
|
|
||||||
|
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
|
||||||
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
|
|
||||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
|
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
|
||||||
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.hamcrest.Matchers.hasSize;
|
import static org.hamcrest.Matchers.hasSize;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -103,29 +104,14 @@ public class PermissionPrecedenceTests extends SecurityIntegTestCase {
|
||||||
|
|
||||||
// now lets try with "user"
|
// now lets try with "user"
|
||||||
|
|
||||||
try {
|
Map<String, String> auth = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user",
|
||||||
Map<String, String> auth = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user",
|
transportClientPassword()));
|
||||||
transportClientPassword()));
|
assertThrowsAuthorizationException(client.filterWithHeader(auth).admin().indices().preparePutTemplate("template1")
|
||||||
client.filterWithHeader(auth)
|
.setTemplate("test_*")::get, PutIndexTemplateAction.NAME, "user");
|
||||||
.admin().indices().preparePutTemplate("template1")
|
|
||||||
.setTemplate("test_*")
|
|
||||||
.get();
|
|
||||||
fail("expected an authorization exception as template APIs should require cluster ALL permission");
|
|
||||||
} catch (ElasticsearchSecurityException e) {
|
|
||||||
// expected
|
|
||||||
assertAuthorizationException(e);
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
Map<String, String> headers = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user",
|
||||||
Map<String, String> headers = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user",
|
SecuredStringTests.build("test123")));
|
||||||
SecuredStringTests.build("test123")));
|
assertThrowsAuthorizationException(client.filterWithHeader(headers).admin().indices().prepareGetTemplates("template1")::get,
|
||||||
client.filterWithHeader(headers)
|
GetIndexTemplatesAction.NAME, "user");
|
||||||
.admin().indices().prepareGetTemplates("template1")
|
|
||||||
.get();
|
|
||||||
fail("expected an authorization exception as template APIs should require cluster ALL permission");
|
|
||||||
} catch (ElasticsearchSecurityException e) {
|
|
||||||
// expected
|
|
||||||
assertAuthorizationException(e);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,23 +5,19 @@
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.integration;
|
package org.elasticsearch.integration;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
|
||||||
import org.elasticsearch.ExceptionsHelper;
|
|
||||||
import org.elasticsearch.action.index.IndexRequestBuilder;
|
import org.elasticsearch.action.index.IndexRequestBuilder;
|
||||||
import org.elasticsearch.action.search.SearchResponse;
|
import org.elasticsearch.action.search.SearchResponse;
|
||||||
import org.elasticsearch.common.unit.TimeValue;
|
import org.elasticsearch.common.unit.TimeValue;
|
||||||
import org.elasticsearch.xpack.security.crypto.CryptoService;
|
|
||||||
import org.elasticsearch.xpack.security.crypto.CryptoService;
|
|
||||||
import org.elasticsearch.test.SecurityIntegTestCase;
|
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||||
|
import org.elasticsearch.xpack.security.crypto.CryptoService;
|
||||||
|
|
||||||
import java.util.Locale;
|
import java.util.Locale;
|
||||||
|
|
||||||
import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery;
|
import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery;
|
||||||
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
|
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
|
||||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitCount;
|
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitCount;
|
||||||
import static org.hamcrest.Matchers.equalTo;
|
import static org.hamcrest.Matchers.equalTo;
|
||||||
import static org.hamcrest.Matchers.is;
|
import static org.hamcrest.Matchers.is;
|
||||||
import static org.hamcrest.Matchers.notNullValue;
|
|
||||||
|
|
||||||
public class ScrollIdSigningTests extends SecurityIntegTestCase {
|
public class ScrollIdSigningTests extends SecurityIntegTestCase {
|
||||||
public void testSearchAndClearScroll() throws Exception {
|
public void testSearchAndClearScroll() throws Exception {
|
||||||
|
@ -66,14 +62,10 @@ public class ScrollIdSigningTests extends SecurityIntegTestCase {
|
||||||
String scrollId = response.getScrollId();
|
String scrollId = response.getScrollId();
|
||||||
String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) :
|
String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) :
|
||||||
scrollId + randomAsciiOfLength(randomIntBetween(3, 10));
|
scrollId + randomAsciiOfLength(randomIntBetween(3, 10));
|
||||||
|
|
||||||
try {
|
try {
|
||||||
client().prepareSearchScroll(tamperedScrollId).setScroll(TimeValue.timeValueMinutes(2)).get();
|
assertThrowsAuthorizationException(client().prepareSearchScroll(tamperedScrollId).setScroll(TimeValue.timeValueMinutes(2))::get,
|
||||||
fail("Expected an authorization exception to be thrown when scroll id is tampered");
|
equalTo("invalid request. tampered signed text"));
|
||||||
} catch (Exception e) {
|
|
||||||
ElasticsearchSecurityException ese = (ElasticsearchSecurityException) ExceptionsHelper.unwrap(e,
|
|
||||||
ElasticsearchSecurityException.class);
|
|
||||||
assertThat(ese, notNullValue());
|
|
||||||
assertAuthorizationException(ese);
|
|
||||||
} finally {
|
} finally {
|
||||||
clearScroll(scrollId);
|
clearScroll(scrollId);
|
||||||
}
|
}
|
||||||
|
@ -92,14 +84,10 @@ public class ScrollIdSigningTests extends SecurityIntegTestCase {
|
||||||
String scrollId = response.getScrollId();
|
String scrollId = response.getScrollId();
|
||||||
String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) :
|
String tamperedScrollId = randomBoolean() ? scrollId.substring(randomIntBetween(1, 10)) :
|
||||||
scrollId + randomAsciiOfLength(randomIntBetween(3, 10));
|
scrollId + randomAsciiOfLength(randomIntBetween(3, 10));
|
||||||
|
|
||||||
try {
|
try {
|
||||||
client().prepareClearScroll().addScrollId(tamperedScrollId).get();
|
assertThrowsAuthorizationException(client().prepareClearScroll().addScrollId(tamperedScrollId)::get,
|
||||||
fail("Expected an authorization exception to be thrown when scroll id is tampered");
|
equalTo("invalid request. tampered signed text"));
|
||||||
} catch (Exception e) {
|
|
||||||
ElasticsearchSecurityException ese = (ElasticsearchSecurityException) ExceptionsHelper.unwrap(e,
|
|
||||||
ElasticsearchSecurityException.class);
|
|
||||||
assertThat(ese, notNullValue());
|
|
||||||
assertAuthorizationException(ese);
|
|
||||||
} finally {
|
} finally {
|
||||||
clearScroll(scrollId);
|
clearScroll(scrollId);
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,8 +6,6 @@
|
||||||
package org.elasticsearch.test;
|
package org.elasticsearch.test;
|
||||||
|
|
||||||
import org.elasticsearch.AbstractOldXPackIndicesBackwardsCompatibilityTestCase;
|
import org.elasticsearch.AbstractOldXPackIndicesBackwardsCompatibilityTestCase;
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
|
||||||
import org.elasticsearch.action.ActionRequestBuilder;
|
|
||||||
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
||||||
import org.elasticsearch.action.admin.cluster.node.info.NodeInfo;
|
import org.elasticsearch.action.admin.cluster.node.info.NodeInfo;
|
||||||
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
|
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
|
||||||
|
@ -43,7 +41,6 @@ import java.util.stream.Collectors;
|
||||||
|
|
||||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoTimeout;
|
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoTimeout;
|
||||||
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.hamcrest.Matchers.containsString;
|
|
||||||
import static org.hamcrest.Matchers.is;
|
import static org.hamcrest.Matchers.is;
|
||||||
import static org.hamcrest.core.IsCollectionContaining.hasItem;
|
import static org.hamcrest.core.IsCollectionContaining.hasItem;
|
||||||
|
|
||||||
|
@ -362,11 +359,10 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
|
||||||
assertThat(clusterHealthResponse.getStatus(), is(ClusterHealthStatus.GREEN));
|
assertThat(clusterHealthResponse.getStatus(), is(ClusterHealthStatus.GREEN));
|
||||||
}
|
}
|
||||||
|
|
||||||
protected static void assertThrowsAuthorizationException(ActionRequestBuilder actionRequestBuilder) {
|
/**
|
||||||
ElasticsearchSecurityException e = expectThrows(ElasticsearchSecurityException.class, actionRequestBuilder::get);
|
* Creates the indices provided as argument, randomly associating them with aliases, indexes one dummy document per index
|
||||||
SecurityTestsUtils.assertAuthorizationException(e, containsString("is unauthorized for user ["));
|
* and refreshes the new indices
|
||||||
}
|
*/
|
||||||
|
|
||||||
protected void createIndicesWithRandomAliases(String... indices) {
|
protected void createIndicesWithRandomAliases(String... indices) {
|
||||||
if (randomBoolean()) {
|
if (randomBoolean()) {
|
||||||
//no aliases
|
//no aliases
|
||||||
|
@ -388,7 +384,7 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
|
||||||
for (String index : indices) {
|
for (String index : indices) {
|
||||||
client().prepareIndex(index, "type").setSource("field", "value").get();
|
client().prepareIndex(index, "type").setSource("field", "value").get();
|
||||||
}
|
}
|
||||||
refresh();
|
refresh(indices);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -5,11 +5,16 @@
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.test;
|
package org.elasticsearch.test;
|
||||||
|
|
||||||
|
import org.apache.lucene.util.LuceneTestCase;
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.ElasticsearchSecurityException;
|
||||||
import org.elasticsearch.rest.RestStatus;
|
import org.elasticsearch.rest.RestStatus;
|
||||||
import org.hamcrest.Matcher;
|
import org.hamcrest.Matcher;
|
||||||
|
|
||||||
|
import static org.apache.lucene.util.LuceneTestCase.expectThrows;
|
||||||
import static org.elasticsearch.xpack.security.test.SecurityAssertions.assertContainsWWWAuthenticateHeader;
|
import static org.elasticsearch.xpack.security.test.SecurityAssertions.assertContainsWWWAuthenticateHeader;
|
||||||
|
import static org.hamcrest.CoreMatchers.containsString;
|
||||||
|
import static org.hamcrest.CoreMatchers.either;
|
||||||
|
import static org.hamcrest.CoreMatchers.instanceOf;
|
||||||
import static org.hamcrest.CoreMatchers.nullValue;
|
import static org.hamcrest.CoreMatchers.nullValue;
|
||||||
import static org.hamcrest.Matchers.is;
|
import static org.hamcrest.Matchers.is;
|
||||||
import static org.junit.Assert.assertThat;
|
import static org.junit.Assert.assertThat;
|
||||||
|
@ -31,13 +36,38 @@ public class SecurityTestsUtils {
|
||||||
assertThat(e.getMessage(), messageMatcher);
|
assertThat(e.getMessage(), messageMatcher);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void assertAuthorizationException(ElasticsearchSecurityException e) {
|
public static void assertThrowsAuthorizationException(LuceneTestCase.ThrowingRunnable throwingRunnable, String action, String user) {
|
||||||
assertThat(e.status(), is(RestStatus.FORBIDDEN));
|
assertThrowsAuthorizationException(throwingRunnable,
|
||||||
|
containsString("[" + action + "] is unauthorized for user [" + user + "]"));
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void assertAuthorizationException(ElasticsearchSecurityException e, Matcher<String> messageMatcher) {
|
public static void assertThrowsAuthorizationExceptionRunAs(LuceneTestCase.ThrowingRunnable throwingRunnable,
|
||||||
assertAuthorizationException(e);
|
String action, String user, String runAs) {
|
||||||
assertThat(e.getMessage(), messageMatcher);
|
assertThrowsAuthorizationException(throwingRunnable,
|
||||||
|
containsString("[" + action + "] is unauthorized for user [" + user + "] run as [" + runAs + "]"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static void assertThrowsAuthorizationExceptionDefaultUsers(LuceneTestCase.ThrowingRunnable throwingRunnable, String action) {
|
||||||
|
ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, throwingRunnable);
|
||||||
|
assertAuthorizationExceptionDefaultUsers(exception, action);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void assertAuthorizationExceptionDefaultUsers(Throwable throwable, String action) {
|
||||||
|
assertAuthorizationException(throwable, either(containsString("[" + action + "] is unauthorized for user ["
|
||||||
|
+ SecuritySettingsSource.DEFAULT_USER_NAME + "]")).or(containsString("[" + action + "] is unauthorized for user ["
|
||||||
|
+ SecuritySettingsSource.DEFAULT_TRANSPORT_CLIENT_USER_NAME + "]")));
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void assertThrowsAuthorizationException(LuceneTestCase.ThrowingRunnable throwingRunnable,
|
||||||
|
Matcher<String> messageMatcher) {
|
||||||
|
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class, throwingRunnable);
|
||||||
|
assertAuthorizationException(securityException, messageMatcher);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void assertAuthorizationException(Throwable throwable, Matcher<String> messageMatcher) {
|
||||||
|
assertThat(throwable, instanceOf(ElasticsearchSecurityException.class));
|
||||||
|
ElasticsearchSecurityException securityException = (ElasticsearchSecurityException) throwable;
|
||||||
|
assertThat(securityException.status(), is(RestStatus.FORBIDDEN));
|
||||||
|
assertThat(throwable.getMessage(), messageMatcher);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,17 +5,16 @@
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.xpack.security.authz;
|
package org.elasticsearch.xpack.security.authz;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction;
|
||||||
|
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||||
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
||||||
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.SecurityIntegTestCase;
|
|
||||||
|
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
|
||||||
|
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
|
||||||
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
|
||||||
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
|
|
||||||
import static org.hamcrest.CoreMatchers.containsString;
|
|
||||||
|
|
||||||
public class AnalyzeTests extends SecurityIntegTestCase {
|
public class AnalyzeTests extends SecurityIntegTestCase {
|
||||||
protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray())));
|
protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray())));
|
||||||
|
@ -59,34 +58,28 @@ public class AnalyzeTests extends SecurityIntegTestCase {
|
||||||
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
|
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
|
||||||
.admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get();
|
.admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get();
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have permissions for analyze on index non_authorized
|
||||||
//fails: user doesn't have permissions for analyze on index non_authorized
|
assertThrowsAuthorizationException(client().filterWithHeader(
|
||||||
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
|
Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
|
||||||
.admin().indices().prepareAnalyze("this is my text").setIndex("non_authorized").setAnalyzer("standard").get();
|
.admin().indices().prepareAnalyze("this is my text").setIndex("non_authorized").setAnalyzer("standard")::get,
|
||||||
} catch(ElasticsearchSecurityException e) {
|
AnalyzeAction.NAME, "analyze_indices");
|
||||||
assertAuthorizationException(e, containsString("action [indices:admin/analyze] is unauthorized for user [analyze_indices]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have permissions for cluster level analyze
|
||||||
//fails: user doesn't have permissions for cluster level analyze
|
assertThrowsAuthorizationException(client().filterWithHeader(
|
||||||
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
|
Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd)))
|
||||||
.admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard").get();
|
.admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard")::get,
|
||||||
} catch(ElasticsearchSecurityException e) {
|
"cluster:admin/analyze", "analyze_indices");
|
||||||
assertAuthorizationException(e, containsString("action [cluster:admin/analyze] is unauthorized for user [analyze_indices]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testAnalyzeWithoutIndices() {
|
public void testAnalyzeWithoutIndices() {
|
||||||
//this test tries to execute different analyze api variants from a user that has analyze privileges only at cluster level
|
//this test tries to execute different analyze api variants from a user that has analyze privileges only at cluster level
|
||||||
|
|
||||||
SecuredString passwd = new SecuredString("test123".toCharArray());
|
SecuredString passwd = new SecuredString("test123".toCharArray());
|
||||||
try {
|
//fails: user doesn't have permissions for analyze on index test_1
|
||||||
//fails: user doesn't have permissions for analyze on index test_1
|
assertThrowsAuthorizationException(client().filterWithHeader(
|
||||||
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd)))
|
Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd)))
|
||||||
.admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get();
|
.admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard")::get,
|
||||||
} catch(ElasticsearchSecurityException e) {
|
AnalyzeAction.NAME, "analyze_cluster");
|
||||||
assertAuthorizationException(e, containsString("action [indices:admin/analyze] is unauthorized for user [analyze_cluster]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd)))
|
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd)))
|
||||||
.admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard").get();
|
.admin().indices().prepareAnalyze("this is my text").setAnalyzer("standard").get();
|
||||||
|
|
|
@ -68,7 +68,6 @@ import org.elasticsearch.cluster.service.ClusterService;
|
||||||
import org.elasticsearch.common.collect.Tuple;
|
import org.elasticsearch.common.collect.Tuple;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.rest.RestStatus;
|
|
||||||
import org.elasticsearch.test.ESTestCase;
|
import org.elasticsearch.test.ESTestCase;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
import org.elasticsearch.transport.TransportRequest;
|
import org.elasticsearch.transport.TransportRequest;
|
||||||
|
@ -97,7 +96,8 @@ import java.util.Collections;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthenticationException;
|
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthenticationException;
|
||||||
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
|
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
|
||||||
|
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionRunAs;
|
||||||
import static org.hamcrest.Matchers.arrayContaining;
|
import static org.hamcrest.Matchers.arrayContaining;
|
||||||
import static org.hamcrest.Matchers.containsInAnyOrder;
|
import static org.hamcrest.Matchers.containsInAnyOrder;
|
||||||
import static org.hamcrest.Matchers.containsString;
|
import static org.hamcrest.Matchers.containsString;
|
||||||
|
@ -144,67 +144,49 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
|
|
||||||
public void testIndicesActionsAreNotAuthorized() {
|
public void testIndicesActionsAreNotAuthorized() {
|
||||||
TransportRequest request = mock(TransportRequest.class);
|
TransportRequest request = mock(TransportRequest.class);
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "indices:", request);
|
() -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "indices:", request),
|
||||||
fail("action beginning with indices should have failed");
|
"indices:", SystemUser.INSTANCE.principal());
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "indices:", request);
|
||||||
assertAuthorizationException(e,
|
verifyNoMoreInteractions(auditTrail);
|
||||||
containsString("action [indices:] is unauthorized for user [" + SystemUser.INSTANCE.principal() + "]"));
|
|
||||||
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "indices:", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testClusterAdminActionsAreNotAuthorized() {
|
public void testClusterAdminActionsAreNotAuthorized() {
|
||||||
TransportRequest request = mock(TransportRequest.class);
|
TransportRequest request = mock(TransportRequest.class);
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/whatever", request);
|
() -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/whatever", request),
|
||||||
fail("action beginning with cluster:admin/whatever should have failed");
|
"cluster:admin/whatever", SystemUser.INSTANCE.principal());
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/whatever", request);
|
||||||
assertAuthorizationException(e,
|
verifyNoMoreInteractions(auditTrail);
|
||||||
containsString("action [cluster:admin/whatever] is unauthorized for user [" + SystemUser.INSTANCE.principal() + "]"));
|
|
||||||
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/whatever", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testClusterAdminSnapshotStatusActionIsNotAuthorized() {
|
public void testClusterAdminSnapshotStatusActionIsNotAuthorized() {
|
||||||
TransportRequest request = mock(TransportRequest.class);
|
TransportRequest request = mock(TransportRequest.class);
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/snapshot/status", request);
|
() -> authorizationService.authorize(createAuthentication(SystemUser.INSTANCE), "cluster:admin/snapshot/status", request),
|
||||||
fail("action beginning with cluster:admin/snapshot/status should have failed");
|
"cluster:admin/snapshot/status", SystemUser.INSTANCE.principal());
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/snapshot/status", request);
|
||||||
assertAuthorizationException(e, containsString("action [cluster:admin/snapshot/status] is unauthorized for user [" +
|
verifyNoMoreInteractions(auditTrail);
|
||||||
SystemUser.INSTANCE.principal() + "]"));
|
|
||||||
verify(auditTrail).accessDenied(SystemUser.INSTANCE, "cluster:admin/snapshot/status", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testNoRolesCausesDenial() {
|
public void testNoRolesCausesDenial() {
|
||||||
TransportRequest request = new SearchRequest();
|
TransportRequest request = new SearchRequest();
|
||||||
User user = new User("test user");
|
User user = new User("test user");
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(user), "indices:a", request);
|
() -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
|
||||||
fail("user without roles should be denied");
|
"indices:a", "test user");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(user, "indices:a", request);
|
||||||
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]"));
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).accessDenied(user, "indices:a", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testUnknownRoleCausesDenial() {
|
public void testUnknownRoleCausesDenial() {
|
||||||
TransportRequest request = new SearchRequest();
|
TransportRequest request = new SearchRequest();
|
||||||
User user = new User("test user", "non-existent-role");
|
User user = new User("test user", "non-existent-role");
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(user), "indices:a", request);
|
() -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
|
||||||
fail("user with unknown role only should have been denied");
|
"indices:a", "test user");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(user, "indices:a", request);
|
||||||
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]"));
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).accessDenied(user, "indices:a", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testThatNonIndicesAndNonClusterActionIsDenied() {
|
public void testThatNonIndicesAndNonClusterActionIsDenied() {
|
||||||
|
@ -212,14 +194,11 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
User user = new User("test user", "a_all");
|
User user = new User("test user", "a_all");
|
||||||
when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build());
|
when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build());
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(user), "whatever", request);
|
() -> authorizationService.authorize(createAuthentication(user), "whatever", request),
|
||||||
fail("non indices and non cluster requests should be denied");
|
"whatever", "test user");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(user, "whatever", request);
|
||||||
assertAuthorizationException(e, containsString("action [whatever] is unauthorized for user [test user]"));
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).accessDenied(user, "whatever", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testThatRoleWithNoIndicesIsDenied() {
|
public void testThatRoleWithNoIndicesIsDenied() {
|
||||||
|
@ -227,14 +206,11 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
User user = new User("test user", "no_indices");
|
User user = new User("test user", "no_indices");
|
||||||
when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build());
|
when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build());
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(user), "indices:a", request);
|
() -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
|
||||||
fail("user only has cluster roles so indices requests should fail");
|
"indices:a", "test user");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(user, "indices:a", request);
|
||||||
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]"));
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).accessDenied(user, "indices:a", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testSearchAgainstEmptyCluster() {
|
public void testSearchAgainstEmptyCluster() {
|
||||||
|
@ -248,14 +224,12 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
//ignore_unavailable set to false, user is not authorized for this index nor does it exist
|
//ignore_unavailable set to false, user is not authorized for this index nor does it exist
|
||||||
SearchRequest searchRequest = new SearchRequest("does_not_exist")
|
SearchRequest searchRequest = new SearchRequest("does_not_exist")
|
||||||
.indicesOptions(IndicesOptions.fromOptions(false, true, true, false));
|
.indicesOptions(IndicesOptions.fromOptions(false, true, true, false));
|
||||||
try {
|
|
||||||
authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest);
|
assertThrowsAuthorizationException(
|
||||||
fail("indices request for b should be denied since there is no such index");
|
() -> authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest),
|
||||||
} catch (ElasticsearchSecurityException e) {
|
SearchAction.NAME, "test user");
|
||||||
assertAuthorizationException(e, containsString("action [" + SearchAction.NAME + "] is unauthorized for user [test user]"));
|
verify(auditTrail).accessDenied(user, SearchAction.NAME, searchRequest);
|
||||||
verify(auditTrail).accessDenied(user, SearchAction.NAME, searchRequest);
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -312,16 +286,13 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
when(clusterService.state()).thenReturn(state);
|
when(clusterService.state()).thenReturn(state);
|
||||||
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
|
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(user), "indices:a", request);
|
() -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
|
||||||
fail("indices request for b should be denied since there is no such index");
|
"indices:a", "test user");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(user, "indices:a", request);
|
||||||
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user]"));
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).accessDenied(user, "indices:a", request);
|
verify(clusterService, times(2)).state();
|
||||||
verifyNoMoreInteractions(auditTrail);
|
verify(state, times(3)).metaData();
|
||||||
verify(clusterService, times(2)).state();
|
|
||||||
verify(state, times(3)).metaData();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexWithAliasWithoutPermissions() {
|
public void testCreateIndexWithAliasWithoutPermissions() {
|
||||||
|
@ -333,17 +304,13 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
when(clusterService.state()).thenReturn(state);
|
when(clusterService.state()).thenReturn(state);
|
||||||
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
|
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(user), CreateIndexAction.NAME, request);
|
() -> authorizationService.authorize(createAuthentication(user), CreateIndexAction.NAME, request),
|
||||||
fail("indices creation request with alias should be denied since user does not have permission to alias");
|
IndicesAliasesAction.NAME, "test user");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(user, IndicesAliasesAction.NAME, request);
|
||||||
assertAuthorizationException(e,
|
verifyNoMoreInteractions(auditTrail);
|
||||||
containsString("action [" + IndicesAliasesAction.NAME + "] is unauthorized for user [test user]"));
|
verify(clusterService).state();
|
||||||
verify(auditTrail).accessDenied(user, IndicesAliasesAction.NAME, request);
|
verify(state, times(2)).metaData();
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
verify(clusterService).state();
|
|
||||||
verify(state, times(2)).metaData();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexWithAlias() {
|
public void testCreateIndexWithAlias() {
|
||||||
|
@ -409,17 +376,13 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
when(clusterService.state()).thenReturn(state);
|
when(clusterService.state()).thenReturn(state);
|
||||||
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
|
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(anonymousUser), "indices:a", request);
|
() -> authorizationService.authorize(createAuthentication(anonymousUser), "indices:a", request),
|
||||||
fail("indices request for b should be denied since there is no such index");
|
"indices:a", anonymousUser.principal());
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(anonymousUser, "indices:a", request);
|
||||||
assertAuthorizationException(e,
|
verifyNoMoreInteractions(auditTrail);
|
||||||
containsString("action [indices:a] is unauthorized for user [" + anonymousUser.principal() + "]"));
|
verify(clusterService, times(2)).state();
|
||||||
verify(auditTrail).accessDenied(anonymousUser, "indices:a", request);
|
verify(state, times(3)).metaData();
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
verify(clusterService, times(2)).state();
|
|
||||||
verify(state, times(3)).metaData();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDenialForAnonymousUserAuthorizationExceptionDisabled() {
|
public void testDenialForAnonymousUserAuthorizationExceptionDisabled() {
|
||||||
|
@ -453,14 +416,11 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
TransportRequest request = mock(TransportRequest.class);
|
TransportRequest request = mock(TransportRequest.class);
|
||||||
User user = new User("test user", null, new User("run as me", new String[] { "admin" }));
|
User user = new User("test user", null, new User("run as me", new String[] { "admin" }));
|
||||||
assertThat(user.runAs(), is(notNullValue()));
|
assertThat(user.runAs(), is(notNullValue()));
|
||||||
try {
|
assertThrowsAuthorizationExceptionRunAs(
|
||||||
authorizationService.authorize(createAuthentication(user), "indices:a", request);
|
() -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
|
||||||
fail("user without roles should be denied for run as");
|
"indices:a", "test user", "run as me"); // run as [run as me]
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).runAsDenied(user, "indices:a", request);
|
||||||
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]"));
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).runAsDenied(user, "indices:a", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testRunAsRequestRunningAsUnAllowedUser() {
|
public void testRunAsRequestRunningAsUnAllowedUser() {
|
||||||
|
@ -473,14 +433,11 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
.add(IndexPrivilege.ALL, "a")
|
.add(IndexPrivilege.ALL, "a")
|
||||||
.build());
|
.build());
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationExceptionRunAs(
|
||||||
authorizationService.authorize(createAuthentication(user), "indices:a", request);
|
() -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
|
||||||
fail("user without roles should be denied for run as");
|
"indices:a", "test user", "run as me");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).runAsDenied(user, "indices:a", request);
|
||||||
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]"));
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).runAsDenied(user, "indices:a", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testRunAsRequestWithRunAsUserWithoutPermission() {
|
public void testRunAsRequestWithRunAsUserWithoutPermission() {
|
||||||
|
@ -507,15 +464,12 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
.build());
|
.build());
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationExceptionRunAs(
|
||||||
authorizationService.authorize(createAuthentication(user), "indices:a", request);
|
() -> authorizationService.authorize(createAuthentication(user), "indices:a", request),
|
||||||
fail("the run as user's role doesn't exist so they should not get authorized");
|
"indices:a", "test user", "run as me");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).runAsGranted(user, "indices:a", request);
|
||||||
assertAuthorizationException(e, containsString("action [indices:a] is unauthorized for user [test user] run as [run as me]"));
|
verify(auditTrail).accessDenied(user, "indices:a", request);
|
||||||
verify(auditTrail).runAsGranted(user, "indices:a", request);
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).accessDenied(user, "indices:a", request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testRunAsRequestWithValidPermissions() {
|
public void testRunAsRequestWithValidPermissions() {
|
||||||
|
@ -577,14 +531,11 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
for (Tuple<String, TransportRequest> requestTuple : requests) {
|
for (Tuple<String, TransportRequest> requestTuple : requests) {
|
||||||
String action = requestTuple.v1();
|
String action = requestTuple.v1();
|
||||||
TransportRequest request = requestTuple.v2();
|
TransportRequest request = requestTuple.v2();
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
authorizationService.authorize(createAuthentication(user), action, request);
|
() -> authorizationService.authorize(createAuthentication(user), action, request),
|
||||||
fail("only the xpack user can execute operation [" + action + "] against the internal index");
|
action, "all_access_user");
|
||||||
} catch (ElasticsearchSecurityException e) {
|
verify(auditTrail).accessDenied(user, action, request);
|
||||||
assertAuthorizationException(e, containsString("action [" + action + "] is unauthorized for user [all_access_user]"));
|
verifyNoMoreInteractions(auditTrail);
|
||||||
verify(auditTrail).accessDenied(user, action, request);
|
|
||||||
verifyNoMoreInteractions(auditTrail);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// we should allow waiting for the health of the index or any index if the user has this permission
|
// we should allow waiting for the health of the index or any index if the user has this permission
|
||||||
|
@ -729,10 +680,8 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
TransportRequest request = compositeRequest.v2();
|
TransportRequest request = compositeRequest.v2();
|
||||||
User user = new User("test user", "no_indices");
|
User user = new User("test user", "no_indices");
|
||||||
when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build());
|
when(rolesStore.role("no_indices")).thenReturn(Role.builder("no_indices").cluster(ClusterPrivilege.action("")).build());
|
||||||
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationException(
|
||||||
() -> authorizationService.authorize(createAuthentication(user), action, request));
|
() -> authorizationService.authorize(createAuthentication(user), action, request), action, "test user");
|
||||||
assertThat(securityException.status(), is(RestStatus.FORBIDDEN));
|
|
||||||
assertThat(securityException.getMessage(), containsString("[" + action + "] is unauthorized for user [" + user.principal() + "]"));
|
|
||||||
verify(auditTrail).accessDenied(user, action, request);
|
verify(auditTrail).accessDenied(user, action, request);
|
||||||
verifyNoMoreInteractions(auditTrail);
|
verifyNoMoreInteractions(auditTrail);
|
||||||
}
|
}
|
||||||
|
@ -795,11 +744,8 @@ public class AuthorizationServiceTests extends ESTestCase {
|
||||||
when(rolesStore.role("roleDenied")).thenReturn(Role.builder("roleDenied").add(IndexPrivilege.ALL, "a").build());
|
when(rolesStore.role("roleDenied")).thenReturn(Role.builder("roleDenied").add(IndexPrivilege.ALL, "a").build());
|
||||||
mockEmptyMetaData();
|
mockEmptyMetaData();
|
||||||
authorizationService.authorize(createAuthentication(userAllowed), action, request);
|
authorizationService.authorize(createAuthentication(userAllowed), action, request);
|
||||||
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationException(
|
||||||
() -> authorizationService.authorize(createAuthentication(userDenied), action, request));
|
() -> authorizationService.authorize(createAuthentication(userDenied), action, request), action, "userDenied");
|
||||||
assertThat(securityException.status(), is(RestStatus.FORBIDDEN));
|
|
||||||
assertThat(securityException.getMessage(),
|
|
||||||
containsString("[" + action + "] is unauthorized for user [" + userDenied.principal() + "]"));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static Tuple<String, TransportRequest> randomCompositeRequest() {
|
private static Tuple<String, TransportRequest> randomCompositeRequest() {
|
||||||
|
|
|
@ -5,28 +5,29 @@
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.xpack.security.authz;
|
package org.elasticsearch.xpack.security.authz;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
|
||||||
import org.elasticsearch.action.admin.indices.alias.Alias;
|
import org.elasticsearch.action.admin.indices.alias.Alias;
|
||||||
|
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesAction;
|
||||||
|
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesAction;
|
||||||
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequestBuilder;
|
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequestBuilder;
|
||||||
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesResponse;
|
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesResponse;
|
||||||
|
import org.elasticsearch.action.admin.indices.create.CreateIndexAction;
|
||||||
import org.elasticsearch.action.support.IndicesOptions;
|
import org.elasticsearch.action.support.IndicesOptions;
|
||||||
import org.elasticsearch.client.Client;
|
import org.elasticsearch.client.Client;
|
||||||
import org.elasticsearch.index.IndexNotFoundException;
|
import org.elasticsearch.index.IndexNotFoundException;
|
||||||
|
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||||
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
||||||
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.SecurityIntegTestCase;
|
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
|
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationException;
|
||||||
|
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
|
||||||
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
|
||||||
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
|
|
||||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
|
|
||||||
import static org.hamcrest.CoreMatchers.containsString;
|
import static org.hamcrest.CoreMatchers.containsString;
|
||||||
import static org.hamcrest.CoreMatchers.equalTo;
|
import static org.hamcrest.CoreMatchers.equalTo;
|
||||||
import static org.hamcrest.CoreMatchers.is;
|
|
||||||
|
|
||||||
public class IndexAliasesTests extends SecurityIntegTestCase {
|
public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
|
|
||||||
|
@ -100,19 +101,13 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
new SecuredString("test123".toCharArray())));
|
new SecuredString("test123".toCharArray())));
|
||||||
assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").get());
|
assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").get());
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "test_alias").get();
|
client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "test_alias")::get,
|
||||||
fail("add alias should have failed due to missing manage_aliases privileges");
|
IndicesAliasesAction.NAME, "create_only");
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias").get();
|
client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias")::get);
|
||||||
fail("add alias should have failed due to missing manage_aliases privileges");
|
assertThat(indexNotFoundException.toString(), containsString("[test_*]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[test_*]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexAndAliasesCreateOnlyPermission() {
|
public void testCreateIndexAndAliasesCreateOnlyPermission() {
|
||||||
|
@ -120,80 +115,56 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
// the same create index request
|
// the same create index request
|
||||||
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
|
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
|
||||||
new SecuredString("test123".toCharArray())));
|
new SecuredString("test123".toCharArray())));
|
||||||
try {
|
|
||||||
client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_2")).get();
|
assertThrowsAuthorizationException(
|
||||||
fail("create index should have failed due to missing manage_aliases privileges");
|
client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_2"))::get,
|
||||||
} catch(ElasticsearchSecurityException e) {
|
IndicesAliasesAction.NAME, "create_only");
|
||||||
assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDeleteAliasesCreateOnlyPermission() {
|
public void testDeleteAliasesCreateOnlyPermission() {
|
||||||
//user has create permission only: allows to create indices, manage_aliases is required to add/remove aliases
|
//user has create permission only: allows to create indices, manage_aliases is required to add/remove aliases
|
||||||
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
|
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
|
||||||
new SecuredString("test123".toCharArray())));
|
new SecuredString("test123".toCharArray())));
|
||||||
try {
|
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get();
|
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e, containsString("action [indices:admin/aliases] is unauthorized for user [create_only]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationException(
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_*").get();
|
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1")::get,
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges");
|
IndicesAliasesAction.NAME, "create_only");
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[alias_*"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all").get();
|
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_*")::get);
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges");
|
assertThat(indexNotFoundException.toString(), containsString("[alias_*"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
}
|
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
|
||||||
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetAliasesCreateOnlyPermissionStrict() {
|
public void testGetAliasesCreateOnlyPermissionStrict() {
|
||||||
//user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though
|
//user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though
|
||||||
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
|
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
|
||||||
new SecuredString("test123".toCharArray())));
|
new SecuredString("test123".toCharArray())));
|
||||||
try {
|
|
||||||
client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1").setIndices("test_1")
|
|
||||||
.setIndicesOptions(IndicesOptions.strictExpand()).get();
|
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [create_only]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1")
|
||||||
client().filterWithHeader(headers).admin().indices().prepareGetAliases("_all").setIndices("test_1")
|
.setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get, GetAliasesAction.NAME, "create_only");
|
||||||
.setIndicesOptions(IndicesOptions.strictExpand()).get();
|
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges");
|
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers)
|
||||||
client().filterWithHeader(headers).admin().indices().prepareGetAliases().setIndices("test_1")
|
.admin().indices().prepareGetAliases("_all")
|
||||||
.setIndicesOptions(IndicesOptions.strictExpand()).get();
|
.setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get);
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges");
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices()
|
||||||
}
|
.prepareGetAliases().setIndices("test_1").setIndicesOptions(IndicesOptions.strictExpand())::get);
|
||||||
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
|
|
||||||
GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias")
|
GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias")
|
||||||
.setIndices("test_*").setIndicesOptions(IndicesOptions.strictExpand()).get();
|
.setIndices("test_*").setIndicesOptions(IndicesOptions.strictExpand()).get();
|
||||||
assertEquals(0, getAliasesResponse.getAliases().size());
|
assertEquals(0, getAliasesResponse.getAliases().size());
|
||||||
|
|
||||||
try {
|
//this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias
|
||||||
//this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias
|
//and there is no way to "allow_no_aliases" like we can do with indices.
|
||||||
//and there is no way to "allow_no_aliases" like we can do with indices.
|
indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client().filterWithHeader(headers).admin().indices().prepareGetAliases().get();
|
client().filterWithHeader(headers).admin().indices().prepareGetAliases()::get);
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges");
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetAliasesCreateOnlyPermissionIgnoreUnavailable() {
|
public void testGetAliasesCreateOnlyPermissionIgnoreUnavailable() {
|
||||||
|
@ -205,35 +176,24 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
.setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
|
.setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
|
||||||
assertEquals(0, getAliasesResponse.getAliases().size());
|
assertEquals(0, getAliasesResponse.getAliases().size());
|
||||||
|
|
||||||
try {
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers)
|
||||||
client().filterWithHeader(headers).admin().indices().prepareGetAliases("_all").setIndices("test_1")
|
.admin().indices().prepareGetAliases("_all")
|
||||||
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
|
.setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen())::get);
|
||||||
fail("get alias should have failed due empty set of indices after indices resolution");
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertEquals("no such index", e.getMessage());
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices()
|
||||||
client().filterWithHeader(headers).admin().indices().prepareGetAliases().setIndices("test_1")
|
.prepareGetAliases().setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen())::get);
|
||||||
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
fail("get alias should have failed due empty set of indices after indices resolution");
|
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertEquals("no such index", e.getMessage());
|
|
||||||
}
|
|
||||||
|
|
||||||
getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias")
|
getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias")
|
||||||
.setIndices("test_*").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
|
.setIndices("test_*").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
|
||||||
assertEquals(0, getAliasesResponse.getAliases().size());
|
assertEquals(0, getAliasesResponse.getAliases().size());
|
||||||
|
|
||||||
try {
|
//this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias
|
||||||
//this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias
|
//and there is no way to "allow_no_aliases" like we can do with indices.
|
||||||
//and there is no way to "allow_no_aliases" like we can do with indices.
|
indexNotFoundException = expectThrows(IndexNotFoundException.class, client().filterWithHeader(headers).admin().indices()
|
||||||
client().filterWithHeader(headers).admin().indices().prepareGetAliases()
|
.prepareGetAliases().setIndicesOptions(IndicesOptions.lenientExpandOpen())::get);
|
||||||
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges");
|
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexThenAliasesCreateAndAliasesPermission() {
|
public void testCreateIndexThenAliasesCreateAndAliasesPermission() {
|
||||||
|
@ -250,15 +210,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
//ok: user has manage_aliases on test_*
|
//ok: user has manage_aliases on test_*
|
||||||
assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias_2").get());
|
assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_*", "test_alias_2").get());
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases on alias_1
|
||||||
//fails: user doesn't have manage_aliases on alias_1
|
assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases()
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().addAlias("test_1", "alias_1")
|
.addAlias("test_1", "alias_1").addAlias("test_1", "test_alias")::get,
|
||||||
.addAlias("test_1", "test_alias").get();
|
IndicesAliasesAction.NAME, "create_test_aliases_test");
|
||||||
fail("add alias should have failed due to missing manage_aliases privileges on alias_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexAndAliasesCreateAndAliasesPermission() {
|
public void testCreateIndexAndAliasesCreateAndAliasesPermission() {
|
||||||
|
@ -269,15 +224,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
new SecuredString("test123".toCharArray())));
|
new SecuredString("test123".toCharArray())));
|
||||||
assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get());
|
assertAcked(client().filterWithHeader(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get());
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases on alias_1
|
||||||
//fails: user doesn't have manage_aliases on alias_1
|
assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareCreate("test_2")
|
||||||
client().filterWithHeader(headers).admin().indices().prepareCreate("test_2").addAlias(new Alias("test_alias"))
|
.addAlias(new Alias("test_alias")).addAlias(new Alias("alias_2"))::get,
|
||||||
.addAlias(new Alias("alias_2")).get();
|
IndicesAliasesAction.NAME, "create_test_aliases_test");
|
||||||
fail("create index should have failed due to missing manage_aliases privileges on alias_2");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDeleteAliasesCreateAndAliasesPermission() {
|
public void testDeleteAliasesCreateAndAliasesPermission() {
|
||||||
|
@ -297,40 +247,23 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
//ok: user has manage_aliases on test_*
|
//ok: user has manage_aliases on test_*
|
||||||
assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get());
|
assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get());
|
||||||
|
|
||||||
try {
|
//fails: all aliases have been deleted, no existing aliases match test_alias_*
|
||||||
//fails: all aliases have been deleted, no existing aliases match test_alias_*
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get();
|
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*")::get);
|
||||||
fail("remove alias should have failed due to no existing matching aliases to expand test_alias_* to");
|
assertThat(indexNotFoundException.toString(), containsString("[test_alias_*]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[test_alias_*]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: all aliases have been deleted, no existing aliases match _all
|
||||||
//fails: all aliases have been deleted, no existing aliases match _all
|
indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all").get();
|
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
|
||||||
fail("remove alias should have failed due to no existing matching aliases to expand _all to");
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases on alias_1
|
||||||
//fails: user doesn't have manage_aliases on alias_1
|
assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases()
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get();
|
.removeAlias("test_1", "alias_1")::get, IndicesAliasesAction.NAME, "create_test_aliases_test");
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges on alias_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases on alias_1
|
||||||
//fails: user doesn't have manage_aliases on alias_1
|
assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases()
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases()
|
.removeAlias("test_1", new String[]{"_all", "alias_1"})::get, IndicesAliasesAction.NAME, "create_test_aliases_test");
|
||||||
.removeAlias("test_1", new String[]{"_all", "alias_1"}).get();
|
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges on alias_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetAliasesCreateAndAliasesPermission() {
|
public void testGetAliasesCreateAndAliasesPermission() {
|
||||||
|
@ -376,24 +309,14 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
assertAliases(client.admin().indices().prepareGetAliases(),
|
assertAliases(client.admin().indices().prepareGetAliases(),
|
||||||
"test_1", "test_alias");
|
"test_1", "test_alias");
|
||||||
|
|
||||||
try {
|
//fails: user has manage_aliases on test_*, although _all aliases and empty indices can be resolved, the explicit non
|
||||||
//fails: user has manage_aliases on test_*, although _all aliases and empty indices can be resolved, the explicit non
|
// authorized alias (alias_1) causes the request to fail
|
||||||
// authorized alias (alias_1) causes the request to fail
|
assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("_all", "alias_1")::get,
|
||||||
client.admin().indices().prepareGetAliases().setAliases("_all", "alias_1").get();
|
GetAliasesAction.NAME, "create_test_aliases_test");
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges on alias_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_test]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases on alias_1
|
||||||
//fails: user doesn't have manage_aliases on alias_1
|
assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("alias_1")::get,
|
||||||
client.admin().indices().prepareGetAliases().setAliases("alias_1").get();
|
GetAliasesAction.NAME, "create_test_aliases_test");
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges on alias_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_test]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexThenAliasesCreateAndAliasesPermission2() {
|
public void testCreateIndexThenAliasesCreateAndAliasesPermission2() {
|
||||||
|
@ -405,31 +328,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
// on both aliases and indices
|
// on both aliases and indices
|
||||||
assertAcked(client.admin().indices().prepareCreate("test_1"));
|
assertAcked(client.admin().indices().prepareCreate("test_1"));
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases aliases on test_1
|
||||||
//fails: user doesn't have manage_aliases aliases on test_1
|
assertThrowsAuthorizationException(client.admin().indices().prepareAliases().addAlias("test_1", "test_alias")::get,
|
||||||
client.admin().indices().prepareAliases().addAlias("test_1", "test_alias").get();
|
IndicesAliasesAction.NAME, "create_test_aliases_alias");
|
||||||
fail("add alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases aliases on test_1
|
||||||
//fails: user doesn't have manage_aliases aliases on test_1
|
assertThrowsAuthorizationException(client.admin().indices().prepareAliases().addAlias("test_1", "alias_1")::get,
|
||||||
client.admin().indices().prepareAliases().addAlias("test_1", "alias_1").get();
|
IndicesAliasesAction.NAME, "create_test_aliases_alias");
|
||||||
fail("add alias should have failed due to missing manage_aliases privileges on test_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
|
||||||
//fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client.admin().indices().prepareAliases().addAlias("test_*", "alias_1").get();
|
client.admin().indices().prepareAliases().addAlias("test_*", "alias_1")::get);
|
||||||
fail("add alias should have failed due to missing manage_aliases privileges on test_1");
|
assertThat(indexNotFoundException.toString(), containsString("[test_*]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[test_*]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexAndAliasesCreateAndAliasesPermission2() {
|
public void testCreateIndexAndAliasesCreateAndAliasesPermission2() {
|
||||||
|
@ -440,23 +350,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
|
|
||||||
//user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases
|
//user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases
|
||||||
// on both aliases and indices
|
// on both aliases and indices
|
||||||
try {
|
|
||||||
//fails: user doesn't have manage_aliases on test_1, create index is rejected as a whole
|
|
||||||
client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get();
|
|
||||||
fail("create index should have failed due to missing manage_aliases privileges on test_1 and test_alias");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases on test_1, create index is rejected as a whole
|
||||||
//fails: user doesn't have manage_aliases on test_*, create index is rejected as a whole
|
assertThrowsAuthorizationException(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias"))::get,
|
||||||
client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).addAlias(new Alias("alias_1")).get();
|
IndicesAliasesAction.NAME, "create_test_aliases_alias");
|
||||||
fail("create index should have failed due to missing manage_aliases privileges on test_1 and test_alias");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDeleteAliasesCreateAndAliasesPermission2() {
|
public void testDeleteAliasesCreateAndAliasesPermission2() {
|
||||||
|
@ -466,32 +363,15 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
|
|
||||||
//user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases
|
//user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases
|
||||||
// on both aliases and indices
|
// on both aliases and indices
|
||||||
try {
|
|
||||||
//fails: user doesn't have manage_aliases on test_1
|
|
||||||
client.admin().indices().prepareAliases().removeAlias("test_1", "test_alias").get();
|
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases on test_1
|
||||||
//fails: user doesn't have manage_aliases on test_1
|
assertThrowsAuthorizationException(client.admin().indices().prepareAliases().removeAlias("test_1", "test_alias")::get,
|
||||||
client.admin().indices().prepareAliases().removeAlias("test_1", "alias_1").get();
|
IndicesAliasesAction.NAME, "create_test_aliases_alias");
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges on test_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_alias]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases on test_*, wildcards can't get replaced
|
||||||
//fails: user doesn't have manage_aliases on test_*, wildcards can't get replaced
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client.admin().indices().prepareAliases().removeAlias("test_*", "alias_1").get();
|
client.admin().indices().prepareAliases().removeAlias("test_*", "alias_1")::get);
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges on test_*");
|
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[test_*]"));
|
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
public void testGetAliasesCreateAndAliasesPermission2() {
|
public void testGetAliasesCreateAndAliasesPermission2() {
|
||||||
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER,
|
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER,
|
||||||
|
@ -502,14 +382,9 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
// on both aliases and indices
|
// on both aliases and indices
|
||||||
assertAcked(client.admin().indices().prepareCreate("test_1"));
|
assertAcked(client.admin().indices().prepareCreate("test_1"));
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases aliases on test_1, nor test_alias
|
||||||
//fails: user doesn't have manage_aliases aliases on test_1, nor test_alias
|
assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setAliases("test_alias").setIndices("test_1")::get,
|
||||||
client.admin().indices().prepareGetAliases().setAliases("test_alias").setIndices("test_1").get();
|
GetAliasesAction.NAME, "create_test_aliases_alias");
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_alias]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
//user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
|
//user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
|
||||||
GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases()
|
GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases()
|
||||||
|
@ -520,37 +395,24 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get();
|
getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get();
|
||||||
assertEquals(0, getAliasesResponse.getAliases().size());
|
assertEquals(0, getAliasesResponse.getAliases().size());
|
||||||
|
|
||||||
try {
|
//fails: no existing aliases to replace wildcards
|
||||||
//fails: no existing aliases to replace wildcards
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("test_*").get();
|
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("test_*")::get);
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges on test_1");
|
assertThat(indexNotFoundException.toString(), containsString("[test_*]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[test_*]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: no existing aliases to replace _all
|
||||||
//fails: no existing aliases to replace _all
|
indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("_all").get();
|
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("_all")::get);
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges on test_1");
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: no existing aliases to replace empty aliases
|
||||||
//fails: no existing aliases to replace empty aliases
|
indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client.admin().indices().prepareGetAliases().setIndices("test_1").get();
|
client.admin().indices().prepareGetAliases().setIndices("test_1")::get);
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges on test_1");
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: no existing aliases to replace empty aliases
|
||||||
//fails: no existing aliases to replace empty aliases
|
indexNotFoundException = expectThrows(IndexNotFoundException.class, client.admin().indices().prepareGetAliases()::get);
|
||||||
client.admin().indices().prepareGetAliases().get();
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
fail("get alias should have failed due to missing manage_aliases privileges on test_1");
|
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexThenAliasesCreateAndAliasesPermission3() {
|
public void testCreateIndexThenAliasesCreateAndAliasesPermission3() {
|
||||||
|
@ -588,26 +450,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
assertAcked(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).addAlias(new Alias("alias_1"))
|
assertAcked(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).addAlias(new Alias("alias_1"))
|
||||||
.addAlias(new Alias("alias_2")).addAlias(new Alias("alias_3")));
|
.addAlias(new Alias("alias_2")).addAlias(new Alias("alias_3")));
|
||||||
|
|
||||||
try {
|
//fails: user doesn't have manage_aliases privilege on non_authorized
|
||||||
//fails: user doesn't have manage_aliases privilege on non_authorized
|
assertThrowsAuthorizationException(client.admin().indices().prepareAliases().removeAlias("test_1", "non_authorized")
|
||||||
client.admin().indices().prepareAliases().removeAlias("test_1", "non_authorized").removeAlias("test_1", "test_alias").get();
|
.removeAlias("test_1", "test_alias")::get, IndicesAliasesAction.NAME, "create_test_aliases_test_alias");
|
||||||
fail("remove alias should have failed due to missing manage_aliases privileges on non_authorized");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e,
|
|
||||||
containsString("action [indices:admin/aliases] is unauthorized for user [create_test_aliases_test_alias]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
assertAcked(client.admin().indices().prepareAliases().removeAlias("test_1", "alias_1"));
|
assertAcked(client.admin().indices().prepareAliases().removeAlias("test_1", "alias_1"));
|
||||||
|
|
||||||
assertAcked(client.admin().indices().prepareAliases().removeAlias("test_*", "_all"));
|
assertAcked(client.admin().indices().prepareAliases().removeAlias("test_*", "_all"));
|
||||||
|
|
||||||
try {
|
//fails: all aliases have been deleted, _all can't be resolved to any existing authorized aliases
|
||||||
//fails: all aliases have been deleted, _all can't be resolved to any existing authorized aliases
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
||||||
client.admin().indices().prepareAliases().removeAlias("test_1", "_all").get();
|
client.admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
|
||||||
fail("remove alias should have failed due to no existing aliases matching _all");
|
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertThat(e.toString(), containsString("[_all]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetAliasesCreateAndAliasesPermission3() {
|
public void testGetAliasesCreateAndAliasesPermission3() {
|
||||||
|
@ -646,14 +500,9 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexAliasesOnlyPermission() {
|
public void testCreateIndexAliasesOnlyPermission() {
|
||||||
try {
|
assertThrowsAuthorizationException(client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER,
|
||||||
client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER,
|
basicAuthHeaderValue("aliases_only", new SecuredString("test123".toCharArray()))))
|
||||||
basicAuthHeaderValue("aliases_only", new SecuredString("test123".toCharArray()))))
|
.admin().indices().prepareCreate("test_1")::get, CreateIndexAction.NAME, "aliases_only");
|
||||||
.admin().indices().prepareCreate("test_1").get();
|
|
||||||
fail("Expected ElasticsearchSecurityException");
|
|
||||||
} catch (ElasticsearchSecurityException e) {
|
|
||||||
assertThat(e.getMessage(), is("action [indices:admin/create] is unauthorized for user [aliases_only]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetAliasesAliasesOnlyPermissionStrict() {
|
public void testGetAliasesAliasesOnlyPermissionStrict() {
|
||||||
|
@ -662,33 +511,18 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
final Client client = client().filterWithHeader(headers);
|
final Client client = client().filterWithHeader(headers);
|
||||||
//user has manage_aliases only permissions on both alias_* and test_*
|
//user has manage_aliases only permissions on both alias_* and test_*
|
||||||
|
|
||||||
//ok: manage_aliases on both test_* and alias_*
|
//security plugin lets it through, but es core intercepts it due to strict indices options and throws index not found
|
||||||
try {
|
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class, client.admin().indices()
|
||||||
//security plugin lets it through, but es core intercepts it due to strict indices options and throws index not found
|
.prepareGetAliases("alias_1").addIndices("test_1").setIndicesOptions(IndicesOptions.strictExpandOpen())::get);
|
||||||
client.admin().indices().prepareGetAliases("alias_1")
|
assertEquals("no such index", indexNotFoundException.getMessage());
|
||||||
.addIndices("test_1").setIndicesOptions(IndicesOptions.strictExpandOpen()).get();
|
|
||||||
fail("Expected IndexNotFoundException");
|
|
||||||
} catch(IndexNotFoundException e) {
|
|
||||||
assertEquals("no such index", e.getMessage());
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: no manage_aliases privilege on non_authorized alias
|
||||||
//fails: no manage_aliases privilege on non_authorized alias
|
assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1")
|
||||||
client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1")
|
.setIndicesOptions(IndicesOptions.strictExpandOpen())::get, GetAliasesAction.NAME, "aliases_only");
|
||||||
.setIndicesOptions(IndicesOptions.strictExpandOpen()).get();
|
|
||||||
fail("Expected ElasticsearchSecurityException");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [aliases_only]"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
//fails: no manage_aliases privilege on non_authorized index
|
||||||
//fails: no manage_aliases privilege on non_authorized index
|
assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized")
|
||||||
client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized")
|
.setIndicesOptions(IndicesOptions.strictExpandOpen())::get, GetAliasesAction.NAME, "aliases_only");
|
||||||
.setIndicesOptions(IndicesOptions.strictExpandOpen()).get();
|
|
||||||
fail("Expected ElasticsearchSecurityException");
|
|
||||||
} catch(ElasticsearchSecurityException e) {
|
|
||||||
assertAuthorizationException(e, containsString("action [indices:admin/aliases/get] is unauthorized for user [aliases_only]"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetAliasesAliasesOnlyPermissionIgnoreUnavailable() {
|
public void testGetAliasesAliasesOnlyPermissionIgnoreUnavailable() {
|
||||||
|
|
|
@ -6,11 +6,16 @@
|
||||||
package org.elasticsearch.xpack.security.authz;
|
package org.elasticsearch.xpack.security.authz;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.ElasticsearchSecurityException;
|
||||||
|
import org.elasticsearch.action.get.GetAction;
|
||||||
|
import org.elasticsearch.action.get.MultiGetAction;
|
||||||
import org.elasticsearch.action.get.MultiGetResponse;
|
import org.elasticsearch.action.get.MultiGetResponse;
|
||||||
import org.elasticsearch.action.search.MultiSearchResponse;
|
import org.elasticsearch.action.search.MultiSearchResponse;
|
||||||
|
import org.elasticsearch.action.search.SearchAction;
|
||||||
import org.elasticsearch.action.search.SearchResponse;
|
import org.elasticsearch.action.search.SearchResponse;
|
||||||
import org.elasticsearch.action.support.IndicesOptions;
|
import org.elasticsearch.action.support.IndicesOptions;
|
||||||
|
import org.elasticsearch.action.termvectors.MultiTermVectorsAction;
|
||||||
import org.elasticsearch.action.termvectors.MultiTermVectorsResponse;
|
import org.elasticsearch.action.termvectors.MultiTermVectorsResponse;
|
||||||
|
import org.elasticsearch.action.termvectors.TermVectorsAction;
|
||||||
import org.elasticsearch.client.Requests;
|
import org.elasticsearch.client.Requests;
|
||||||
import org.elasticsearch.index.IndexNotFoundException;
|
import org.elasticsearch.index.IndexNotFoundException;
|
||||||
import org.elasticsearch.search.SearchHit;
|
import org.elasticsearch.search.SearchHit;
|
||||||
|
@ -20,9 +25,9 @@ import org.elasticsearch.test.SecuritySettingsSource;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
|
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationExceptionDefaultUsers;
|
||||||
|
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionDefaultUsers;
|
||||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoSearchHits;
|
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoSearchHits;
|
||||||
import static org.hamcrest.CoreMatchers.containsString;
|
|
||||||
import static org.hamcrest.core.IsCollectionContaining.hasItems;
|
import static org.hamcrest.core.IsCollectionContaining.hasItems;
|
||||||
import static org.hamcrest.core.IsEqual.equalTo;
|
import static org.hamcrest.core.IsEqual.equalTo;
|
||||||
import static org.hamcrest.core.IsInstanceOf.instanceOf;
|
import static org.hamcrest.core.IsInstanceOf.instanceOf;
|
||||||
|
@ -118,12 +123,12 @@ public class ReadActionsTests extends SecurityIntegTestCase {
|
||||||
|
|
||||||
public void testExplicitNonAuthorizedIndex() {
|
public void testExplicitNonAuthorizedIndex() {
|
||||||
createIndicesWithRandomAliases("test1", "test2", "index1");
|
createIndicesWithRandomAliases("test1", "test2", "index1");
|
||||||
assertThrowsAuthorizationException(client().prepareSearch("test*", "index1"));
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareSearch("test*", "index1")::get, SearchAction.NAME);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testIndexNotFound() {
|
public void testIndexNotFound() {
|
||||||
createIndicesWithRandomAliases("test1", "test2", "index1");
|
createIndicesWithRandomAliases("test1", "test2", "index1");
|
||||||
assertThrowsAuthorizationException(client().prepareSearch("missing"));
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareSearch("missing")::get, SearchAction.NAME);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testIndexNotFoundIgnoreUnavailable() {
|
public void testIndexNotFoundIgnoreUnavailable() {
|
||||||
|
@ -212,7 +217,7 @@ public class ReadActionsTests extends SecurityIntegTestCase {
|
||||||
assertTrue(multiSearchResponse.getResponses()[1].isFailure());
|
assertTrue(multiSearchResponse.getResponses()[1].isFailure());
|
||||||
Exception exception = multiSearchResponse.getResponses()[1].getFailure();
|
Exception exception = multiSearchResponse.getResponses()[1].getFailure();
|
||||||
assertThat(exception, instanceOf(ElasticsearchSecurityException.class));
|
assertThat(exception, instanceOf(ElasticsearchSecurityException.class));
|
||||||
assertAuthorizationException((ElasticsearchSecurityException)exception, containsString("is unauthorized for user ["));
|
assertAuthorizationExceptionDefaultUsers(exception, SearchAction.NAME);
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
MultiSearchResponse multiSearchResponse = client().prepareMultiSearch()
|
MultiSearchResponse multiSearchResponse = client().prepareMultiSearch()
|
||||||
|
@ -243,7 +248,7 @@ public class ReadActionsTests extends SecurityIntegTestCase {
|
||||||
assertTrue(multiSearchResponse.getResponses()[1].isFailure());
|
assertTrue(multiSearchResponse.getResponses()[1].isFailure());
|
||||||
Exception exception = multiSearchResponse.getResponses()[1].getFailure();
|
Exception exception = multiSearchResponse.getResponses()[1].getFailure();
|
||||||
assertThat(exception, instanceOf(ElasticsearchSecurityException.class));
|
assertThat(exception, instanceOf(ElasticsearchSecurityException.class));
|
||||||
assertAuthorizationException((ElasticsearchSecurityException)exception, containsString("is unauthorized for user ["));
|
assertAuthorizationExceptionDefaultUsers(exception, SearchAction.NAME);
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
MultiSearchResponse multiSearchResponse = client().prepareMultiSearch()
|
MultiSearchResponse multiSearchResponse = client().prepareMultiSearch()
|
||||||
|
@ -333,13 +338,9 @@ public class ReadActionsTests extends SecurityIntegTestCase {
|
||||||
|
|
||||||
client().prepareGet("test1", "type", "id").get();
|
client().prepareGet("test1", "type", "id").get();
|
||||||
|
|
||||||
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareGet("index1", "type", "id")::get, GetAction.NAME);
|
||||||
() -> client().prepareGet("index1", "type", "id").get());
|
|
||||||
assertAuthorizationException(securityException);
|
|
||||||
|
|
||||||
securityException = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareGet("missing", "type", "id")::get, GetAction.NAME);
|
||||||
() -> client().prepareGet("missing", "type", "id").get());
|
|
||||||
assertAuthorizationException(securityException);
|
|
||||||
|
|
||||||
expectThrows(IndexNotFoundException.class, () -> client().prepareGet("test5", "type", "id").get());
|
expectThrows(IndexNotFoundException.class, () -> client().prepareGet("test5", "type", "id").get());
|
||||||
}
|
}
|
||||||
|
@ -357,7 +358,8 @@ public class ReadActionsTests extends SecurityIntegTestCase {
|
||||||
assertEquals("test1", multiGetResponse.getResponses()[0].getResponse().getIndex());
|
assertEquals("test1", multiGetResponse.getResponses()[0].getResponse().getIndex());
|
||||||
assertTrue(multiGetResponse.getResponses()[1].isFailed());
|
assertTrue(multiGetResponse.getResponses()[1].isFailed());
|
||||||
assertEquals("index1", multiGetResponse.getResponses()[1].getFailure().getIndex());
|
assertEquals("index1", multiGetResponse.getResponses()[1].getFailure().getIndex());
|
||||||
assertAuthorizationException((ElasticsearchSecurityException) multiGetResponse.getResponses()[1].getFailure().getFailure());
|
assertAuthorizationExceptionDefaultUsers(multiGetResponse.getResponses()[1].getFailure().getFailure(),
|
||||||
|
MultiGetAction.NAME + "[shard]");
|
||||||
assertFalse(multiGetResponse.getResponses()[2].isFailed());
|
assertFalse(multiGetResponse.getResponses()[2].isFailed());
|
||||||
assertEquals("test3", multiGetResponse.getResponses()[2].getResponse().getIndex());
|
assertEquals("test3", multiGetResponse.getResponses()[2].getResponse().getIndex());
|
||||||
assertTrue(multiGetResponse.getResponses()[3].isFailed());
|
assertTrue(multiGetResponse.getResponses()[3].isFailed());
|
||||||
|
@ -374,13 +376,9 @@ public class ReadActionsTests extends SecurityIntegTestCase {
|
||||||
createIndicesWithRandomAliases("test1", "index1");
|
createIndicesWithRandomAliases("test1", "index1");
|
||||||
client().prepareTermVectors("test1", "type", "id").get();
|
client().prepareTermVectors("test1", "type", "id").get();
|
||||||
|
|
||||||
ElasticsearchSecurityException securityException = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareTermVectors("index1", "type", "id")::get, TermVectorsAction.NAME);
|
||||||
() -> client().prepareTermVectors("index1", "type", "id").get());
|
|
||||||
assertAuthorizationException(securityException);
|
|
||||||
|
|
||||||
securityException = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareTermVectors("missing", "type", "id")::get, TermVectorsAction.NAME);
|
||||||
() -> client().prepareTermVectors("missing", "type", "id").get());
|
|
||||||
assertAuthorizationException(securityException);
|
|
||||||
|
|
||||||
expectThrows(IndexNotFoundException.class, () -> client().prepareTermVectors("test5", "type", "id").get());
|
expectThrows(IndexNotFoundException.class, () -> client().prepareTermVectors("test5", "type", "id").get());
|
||||||
}
|
}
|
||||||
|
@ -398,12 +396,13 @@ public class ReadActionsTests extends SecurityIntegTestCase {
|
||||||
assertEquals("test1", response.getResponses()[0].getResponse().getIndex());
|
assertEquals("test1", response.getResponses()[0].getResponse().getIndex());
|
||||||
assertTrue(response.getResponses()[1].isFailed());
|
assertTrue(response.getResponses()[1].isFailed());
|
||||||
assertEquals("index1", response.getResponses()[1].getFailure().getIndex());
|
assertEquals("index1", response.getResponses()[1].getFailure().getIndex());
|
||||||
assertAuthorizationException((ElasticsearchSecurityException) response.getResponses()[1].getFailure().getCause());
|
assertAuthorizationExceptionDefaultUsers(response.getResponses()[1].getFailure().getCause(),
|
||||||
|
MultiTermVectorsAction.NAME + "[shard]");
|
||||||
assertFalse(response.getResponses()[2].isFailed());
|
assertFalse(response.getResponses()[2].isFailed());
|
||||||
assertEquals("test3", response.getResponses()[2].getResponse().getIndex());
|
assertEquals("test3", response.getResponses()[2].getResponse().getIndex());
|
||||||
assertTrue(response.getResponses()[3].isFailed());
|
assertTrue(response.getResponses()[3].isFailed());
|
||||||
assertEquals("missing", response.getResponses()[3].getFailure().getIndex());
|
assertEquals("missing", response.getResponses()[3].getFailure().getIndex());
|
||||||
//different behaviour compared to get api: we leak information about a non existing index that the current user is not
|
//different behaviour compared to term_vector api: we leak information about a non existing index that the current user is not
|
||||||
//authorized for. Should rather be an authorization exception but we only authorize at the shard level in mget. If we
|
//authorized for. Should rather be an authorization exception but we only authorize at the shard level in mget. If we
|
||||||
//authorized globally, we would fail the whole mget request which is not desirable.
|
//authorized globally, we would fail the whole mget request which is not desirable.
|
||||||
assertThat(response.getResponses()[3].getFailure().getCause(), instanceOf(IndexNotFoundException.class));
|
assertThat(response.getResponses()[3].getFailure().getCause(), instanceOf(IndexNotFoundException.class));
|
||||||
|
|
|
@ -7,16 +7,21 @@ package org.elasticsearch.xpack.security.authz;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.ElasticsearchSecurityException;
|
||||||
import org.elasticsearch.action.DocWriteRequest;
|
import org.elasticsearch.action.DocWriteRequest;
|
||||||
|
import org.elasticsearch.action.bulk.BulkAction;
|
||||||
import org.elasticsearch.action.bulk.BulkResponse;
|
import org.elasticsearch.action.bulk.BulkResponse;
|
||||||
|
import org.elasticsearch.action.delete.DeleteAction;
|
||||||
import org.elasticsearch.action.delete.DeleteRequest;
|
import org.elasticsearch.action.delete.DeleteRequest;
|
||||||
|
import org.elasticsearch.action.index.IndexAction;
|
||||||
import org.elasticsearch.action.index.IndexRequest;
|
import org.elasticsearch.action.index.IndexRequest;
|
||||||
|
import org.elasticsearch.action.update.UpdateAction;
|
||||||
import org.elasticsearch.action.update.UpdateRequest;
|
import org.elasticsearch.action.update.UpdateRequest;
|
||||||
import org.elasticsearch.index.engine.DocumentMissingException;
|
import org.elasticsearch.index.engine.DocumentMissingException;
|
||||||
import org.elasticsearch.rest.RestStatus;
|
import org.elasticsearch.rest.RestStatus;
|
||||||
import org.elasticsearch.test.SecurityIntegTestCase;
|
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||||
import org.elasticsearch.test.SecuritySettingsSource;
|
import org.elasticsearch.test.SecuritySettingsSource;
|
||||||
|
|
||||||
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
|
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationExceptionDefaultUsers;
|
||||||
|
import static org.elasticsearch.test.SecurityTestsUtils.assertThrowsAuthorizationExceptionDefaultUsers;
|
||||||
import static org.hamcrest.CoreMatchers.containsString;
|
import static org.hamcrest.CoreMatchers.containsString;
|
||||||
import static org.hamcrest.core.IsInstanceOf.instanceOf;
|
import static org.hamcrest.core.IsInstanceOf.instanceOf;
|
||||||
|
|
||||||
|
@ -41,14 +46,13 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
createIndex("test1", "index1");
|
createIndex("test1", "index1");
|
||||||
client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
|
client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
|
||||||
|
|
||||||
assertThrowsAuthorizationException(client().prepareIndex("index1", "type", "id").setSource("field", "value"));
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("index1", "type", "id").setSource("field", "value")::get,
|
||||||
|
IndexAction.NAME);
|
||||||
|
|
||||||
client().prepareIndex("test4", "type", "id").setSource("field", "value").get();
|
client().prepareIndex("test4", "type", "id").setSource("field", "value").get();
|
||||||
//the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
|
//the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
|
||||||
ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("missing", "type", "id").setSource("field", "value")::get,
|
||||||
() -> client().prepareIndex("missing", "type", "id").setSource("field", "value").get());
|
IndexAction.NAME);
|
||||||
assertAuthorizationException(exception);
|
|
||||||
assertThat(exception.getMessage(), containsString("[indices:data/write/index] is unauthorized"));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDelete() {
|
public void testDelete() {
|
||||||
|
@ -56,14 +60,11 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
|
client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
|
||||||
assertEquals(RestStatus.OK, client().prepareDelete("test1", "type", "id").get().status());
|
assertEquals(RestStatus.OK, client().prepareDelete("test1", "type", "id").get().status());
|
||||||
|
|
||||||
assertThrowsAuthorizationException(client().prepareDelete("index1", "type", "id"));
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, DeleteAction.NAME);
|
||||||
|
|
||||||
assertEquals(RestStatus.NOT_FOUND, client().prepareDelete("test4", "type", "id").get().status());
|
assertEquals(RestStatus.NOT_FOUND, client().prepareDelete("test4", "type", "id").get().status());
|
||||||
|
|
||||||
ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, DeleteAction.NAME);
|
||||||
() -> client().prepareDelete("missing", "type", "id").get());
|
|
||||||
assertAuthorizationException(exception);
|
|
||||||
assertThat(exception.getMessage(), containsString("[indices:data/write/delete] is unauthorized"));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testUpdate() {
|
public void testUpdate() {
|
||||||
|
@ -71,14 +72,13 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
|
client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
|
||||||
assertEquals(RestStatus.OK, client().prepareUpdate("test1", "type", "id").setDoc("field2", "value2").get().status());
|
assertEquals(RestStatus.OK, client().prepareUpdate("test1", "type", "id").setDoc("field2", "value2").get().status());
|
||||||
|
|
||||||
assertThrowsAuthorizationException(client().prepareUpdate("index1", "type", "id").setDoc("field2", "value2"));
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareUpdate("index1", "type", "id").setDoc("field2", "value2")::get,
|
||||||
|
UpdateAction.NAME);
|
||||||
|
|
||||||
expectThrows(DocumentMissingException.class, () -> client().prepareUpdate("test4", "type", "id").setDoc("field2", "value2").get());
|
expectThrows(DocumentMissingException.class, () -> client().prepareUpdate("test4", "type", "id").setDoc("field2", "value2").get());
|
||||||
|
|
||||||
ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class,
|
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareUpdate("missing", "type", "id").setDoc("field2", "value2")::get,
|
||||||
() -> client().prepareUpdate("missing", "type", "id").setDoc("field2", "value2").get());
|
UpdateAction.NAME);
|
||||||
assertAuthorizationException(exception);
|
|
||||||
assertThat(exception.getMessage(), containsString("[indices:data/write/update] is unauthorized"));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testBulk() {
|
public void testBulk() {
|
||||||
|
@ -105,7 +105,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
assertTrue(bulkResponse.getItems()[1].isFailed());
|
assertTrue(bulkResponse.getItems()[1].isFailed());
|
||||||
assertEquals(DocWriteRequest.OpType.INDEX, bulkResponse.getItems()[1].getOpType());
|
assertEquals(DocWriteRequest.OpType.INDEX, bulkResponse.getItems()[1].getOpType());
|
||||||
assertEquals("index1", bulkResponse.getItems()[1].getFailure().getIndex());
|
assertEquals("index1", bulkResponse.getItems()[1].getFailure().getIndex());
|
||||||
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[1].getFailure().getCause());
|
assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[1].getFailure().getCause(), BulkAction.NAME + "[s]");
|
||||||
assertThat(bulkResponse.getItems()[1].getFailure().getCause().getMessage(),
|
assertThat(bulkResponse.getItems()[1].getFailure().getCause().getMessage(),
|
||||||
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
||||||
assertFalse(bulkResponse.getItems()[2].isFailed());
|
assertFalse(bulkResponse.getItems()[2].isFailed());
|
||||||
|
@ -116,7 +116,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
//the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
|
//the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
|
||||||
assertEquals("missing", bulkResponse.getItems()[3].getFailure().getIndex());
|
assertEquals("missing", bulkResponse.getItems()[3].getFailure().getIndex());
|
||||||
assertThat(bulkResponse.getItems()[3].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class));
|
assertThat(bulkResponse.getItems()[3].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class));
|
||||||
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[3].getFailure().getCause());
|
assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[3].getFailure().getCause(), BulkAction.NAME + "[s]");
|
||||||
assertThat(bulkResponse.getItems()[3].getFailure().getCause().getMessage(),
|
assertThat(bulkResponse.getItems()[3].getFailure().getCause().getMessage(),
|
||||||
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
||||||
assertFalse(bulkResponse.getItems()[4].isFailed());
|
assertFalse(bulkResponse.getItems()[4].isFailed());
|
||||||
|
@ -125,7 +125,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
assertTrue(bulkResponse.getItems()[5].isFailed());
|
assertTrue(bulkResponse.getItems()[5].isFailed());
|
||||||
assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[5].getOpType());
|
assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[5].getOpType());
|
||||||
assertEquals("index1", bulkResponse.getItems()[5].getFailure().getIndex());
|
assertEquals("index1", bulkResponse.getItems()[5].getFailure().getIndex());
|
||||||
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[5].getFailure().getCause());
|
assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[5].getFailure().getCause(), BulkAction.NAME + "[s]");
|
||||||
assertThat(bulkResponse.getItems()[5].getFailure().getCause().getMessage(),
|
assertThat(bulkResponse.getItems()[5].getFailure().getCause().getMessage(),
|
||||||
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
||||||
assertFalse(bulkResponse.getItems()[6].isFailed());
|
assertFalse(bulkResponse.getItems()[6].isFailed());
|
||||||
|
@ -134,7 +134,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
assertTrue(bulkResponse.getItems()[7].isFailed());
|
assertTrue(bulkResponse.getItems()[7].isFailed());
|
||||||
assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[7].getOpType());
|
assertEquals(DocWriteRequest.OpType.DELETE, bulkResponse.getItems()[7].getOpType());
|
||||||
assertEquals("missing", bulkResponse.getItems()[7].getFailure().getIndex());
|
assertEquals("missing", bulkResponse.getItems()[7].getFailure().getIndex());
|
||||||
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[7].getFailure().getCause());
|
assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[7].getFailure().getCause(), BulkAction.NAME + "[s]");
|
||||||
assertThat(bulkResponse.getItems()[7].getFailure().getCause().getMessage(),
|
assertThat(bulkResponse.getItems()[7].getFailure().getCause().getMessage(),
|
||||||
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
||||||
assertFalse(bulkResponse.getItems()[8].isFailed());
|
assertFalse(bulkResponse.getItems()[8].isFailed());
|
||||||
|
@ -146,7 +146,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
assertTrue(bulkResponse.getItems()[10].isFailed());
|
assertTrue(bulkResponse.getItems()[10].isFailed());
|
||||||
assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[10].getOpType());
|
assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[10].getOpType());
|
||||||
assertEquals("index1", bulkResponse.getItems()[10].getFailure().getIndex());
|
assertEquals("index1", bulkResponse.getItems()[10].getFailure().getIndex());
|
||||||
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[10].getFailure().getCause());
|
assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[10].getFailure().getCause(), BulkAction.NAME + "[s]");
|
||||||
assertThat(bulkResponse.getItems()[10].getFailure().getCause().getMessage(),
|
assertThat(bulkResponse.getItems()[10].getFailure().getCause().getMessage(),
|
||||||
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
||||||
assertTrue(bulkResponse.getItems()[11].isFailed());
|
assertTrue(bulkResponse.getItems()[11].isFailed());
|
||||||
|
@ -157,7 +157,7 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
||||||
assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[12].getOpType());
|
assertEquals(DocWriteRequest.OpType.UPDATE, bulkResponse.getItems()[12].getOpType());
|
||||||
assertEquals("missing", bulkResponse.getItems()[12].getFailure().getIndex());
|
assertEquals("missing", bulkResponse.getItems()[12].getFailure().getIndex());
|
||||||
assertThat(bulkResponse.getItems()[12].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class));
|
assertThat(bulkResponse.getItems()[12].getFailure().getCause(), instanceOf(ElasticsearchSecurityException.class));
|
||||||
assertAuthorizationException((ElasticsearchSecurityException) bulkResponse.getItems()[12].getFailure().getCause());
|
assertAuthorizationExceptionDefaultUsers(bulkResponse.getItems()[12].getFailure().getCause(), BulkAction.NAME + "[s]");
|
||||||
assertThat(bulkResponse.getItems()[12].getFailure().getCause().getMessage(),
|
assertThat(bulkResponse.getItems()[12].getFailure().getCause().getMessage(),
|
||||||
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
containsString("[indices:data/write/bulk[s]] is unauthorized"));
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue