From 0b5af276a8b3d4cf3e94ff6ba4264d1bd1f0334c Mon Sep 17 00:00:00 2001 From: Tim Brooks Date: Wed, 16 Jan 2019 07:52:38 -0700 Subject: [PATCH] Allow system privilege to execute proxied actions (#37508) Currently all proxied actions are denied for the `SystemPrivilege`. Unfortunately, there are use cases (CCR) where we would like to proxy actions to a remote node that are normally performed by the system context. This commit allows the system context to perform proxy actions if they are actions that the system context is normally allowed to execute. --- .../transport/TransportActionProxy.java | 8 +++++ .../authz/privilege/SystemPrivilege.java | 35 ++++++++++++------- .../authz/privilege/PrivilegeTests.java | 1 + 3 files changed, 31 insertions(+), 13 deletions(-) diff --git a/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java b/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java index a5b926249f8..e1e3c25f083 100644 --- a/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java +++ b/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java @@ -175,6 +175,14 @@ public final class TransportActionProxy { return request; } + /** + * Unwraps a proxy action and returns the underlying action + */ + public static String unwrapAction(String action) { + assert isProxyAction(action) : "Attempted to unwrap non-proxy action: " + action; + return action.substring(PROXY_ACTION_PREFIX.length()); + } + /** * Returns true iff the given action is a proxy action */ diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java index c673b8ee327..ca8318212c9 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java @@ -5,6 +5,7 @@ */ package org.elasticsearch.xpack.core.security.authz.privilege; +import org.elasticsearch.transport.TransportActionProxy; import org.elasticsearch.xpack.core.security.support.Automatons; import java.util.Collections; @@ -14,19 +15,27 @@ public final class SystemPrivilege extends Privilege { public static SystemPrivilege INSTANCE = new SystemPrivilege(); - private static final Predicate PREDICATE = Automatons.predicate(Automatons. - minusAndMinimize(Automatons.patterns( - "internal:*", - "indices:monitor/*", // added for monitoring - "cluster:monitor/*", // added for monitoring - "cluster:admin/bootstrap/*", // for the bootstrap service - "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener - "indices:admin/mapping/put", // needed for recovery and shrink api - "indices:admin/template/put", // needed for the TemplateUpgradeService - "indices:admin/template/delete", // needed for the TemplateUpgradeService - "indices:admin/seq_no/global_checkpoint_sync*", // needed for global checkpoint syncs - "indices:admin/settings/update" // needed for DiskThresholdMonitor.markIndicesReadOnly - ), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user! + private static final Predicate ALLOWED_ACTIONS = Automatons.predicate( + "internal:*", + "indices:monitor/*", // added for monitoring + "cluster:monitor/*", // added for monitoring + "cluster:admin/bootstrap/*", // for the bootstrap service + "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener + "indices:admin/mapping/put", // needed for recovery and shrink api + "indices:admin/template/put", // needed for the TemplateUpgradeService + "indices:admin/template/delete", // needed for the TemplateUpgradeService + "indices:admin/seq_no/global_checkpoint_sync*", // needed for global checkpoint syncs + "indices:admin/settings/update" // needed for DiskThresholdMonitor.markIndicesReadOnly + ); + + private static final Predicate PREDICATE = (action) -> { + // Only allow a proxy action if the underlying action is allowed + if (TransportActionProxy.isProxyAction(action)) { + return ALLOWED_ACTIONS.test(TransportActionProxy.unwrapAction(action)); + } else { + return ALLOWED_ACTIONS.test(action); + } + }; private SystemPrivilege() { super(Collections.singleton("internal")); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java index 58432cdf6c7..1484e7a8781 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java @@ -123,6 +123,7 @@ public class PrivilegeTests extends ESTestCase { assertThat(predicate.test("indices:admin/mapping/put"), is(true)); assertThat(predicate.test("indices:admin/mapping/whatever"), is(false)); assertThat(predicate.test("internal:transport/proxy/indices:data/read/query"), is(false)); + assertThat(predicate.test("internal:transport/proxy/indices:monitor/whatever"), is(true)); assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync"), is(true)); assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[p]"), is(true)); assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[r]"), is(true));