honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Security: Add index template permissions for system user (elastic/x-pack-elasticsearch#1937) 

As the TemplateUpgradeService requires permissions to add and
delete index template, we have to grant those to the _system user.

This commit adds such permissions plus an integration test.

Original commit: elastic/x-pack-elasticsearch@a76ca9c738
This commit is contained in:
Alexander Reelsen 2017-07-10 16:15:13 +02:00 committed by GitHub
parent f70f432695
commit 1a57120a6b
2 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
plugin/src/main/java/org/elasticsearch/xpack/security/authz/privilege/SystemPrivilege.java
View File

@ -20,7 +20,9 @@ public final class SystemPrivilege extends Privilege {
"indices:monitor/*", // added for monitoring
"cluster:monitor/*", // added for monitoring
"cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener
"indices:admin/mapping/put" // needed for recovery and shrink api
"indices:admin/mapping/put", // needed for recovery and shrink api
"indices:admin/template/put", // needed for the TemplateUpgradeService
"indices:admin/template/delete" // needed for the TemplateUpgradeService
), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user!
private SystemPrivilege() {

74
plugin/src/test/java/org/elasticsearch/xpack/security/TemplateUpgraderTests.java Normal file
View File

@ -0,0 +1,74 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.security;
import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
import org.elasticsearch.cluster.metadata.TemplateUpgradeService;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import org.elasticsearch.test.ESIntegTestCase.Scope;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.threadpool.ThreadPool;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.hamcrest.Matchers.hasItem;
import static org.hamcrest.Matchers.not;
/**
* This test ensures, that the plugin template upgrader can add and remove
* templates when started within security, as this requires certain
* system priviliges
*/
@ClusterScope(maxNumDataNodes = 1, scope = Scope.SUITE, numClientNodes = 0)
public class TemplateUpgraderTests extends SecurityIntegTestCase {
public void testTemplatesWorkAsExpected() throws Exception {
ClusterService clusterService = internalCluster().getInstance(ClusterService.class, internalCluster().getMasterName());
ThreadPool threadPool = internalCluster().getInstance(ThreadPool.class, internalCluster().getMasterName());
Client client = internalCluster().getInstance(Client.class, internalCluster().getMasterName());
UnaryOperator<Map<String, IndexTemplateMetaData>> indexTemplateMetaDataUpgraders = map -> {
map.remove("removed-template");
map.put("added-template", IndexTemplateMetaData.builder("added-template")
.order(1)
.patterns(Collections.singletonList(randomAlphaOfLength(10))).build());
return map;
};
PutIndexTemplateResponse putIndexTemplateResponse = client().admin().indices().preparePutTemplate("removed-template")
.setOrder(1)
.setPatterns(Collections.singletonList(randomAlphaOfLength(10)))
.get();
assertAcked(putIndexTemplateResponse);
assertTemplates("removed-template", "added-template");
TemplateUpgradeService templateUpgradeService = new TemplateUpgradeService(Settings.EMPTY, client, clusterService, threadPool,
Collections.singleton(indexTemplateMetaDataUpgraders));
// ensure the cluster listener gets triggered
ClusterChangedEvent event = new ClusterChangedEvent("testing", clusterService.state(), clusterService.state());
templateUpgradeService.clusterChanged(event);
assertBusy(() -> assertTemplates("added-template", "removed-template"));
}
private void assertTemplates(String existingTemplate, String deletedTemplate) {
GetIndexTemplatesResponse response = client().admin().indices().prepareGetTemplates().get();
List<String> templateNames = response.getIndexTemplates().stream().map(IndexTemplateMetaData::name).collect(Collectors.toList());
assertThat(templateNames, hasItem(existingTemplate));
assertThat(templateNames, not(hasItem(deletedTemplate)));
}
}