Remove reserved roles for code search (#50115)
The "code_user" and "code_admin" reserved roles existed to support code search which is no longer included in Kibana. The "kibana_system" role included privileges to read/write from the code search indices, but no longer needs that access. Backport of: #50068
This commit is contained in:
Tim Vernum
GitHub
parent
e287427a03
commit
2811b97b76
|
|
@ -693,8 +693,8 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase {
|
|||
|
||||
List<Role> roles = response.getRoles();
|
||||
assertNotNull(response);
|
||||
// 29 system roles plus the three we created
|
||||
assertThat(roles.size(), equalTo(33));
|
||||
// 28 system roles plus the three we created
|
||||
assertThat(roles.size(), equalTo(28 + 3));
|
||||
}
|
||||
|
||||
{
|
||||
|
|
|
|||
|
|
@ -122,9 +122,6 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
|
|||
.indices(".monitoring-*").privileges("read", "read_cross_cluster").build(),
|
||||
RoleDescriptor.IndicesPrivileges.builder()
|
||||
.indices(".management-beats").privileges("create_index", "read", "write").build(),
|
||||
// .code_internal-* is for Code's internal worker queue index creation.
|
||||
RoleDescriptor.IndicesPrivileges.builder()
|
||||
.indices(".code-*", ".code_internal-*").privileges("all").build(),
|
||||
// .apm-* is for APM's agent configuration index creation
|
||||
RoleDescriptor.IndicesPrivileges.builder()
|
||||
.indices(".apm-agent-configuration").privileges("all").build(),
|
||||
|
|
@ -253,16 +250,6 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
|
|||
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
|
||||
.put("rollup_admin", new RoleDescriptor("rollup_admin", new String[] { "manage_rollup" },
|
||||
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
|
||||
.put("code_admin", new RoleDescriptor("code_admin", new String[] {},
|
||||
new RoleDescriptor.IndicesPrivileges[] {
|
||||
RoleDescriptor.IndicesPrivileges.builder()
|
||||
.indices(".code-*").privileges("all").build()
|
||||
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
|
||||
.put("code_user", new RoleDescriptor("code_user", new String[] {},
|
||||
new RoleDescriptor.IndicesPrivileges[] {
|
||||
RoleDescriptor.IndicesPrivileges.builder()
|
||||
.indices(".code-*").privileges("read").build()
|
||||
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
|
||||
.put("snapshot_user", new RoleDescriptor("snapshot_user", new String[] { "create_snapshot", GetRepositoriesAction.NAME },
|
||||
new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder()
|
||||
.indices("*")
|
||||
|
|
|
|||
|
|
@ -200,8 +200,8 @@ public class ReservedRolesStoreTests extends ESTestCase {
|
|||
assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.COLLECTION_ROLE_NAME), is(true));
|
||||
assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.INDEXING_ROLE_NAME), is(true));
|
||||
assertThat(ReservedRolesStore.isReserved("snapshot_user"), is(true));
|
||||
assertThat(ReservedRolesStore.isReserved("code_admin"), is(true));
|
||||
assertThat(ReservedRolesStore.isReserved("code_user"), is(true));
|
||||
assertThat(ReservedRolesStore.isReserved("code_admin"), is(false));
|
||||
assertThat(ReservedRolesStore.isReserved("code_user"), is(false));
|
||||
}
|
||||
|
||||
public void testSnapshotUserRole() {
|
||||
|
|
@ -1383,60 +1383,4 @@ public class ReservedRolesStoreTests extends ESTestCase {
|
|||
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
|
||||
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
|
||||
}
|
||||
|
||||
public void testCodeAdminRole() {
|
||||
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_admin");
|
||||
assertNotNull(roleDescriptor);
|
||||
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
|
||||
|
||||
Role codeAdminRole = Role.builder(roleDescriptor, null).build();
|
||||
|
||||
assertThat(codeAdminRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class),
|
||||
mock(Authentication.class)), is(false));
|
||||
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".code-"), is(true));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
|
||||
is(false));
|
||||
|
||||
final String index = ".code-" + randomIntBetween(0, 5);
|
||||
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
|
||||
assertThat(codeAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
|
||||
}
|
||||
|
||||
public void testCodeUserRole() {
|
||||
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_user");
|
||||
assertNotNull(roleDescriptor);
|
||||
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
|
||||
|
||||
Role codeUserRole = Role.builder(roleDescriptor, null).build();
|
||||
|
||||
assertThat(codeUserRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class),
|
||||
mock(Authentication.class)), is(false));
|
||||
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test("foo"), is(false));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".reporting"), is(false));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".code-"), is(true));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
|
||||
is(false));
|
||||
|
||||
final String index = ".code-" + randomIntBetween(0, 5);
|
||||
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(false));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
|
||||
assertThat(codeUserRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue