honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-08 22:14:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove reserved roles for code search (#50115)

Browse Source 
The "code_user" and "code_admin" reserved roles existed to support
code search which is no longer included in Kibana.

The "kibana_system" role included privileges to read/write from the
code search indices, but no longer needs that access.

Backport of: #50068
This commit is contained in:
Tim Vernum 2019-12-13 10:22:55 +11:00 committed by GitHub
parent e287427a03
commit 2811b97b76
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java
View File

@ -693,8 +693,8 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase {
List<Role> roles = response.getRoles(); List<Role> roles = response.getRoles();
assertNotNull(response); assertNotNull(response);
// 29 system roles plus the three we created // 28 system roles plus the three we created
assertThat(roles.size(), equalTo(33)); assertThat(roles.size(), equalTo(28 + 3));
} }
{ {

13
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
View File

@ -122,9 +122,6 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
.indices(".monitoring-*").privileges("read", "read_cross_cluster").build(), .indices(".monitoring-*").privileges("read", "read_cross_cluster").build(),
RoleDescriptor.IndicesPrivileges.builder() RoleDescriptor.IndicesPrivileges.builder()
.indices(".management-beats").privileges("create_index", "read", "write").build(), .indices(".management-beats").privileges("create_index", "read", "write").build(),
// .code_internal-* is for Code's internal worker queue index creation.
RoleDescriptor.IndicesPrivileges.builder()
.indices(".code-*", ".code_internal-*").privileges("all").build(),
// .apm-* is for APM's agent configuration index creation // .apm-* is for APM's agent configuration index creation
RoleDescriptor.IndicesPrivileges.builder() RoleDescriptor.IndicesPrivileges.builder()
.indices(".apm-agent-configuration").privileges("all").build(), .indices(".apm-agent-configuration").privileges("all").build(),
@ -253,16 +250,6 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("rollup_admin", new RoleDescriptor("rollup_admin", new String[] { "manage_rollup" }, .put("rollup_admin", new RoleDescriptor("rollup_admin", new String[] { "manage_rollup" },
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("code_admin", new RoleDescriptor("code_admin", new String[] {},
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".code-*").privileges("all").build()
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("code_user", new RoleDescriptor("code_user", new String[] {},
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".code-*").privileges("read").build()
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("snapshot_user", new RoleDescriptor("snapshot_user", new String[] { "create_snapshot", GetRepositoriesAction.NAME }, .put("snapshot_user", new RoleDescriptor("snapshot_user", new String[] { "create_snapshot", GetRepositoriesAction.NAME },
new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder()
.indices("*") .indices("*")

60
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View File

@ -200,8 +200,8 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.COLLECTION_ROLE_NAME), is(true)); assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.COLLECTION_ROLE_NAME), is(true));
assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.INDEXING_ROLE_NAME), is(true)); assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.INDEXING_ROLE_NAME), is(true));
assertThat(ReservedRolesStore.isReserved("snapshot_user"), is(true)); assertThat(ReservedRolesStore.isReserved("snapshot_user"), is(true));
assertThat(ReservedRolesStore.isReserved("code_admin"), is(true)); assertThat(ReservedRolesStore.isReserved("code_admin"), is(false));
assertThat(ReservedRolesStore.isReserved("code_user"), is(true)); assertThat(ReservedRolesStore.isReserved("code_user"), is(false));
} }
public void testSnapshotUserRole() { public void testSnapshotUserRole() {
@ -1383,60 +1383,4 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true)); assertThat(logstashAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true)); assertThat(logstashAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
} }
public void testCodeAdminRole() {
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_admin");
assertNotNull(roleDescriptor);
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
Role codeAdminRole = Role.builder(roleDescriptor, null).build();
assertThat(codeAdminRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class),
mock(Authentication.class)), is(false));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".code-"), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
is(false));
final String index = ".code-" + randomIntBetween(0, 5);
assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
}
public void testCodeUserRole() {
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_user");
assertNotNull(roleDescriptor);
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
Role codeUserRole = Role.builder(roleDescriptor, null).build();
assertThat(codeUserRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class),
mock(Authentication.class)), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test("foo"), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".reporting"), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".code-"), is(true));
assertThat(codeUserRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
is(false));
final String index = ".code-" + randomIntBetween(0, 5);
assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
assertThat(codeUserRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
assertThat(codeUserRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
}
} }