remove watcher and graph privileges. manage does not include security

Original commit: elastic/x-pack-elasticsearch@da250ed842

elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml

@@ -4,12 +4,12 @@ admin:
     '*': all
 
 watcher_manager:
-  cluster: manage_watcher, cluster:monitor/nodes/info, cluster:monitor/health
+  cluster: manage
   indices:
     '.watcher-history-*': all
 
 watcher_monitor:
-  cluster: monitor_watcher
+  cluster: monitor
   indices:
     '.watcher-history-*': read
 

elasticsearch/qa/smoke-test-graph-with-shield/roles.yml

@@ -12,8 +12,8 @@ graph_explorer:
   indices:
     - names: '*'
       privileges:
-        - graph
-        - indices:data/write/index
+        - read
+        - write
         - indices:admin/refresh
         - indices:admin/create
     

elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml

@@ -8,9 +8,7 @@ admin:
 
 watcher_manager:
   cluster:
-    - manage_watcher
-    - cluster:monitor/nodes/info
-    - cluster:monitor/health
+    - manage
   indices:
     - names: '.watcher-history-*'
       privileges:
@@ -21,7 +19,7 @@ watcher_manager:
 
 watcher_monitor:
   cluster:
-    - monitor_watcher
+    - monitor
   indices:
     - names: '.watcher-history-*'
       privileges:

elasticsearch/x-pack/shield/config/xpack/roles.yml

@@ -69,8 +69,3 @@ remote_monitoring_agent:
         - '.marvel-es-*'
         - '.monitoring-*'
       privileges: [ "all" ]
-
-# Allows all operations required to manage ingest pipelines
-ingest_admin:
-  cluster:
-    - manage_pipeline

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java

@@ -7,9 +7,6 @@ package org.elasticsearch.shield.authz.privilege;
 
 import dk.brics.automaton.Automaton;
 import org.elasticsearch.common.Strings;
-import org.elasticsearch.license.plugin.action.get.GetLicenseAction;
-import org.elasticsearch.shield.action.realm.ClearRealmCacheAction;
-import org.elasticsearch.shield.action.role.ClearRolesCacheAction;
 import org.elasticsearch.shield.support.Automatons;
 
 import java.util.Locale;
@@ -18,6 +15,7 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.CopyOnWriteArraySet;
 import java.util.function.Predicate;
 
+import static org.elasticsearch.shield.support.Automatons.minusAndDeterminize;
 import static org.elasticsearch.shield.support.Automatons.patterns;
 
 /**
@@ -26,29 +24,21 @@ import static org.elasticsearch.shield.support.Automatons.patterns;
 public class ClusterPrivilege extends AbstractAutomatonPrivilege<ClusterPrivilege> {
 
     // shared automatons
-    private static final Automaton MANAGE_USER_AUTOMATON = patterns("cluster:admin/xpack/security/user/*", ClearRealmCacheAction.NAME);
-    private static final Automaton MANAGE_ROLE_AUTOMATON = patterns("cluster:admin/xpack/security/role/*", ClearRolesCacheAction.NAME);
     private static final Automaton MANAGE_SECURITY_AUTOMATON = patterns("cluster:admin/xpack/security/*");
-    private static final Automaton MANAGE_WATCHER_AUTOMATON = patterns("cluster:admin/xpack/watcher/*", "cluster:monitor/xpack/watcher/*");
-    private static final Automaton MONITOR_WATCHER_AUTOMATON = patterns("cluster:monitor/xpack/watcher/*");
     private static final Automaton MONITOR_AUTOMATON = patterns("cluster:monitor/*");
     private static final Automaton ALL_CLUSTER_AUTOMATON = patterns("cluster:*", "indices:admin/template/*");
+    private static final Automaton MANAGE_AUTOMATON = minusAndDeterminize(ALL_CLUSTER_AUTOMATON, MANAGE_SECURITY_AUTOMATON);
     private static final Automaton TRANSPORT_CLIENT_AUTOMATON = patterns("cluster:monitor/nodes/liveness", "cluster:monitor/state");
     private static final Automaton MANAGE_IDX_TEMPLATE_AUTOMATON = patterns("indices:admin/template/*");
 
     public static final ClusterPrivilege NONE =                  new ClusterPrivilege(Name.NONE,                Automatons.EMPTY);
     public static final ClusterPrivilege ALL =                   new ClusterPrivilege(Name.ALL,                 ALL_CLUSTER_AUTOMATON);
     public static final ClusterPrivilege MONITOR =               new ClusterPrivilege("monitor",                MONITOR_AUTOMATON);
-    public static final ClusterPrivilege MANAGE =                new ClusterPrivilege("manage",                 ALL_CLUSTER_AUTOMATON);
+    public static final ClusterPrivilege MANAGE =                new ClusterPrivilege("manage",                 MANAGE_AUTOMATON);
     public static final ClusterPrivilege MANAGE_IDX_TEMPLATES =
             new ClusterPrivilege("manage_index_templates", MANAGE_IDX_TEMPLATE_AUTOMATON);
     public static final ClusterPrivilege TRANSPORT_CLIENT =      new ClusterPrivilege("transport_client",       TRANSPORT_CLIENT_AUTOMATON);
-    public static final ClusterPrivilege MANAGE_USERS =          new ClusterPrivilege("manage_users",           MANAGE_USER_AUTOMATON);
-    public static final ClusterPrivilege MANAGE_ROLES =          new ClusterPrivilege("manage_roles",           MANAGE_ROLE_AUTOMATON);
     public static final ClusterPrivilege MANAGE_SECURITY =       new ClusterPrivilege("manage_security",        MANAGE_SECURITY_AUTOMATON);
-    public static final ClusterPrivilege MANAGE_PIPELINE =       new ClusterPrivilege("manage_pipeline", "cluster:admin/ingest/pipeline/*");
-    public static final ClusterPrivilege MONITOR_WATCHER =       new ClusterPrivilege("monitor_watcher",        MONITOR_WATCHER_AUTOMATON);
-    public static final ClusterPrivilege MANAGE_WATCHER =        new ClusterPrivilege("manage_watcher",         MANAGE_WATCHER_AUTOMATON);
 
     public final static Predicate<String> ACTION_MATCHER = ClusterPrivilege.ALL.predicate();
 
@@ -61,12 +51,7 @@ public class ClusterPrivilege extends AbstractAutomatonPrivilege<ClusterPrivileg
         values.add(MANAGE);
         values.add(MANAGE_IDX_TEMPLATES);
         values.add(TRANSPORT_CLIENT);
-        values.add(MANAGE_USERS);
-        values.add(MANAGE_ROLES);
         values.add(MANAGE_SECURITY);
-        values.add(MANAGE_PIPELINE);
-        values.add(MONITOR_WATCHER);
-        values.add(MANAGE_WATCHER);
     }
 
     static Set<ClusterPrivilege> values() {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java

@@ -19,10 +19,7 @@ import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsAction;
 import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction;
 import org.elasticsearch.action.admin.indices.settings.get.GetSettingsAction;
 import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryAction;
-import org.elasticsearch.action.search.SearchAction;
 import org.elasticsearch.common.Strings;
-import org.elasticsearch.graph.action.GraphExploreAction;
-import org.elasticsearch.search.action.SearchTransportService;
 import org.elasticsearch.shield.support.Automatons;
 
 import java.util.Locale;
@@ -53,8 +50,6 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
     private static final Automaton VIEW_METADATA_AUTOMATON = patterns(GetAliasesAction.NAME, AliasesExistAction.NAME,
             GetIndexAction.NAME, IndicesExistsAction.NAME, GetFieldMappingsAction.NAME, GetMappingsAction.NAME,
             ClusterSearchShardsAction.NAME, TypesExistsAction.NAME, ValidateQueryAction.NAME, GetSettingsAction.NAME);
-    private static final Automaton GRAPH_AUTOMATON = patterns(GraphExploreAction.NAME, SearchTransportService.QUERY_ACTION_NAME,
-            SearchAction.NAME, SearchTransportService.QUERY_FETCH_ACTION_NAME);
 
     public static final IndexPrivilege NONE =                new IndexPrivilege(Name.NONE,             Automatons.EMPTY);
     public static final IndexPrivilege ALL =                 new IndexPrivilege(Name.ALL,              ALL_AUTOMATON);
@@ -68,7 +63,6 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
     public static final IndexPrivilege DELETE_INDEX =        new IndexPrivilege("delete_index",        DELETE_INDEX_AUTOMATON);
     public static final IndexPrivilege CREATE_INDEX =        new IndexPrivilege("create_index",        CREATE_INDEX_AUTOMATON);
     public static final IndexPrivilege VIEW_METADATA =       new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON);
-    public static final IndexPrivilege GRAPH =               new IndexPrivilege("graph",               GRAPH_AUTOMATON);
 
     private static final Set<IndexPrivilege> values = new CopyOnWriteArraySet<>();
 
@@ -85,7 +79,6 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
         values.add(CREATE);
         values.add(DELETE_INDEX);
         values.add(VIEW_METADATA);
-        values.add(GRAPH);
     }
 
     public static final Predicate<String> ACTION_MATCHER = ALL.predicate();

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java

@@ -72,16 +72,6 @@ public class PrivilegeTests extends ESTestCase {
         assertThat(cluster, is(cluster2));
     }
 
-    public void testIngestPrivilege() throws Exception {
-        Privilege.Name name = new Privilege.Name("manage_pipeline");
-        ClusterPrivilege cluster = ClusterPrivilege.get(name);
-        assertThat(cluster, is(ClusterPrivilege.MANAGE_PIPELINE));
-        assertThat(cluster.predicate().test(PutPipelineAction.NAME), is(true));
-        assertThat(cluster.predicate().test(DeletePipelineAction.NAME), is(true));
-        assertThat(cluster.predicate().test(GetPipelineAction.NAME), is(true));
-        assertThat(cluster.predicate().test(SimulatePipelineAction.NAME), is(true));
-    }
-
     public void testClusterTemplateActions() throws Exception {
         Privilege.Name name = new Privilege.Name("indices:admin/template/delete");
         ClusterPrivilege cluster = ClusterPrivilege.get(name);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java

@@ -233,7 +233,7 @@ public class FileRolesStoreTests extends ESTestCase {
         Path path = getDataPath("default_roles.yml");
         Map<String, Role> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY);
         assertThat(roles, notNullValue());
-        assertThat(roles.size(), is(9));
+        assertThat(roles.size(), is(8));
 
         assertThat(roles, hasKey("admin"));
         assertThat(roles, hasKey("power_user"));
@@ -243,7 +243,6 @@ public class FileRolesStoreTests extends ESTestCase {
         assertThat(roles, hasKey("logstash"));
         assertThat(roles, hasKey("monitoring_user"));
         assertThat(roles, hasKey("remote_monitoring_agent"));
-        assertThat(roles, hasKey("ingest_admin"));
     }
 
     public void testAutoReload() throws Exception {

elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/default_roles.yml

@@ -69,8 +69,3 @@ remote_monitoring_agent:
         - '.marvel-es-*'
         - '.monitoring-*'
       privileges: [ "all" ]
-
-# Allows all operations required to manage ingest pipelines
-ingest_admin:
-  cluster:
-    - manage_pipeline

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java

@@ -691,12 +691,12 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
                 "      privileges: [ all ]\n" +
                 "\n" +
                 "admin:\n" +
-                "  cluster: [ 'manage_watcher', 'cluster:monitor/nodes/info', 'cluster:monitor/nodes/liveness' ]\n" +
+                "  cluster: [ 'manage' ]\n" +
                 "transport_client:\n" +
-                "  cluster: [ 'cluster:monitor/nodes/info', 'cluster:monitor/nodes/liveness' ]\n" +
+                "  cluster: [ 'transport_client' ]\n" +
                 "\n" +
                 "monitor:\n" +
-                "  cluster: [ 'monitor_watcher', 'cluster:monitor/nodes/info', 'cluster:monitor/nodes/liveness' ]\n"
+                "  cluster: [ 'monitor' ]\n"
                 ;