From 2872acd742f00d11d998eb40487e53e534501ae6 Mon Sep 17 00:00:00 2001 From: jaymode Date: Thu, 17 Mar 2016 12:51:03 -0400 Subject: [PATCH] remove watcher and graph privileges. manage does not include security Original commit: elastic/x-pack-elasticsearch@da250ed84224653f6fd8e0035ba6f4edeaf82d54 --- .../watcher-with-shield-roles.yml | 4 ++-- .../qa/smoke-test-graph-with-shield/roles.yml | 4 ++-- .../smoke-test-watcher-with-shield/roles.yml | 6 ++---- .../x-pack/shield/config/xpack/roles.yml | 5 ----- .../authz/privilege/ClusterPrivilege.java | 21 +++---------------- .../authz/privilege/IndexPrivilege.java | 7 ------- .../authz/privilege/PrivilegeTests.java | 10 --------- .../authz/store/FileRolesStoreTests.java | 3 +-- .../shield/authz/store/default_roles.yml | 5 ----- .../AbstractWatcherIntegrationTestCase.java | 6 +++--- 10 files changed, 13 insertions(+), 58 deletions(-) diff --git a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml index a0c1878f919..74a86b35eb5 100644 --- a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml +++ b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml @@ -4,12 +4,12 @@ admin: '*': all watcher_manager: - cluster: manage_watcher, cluster:monitor/nodes/info, cluster:monitor/health + cluster: manage indices: '.watcher-history-*': all watcher_monitor: - cluster: monitor_watcher + cluster: monitor indices: '.watcher-history-*': read diff --git a/elasticsearch/qa/smoke-test-graph-with-shield/roles.yml b/elasticsearch/qa/smoke-test-graph-with-shield/roles.yml index 69b72aaddd5..6a5b4183287 100644 --- a/elasticsearch/qa/smoke-test-graph-with-shield/roles.yml +++ b/elasticsearch/qa/smoke-test-graph-with-shield/roles.yml @@ -12,8 +12,8 @@ graph_explorer: indices: - names: '*' privileges: - - graph - - indices:data/write/index + - read + - write - indices:admin/refresh - indices:admin/create diff --git a/elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml b/elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml index ced242d9d3b..ba29cd6d7ae 100644 --- a/elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml +++ b/elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml @@ -8,9 +8,7 @@ admin: watcher_manager: cluster: - - manage_watcher - - cluster:monitor/nodes/info - - cluster:monitor/health + - manage indices: - names: '.watcher-history-*' privileges: @@ -21,7 +19,7 @@ watcher_manager: watcher_monitor: cluster: - - monitor_watcher + - monitor indices: - names: '.watcher-history-*' privileges: diff --git a/elasticsearch/x-pack/shield/config/xpack/roles.yml b/elasticsearch/x-pack/shield/config/xpack/roles.yml index 1c36fd5ab07..f998b18b427 100644 --- a/elasticsearch/x-pack/shield/config/xpack/roles.yml +++ b/elasticsearch/x-pack/shield/config/xpack/roles.yml @@ -69,8 +69,3 @@ remote_monitoring_agent: - '.marvel-es-*' - '.monitoring-*' privileges: [ "all" ] - -# Allows all operations required to manage ingest pipelines -ingest_admin: - cluster: - - manage_pipeline diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java index f683ca76d20..1df9151bb43 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java @@ -7,9 +7,6 @@ package org.elasticsearch.shield.authz.privilege; import dk.brics.automaton.Automaton; import org.elasticsearch.common.Strings; -import org.elasticsearch.license.plugin.action.get.GetLicenseAction; -import org.elasticsearch.shield.action.realm.ClearRealmCacheAction; -import org.elasticsearch.shield.action.role.ClearRolesCacheAction; import org.elasticsearch.shield.support.Automatons; import java.util.Locale; @@ -18,6 +15,7 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.CopyOnWriteArraySet; import java.util.function.Predicate; +import static org.elasticsearch.shield.support.Automatons.minusAndDeterminize; import static org.elasticsearch.shield.support.Automatons.patterns; /** @@ -26,29 +24,21 @@ import static org.elasticsearch.shield.support.Automatons.patterns; public class ClusterPrivilege extends AbstractAutomatonPrivilege { // shared automatons - private static final Automaton MANAGE_USER_AUTOMATON = patterns("cluster:admin/xpack/security/user/*", ClearRealmCacheAction.NAME); - private static final Automaton MANAGE_ROLE_AUTOMATON = patterns("cluster:admin/xpack/security/role/*", ClearRolesCacheAction.NAME); private static final Automaton MANAGE_SECURITY_AUTOMATON = patterns("cluster:admin/xpack/security/*"); - private static final Automaton MANAGE_WATCHER_AUTOMATON = patterns("cluster:admin/xpack/watcher/*", "cluster:monitor/xpack/watcher/*"); - private static final Automaton MONITOR_WATCHER_AUTOMATON = patterns("cluster:monitor/xpack/watcher/*"); private static final Automaton MONITOR_AUTOMATON = patterns("cluster:monitor/*"); private static final Automaton ALL_CLUSTER_AUTOMATON = patterns("cluster:*", "indices:admin/template/*"); + private static final Automaton MANAGE_AUTOMATON = minusAndDeterminize(ALL_CLUSTER_AUTOMATON, MANAGE_SECURITY_AUTOMATON); private static final Automaton TRANSPORT_CLIENT_AUTOMATON = patterns("cluster:monitor/nodes/liveness", "cluster:monitor/state"); private static final Automaton MANAGE_IDX_TEMPLATE_AUTOMATON = patterns("indices:admin/template/*"); public static final ClusterPrivilege NONE = new ClusterPrivilege(Name.NONE, Automatons.EMPTY); public static final ClusterPrivilege ALL = new ClusterPrivilege(Name.ALL, ALL_CLUSTER_AUTOMATON); public static final ClusterPrivilege MONITOR = new ClusterPrivilege("monitor", MONITOR_AUTOMATON); - public static final ClusterPrivilege MANAGE = new ClusterPrivilege("manage", ALL_CLUSTER_AUTOMATON); + public static final ClusterPrivilege MANAGE = new ClusterPrivilege("manage", MANAGE_AUTOMATON); public static final ClusterPrivilege MANAGE_IDX_TEMPLATES = new ClusterPrivilege("manage_index_templates", MANAGE_IDX_TEMPLATE_AUTOMATON); public static final ClusterPrivilege TRANSPORT_CLIENT = new ClusterPrivilege("transport_client", TRANSPORT_CLIENT_AUTOMATON); - public static final ClusterPrivilege MANAGE_USERS = new ClusterPrivilege("manage_users", MANAGE_USER_AUTOMATON); - public static final ClusterPrivilege MANAGE_ROLES = new ClusterPrivilege("manage_roles", MANAGE_ROLE_AUTOMATON); public static final ClusterPrivilege MANAGE_SECURITY = new ClusterPrivilege("manage_security", MANAGE_SECURITY_AUTOMATON); - public static final ClusterPrivilege MANAGE_PIPELINE = new ClusterPrivilege("manage_pipeline", "cluster:admin/ingest/pipeline/*"); - public static final ClusterPrivilege MONITOR_WATCHER = new ClusterPrivilege("monitor_watcher", MONITOR_WATCHER_AUTOMATON); - public static final ClusterPrivilege MANAGE_WATCHER = new ClusterPrivilege("manage_watcher", MANAGE_WATCHER_AUTOMATON); public final static Predicate ACTION_MATCHER = ClusterPrivilege.ALL.predicate(); @@ -61,12 +51,7 @@ public class ClusterPrivilege extends AbstractAutomatonPrivilege values() { diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java index 96ebbb95478..603be891a4e 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java @@ -19,10 +19,7 @@ import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsAction; import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction; import org.elasticsearch.action.admin.indices.settings.get.GetSettingsAction; import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryAction; -import org.elasticsearch.action.search.SearchAction; import org.elasticsearch.common.Strings; -import org.elasticsearch.graph.action.GraphExploreAction; -import org.elasticsearch.search.action.SearchTransportService; import org.elasticsearch.shield.support.Automatons; import java.util.Locale; @@ -53,8 +50,6 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege { private static final Automaton VIEW_METADATA_AUTOMATON = patterns(GetAliasesAction.NAME, AliasesExistAction.NAME, GetIndexAction.NAME, IndicesExistsAction.NAME, GetFieldMappingsAction.NAME, GetMappingsAction.NAME, ClusterSearchShardsAction.NAME, TypesExistsAction.NAME, ValidateQueryAction.NAME, GetSettingsAction.NAME); - private static final Automaton GRAPH_AUTOMATON = patterns(GraphExploreAction.NAME, SearchTransportService.QUERY_ACTION_NAME, - SearchAction.NAME, SearchTransportService.QUERY_FETCH_ACTION_NAME); public static final IndexPrivilege NONE = new IndexPrivilege(Name.NONE, Automatons.EMPTY); public static final IndexPrivilege ALL = new IndexPrivilege(Name.ALL, ALL_AUTOMATON); @@ -68,7 +63,6 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege { public static final IndexPrivilege DELETE_INDEX = new IndexPrivilege("delete_index", DELETE_INDEX_AUTOMATON); public static final IndexPrivilege CREATE_INDEX = new IndexPrivilege("create_index", CREATE_INDEX_AUTOMATON); public static final IndexPrivilege VIEW_METADATA = new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON); - public static final IndexPrivilege GRAPH = new IndexPrivilege("graph", GRAPH_AUTOMATON); private static final Set values = new CopyOnWriteArraySet<>(); @@ -85,7 +79,6 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege { values.add(CREATE); values.add(DELETE_INDEX); values.add(VIEW_METADATA); - values.add(GRAPH); } public static final Predicate ACTION_MATCHER = ALL.predicate(); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java index 11fb580ea5b..65f5a4e796f 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java @@ -72,16 +72,6 @@ public class PrivilegeTests extends ESTestCase { assertThat(cluster, is(cluster2)); } - public void testIngestPrivilege() throws Exception { - Privilege.Name name = new Privilege.Name("manage_pipeline"); - ClusterPrivilege cluster = ClusterPrivilege.get(name); - assertThat(cluster, is(ClusterPrivilege.MANAGE_PIPELINE)); - assertThat(cluster.predicate().test(PutPipelineAction.NAME), is(true)); - assertThat(cluster.predicate().test(DeletePipelineAction.NAME), is(true)); - assertThat(cluster.predicate().test(GetPipelineAction.NAME), is(true)); - assertThat(cluster.predicate().test(SimulatePipelineAction.NAME), is(true)); - } - public void testClusterTemplateActions() throws Exception { Privilege.Name name = new Privilege.Name("indices:admin/template/delete"); ClusterPrivilege cluster = ClusterPrivilege.get(name); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java index ff724398c63..7a3e498b624 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java @@ -233,7 +233,7 @@ public class FileRolesStoreTests extends ESTestCase { Path path = getDataPath("default_roles.yml"); Map roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY); assertThat(roles, notNullValue()); - assertThat(roles.size(), is(9)); + assertThat(roles.size(), is(8)); assertThat(roles, hasKey("admin")); assertThat(roles, hasKey("power_user")); @@ -243,7 +243,6 @@ public class FileRolesStoreTests extends ESTestCase { assertThat(roles, hasKey("logstash")); assertThat(roles, hasKey("monitoring_user")); assertThat(roles, hasKey("remote_monitoring_agent")); - assertThat(roles, hasKey("ingest_admin")); } public void testAutoReload() throws Exception { diff --git a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/default_roles.yml b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/default_roles.yml index 1c36fd5ab07..f998b18b427 100644 --- a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/default_roles.yml +++ b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/default_roles.yml @@ -69,8 +69,3 @@ remote_monitoring_agent: - '.marvel-es-*' - '.monitoring-*' privileges: [ "all" ] - -# Allows all operations required to manage ingest pipelines -ingest_admin: - cluster: - - manage_pipeline diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java index 2859e9ad664..0c958f27ec8 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java @@ -691,12 +691,12 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase " privileges: [ all ]\n" + "\n" + "admin:\n" + - " cluster: [ 'manage_watcher', 'cluster:monitor/nodes/info', 'cluster:monitor/nodes/liveness' ]\n" + + " cluster: [ 'manage' ]\n" + "transport_client:\n" + - " cluster: [ 'cluster:monitor/nodes/info', 'cluster:monitor/nodes/liveness' ]\n" + + " cluster: [ 'transport_client' ]\n" + "\n" + "monitor:\n" + - " cluster: [ 'monitor_watcher', 'cluster:monitor/nodes/info', 'cluster:monitor/nodes/liveness' ]\n" + " cluster: [ 'monitor' ]\n" ;