Add "grant_api_key" cluster privilege (#54042)

This change adds a new cluster privilege "grant_api_key" that allows
the use of the new /_security/api_key/grant endpoint

Backport of: #53527
Tim Vernum 2020-03-24 13:17:45 +11:00 committed by GitHub
parent 9e3f7f4575
commit 4bd853a6f2
4 changed files with 7 additions and 2 deletions


@ -64,6 +64,7 @@ A successful call returns an object with "cluster" and "index" fields.
"all",
"create_snapshot",
"delegate_pki",
"grant_api_key",
"manage",
"manage_api_key",
"manage_autoscaling",


@ -22,6 +22,7 @@ import org.elasticsearch.xpack.core.ilm.action.GetStatusAction;
import org.elasticsearch.xpack.core.ilm.action.StartILMAction;
import org.elasticsearch.xpack.core.ilm.action.StopILMAction;
import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
import org.elasticsearch.xpack.core.security.action.GrantApiKeyAction;
import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenAction;
import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
@ -49,6 +50,7 @@ public class ClusterPrivilegeResolver {
private static final Set<String> MANAGE_OIDC_PATTERN = Collections.singleton("cluster:admin/xpack/security/oidc/*");
private static final Set<String> MANAGE_TOKEN_PATTERN = Collections.singleton("cluster:admin/xpack/security/token/*");
private static final Set<String> MANAGE_API_KEY_PATTERN = Collections.singleton("cluster:admin/xpack/security/api_key/*");
private static final Set<String> GRANT_API_KEY_PATTERN = Collections.singleton(GrantApiKeyAction.NAME + "*");
private static final Set<String> MONITOR_PATTERN = Collections.singleton("cluster:monitor/*");
private static final Set<String> MONITOR_TRANSFORM_PATTERN = Collections.unmodifiableSet(
Sets.newHashSet("cluster:monitor/data_frame/*", "cluster:monitor/transform/*"));
@ -118,6 +120,7 @@ public class ClusterPrivilegeResolver {
public static final NamedClusterPrivilege MANAGE_SAML = new ActionClusterPrivilege("manage_saml", MANAGE_SAML_PATTERN);
public static final NamedClusterPrivilege MANAGE_OIDC = new ActionClusterPrivilege("manage_oidc", MANAGE_OIDC_PATTERN);
public static final NamedClusterPrivilege MANAGE_API_KEY = new ActionClusterPrivilege("manage_api_key", MANAGE_API_KEY_PATTERN);
public static final NamedClusterPrivilege GRANT_API_KEY = new ActionClusterPrivilege("grant_api_key", GRANT_API_KEY_PATTERN);
public static final NamedClusterPrivilege MANAGE_PIPELINE = new ActionClusterPrivilege("manage_pipeline",
Collections.singleton("cluster:admin/ingest/pipeline/*"));
public static final NamedClusterPrivilege MANAGE_AUTOSCALING = new ActionClusterPrivilege(
@ -160,6 +163,7 @@ public class ClusterPrivilegeResolver {
MANAGE_SAML,
MANAGE_OIDC,
MANAGE_API_KEY,
GRANT_API_KEY,
MANAGE_PIPELINE,
MANAGE_ROLLUP,
MANAGE_AUTOSCALING,
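Review bot: The new constant `GRANT_API_KEY_PATTERN` in the second hunk is built as `GrantApiKeyAction.NAME + "*"`, which is a different shape from every neighbouring pattern (string literals ending in `/*`): a bare trailing `*` matches any action whose name merely begins with the grant action's name, so if that is deliberate (e.g. to cover derived transport action names) a comment on that line should say so, and if not, `Collections.singleton(GrantApiKeyAction.NAME)` is the tighter choice. The relationship to `MANAGE_API_KEY` is also undocumented: if `GrantApiKeyAction.NAME` sits under the `cluster:admin/xpack/security/api_key/` prefix used by `MANAGE_API_KEY_PATTERN`, then `manage_api_key` already implies `grant_api_key`, which role authors need to know when choosing between the two. I would add Javadoc on the new `GRANT_API_KEY` field in the third hunk such as `/** Permits only the API-key "grant" action ({@link GrantApiKeyAction}); see {@link #MANAGE_API_KEY} for the broader privilege. */`. The enclosing class `ClusterPrivilegeResolver` starts and ends outside these hunks.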


@ -47,7 +47,7 @@ public class ApiKeyRestIT extends SecurityOnTrialLicenseRestTestCase {
@Before
public void createUsers() throws IOException {
createUser(SYSTEM_USER, SYSTEM_USER_PASSWORD, Collections.singletonList("system_role"));
createRole("system_role", Collections.singleton("manage_api_key"));
createRole("system_role", Collections.singleton("grant_api_key"));
createUser(END_USER, END_USER_PASSWORD, Collections.singletonList("user_role"));
createRole("user_role", Collections.singleton("monitor"));
}
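Review bot: Taking the second `createRole("system_role", ...)` line as the new side, `createUsers` now gives `system_role` only `grant_api_key`, so the fixture shows that the privilege is sufficient but nothing visible shows it is necessary: `END_USER`'s `user_role` carries only `monitor`, and there is no assertion in this hunk that a grant request from that user is rejected. A negative test (grant attempted by the `monitor`-only user, expecting a 403) would pin the authorization boundary that this commit introduces. Any other test in the class that still expects the system user to hold `manage_api_key` (for listing or invalidating keys) would now fail; the rest of `ApiKeyRestIT` is outside the hunk, so that cannot be confirmed here.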


@ -15,5 +15,5 @@ setup:
# This is fragile - it needs to be updated every time we add a new cluster/index privilege
# I would much prefer we could just check that specific entries are in the array, but we don't have
# an assertion for that
- length: { "cluster" : 35 }
- length: { "cluster" : 36 }
- length: { "index" : 18 }