`manage_token` privilege for `kibana_system`

Creates the manage_token cluster privilege and adds it to the
kibana_system role. This is required if kibana were to use the token
service for its authenticator process.
Because kibana_system already has manage_saml, this effectively
only adds the privilege to create tokens.
Albert Zaharovits 2018-11-21 17:15:14 +02:00 committed by GitHub
parent 3c466d29d9
commit 592a909ba7
3 changed files with 6 additions and 3 deletions


@ -31,6 +31,7 @@ public final class ClusterPrivilege extends Privilege {
private static final Automaton MANAGE_SECURITY_AUTOMATON = patterns("cluster:admin/xpack/security/*");
private static final Automaton MANAGE_SAML_AUTOMATON = patterns("cluster:admin/xpack/security/saml/*",
InvalidateTokenAction.NAME, RefreshTokenAction.NAME);
private static final Automaton MANAGE_TOKEN_AUTOMATON = patterns("cluster:admin/xpack/security/token/*");
private static final Automaton MONITOR_AUTOMATON = patterns("cluster:monitor/*");
private static final Automaton MONITOR_ML_AUTOMATON = patterns("cluster:monitor/xpack/ml/*");
private static final Automaton MONITOR_WATCHER_AUTOMATON = patterns("cluster:monitor/xpack/watcher/*");
@ -55,6 +56,7 @@ public final class ClusterPrivilege extends Privilege {
public static final ClusterPrivilege MONITOR_ROLLUP = new ClusterPrivilege("monitor_rollup", MONITOR_ROLLUP_AUTOMATON);
public static final ClusterPrivilege MANAGE = new ClusterPrivilege("manage", MANAGE_AUTOMATON);
public static final ClusterPrivilege MANAGE_ML = new ClusterPrivilege("manage_ml", MANAGE_ML_AUTOMATON);
public static final ClusterPrivilege MANAGE_TOKEN = new ClusterPrivilege("manage_token", MANAGE_TOKEN_AUTOMATON);
public static final ClusterPrivilege MANAGE_WATCHER = new ClusterPrivilege("manage_watcher", MANAGE_WATCHER_AUTOMATON);
public static final ClusterPrivilege MANAGE_ROLLUP = new ClusterPrivilege("manage_rollup", MANAGE_ROLLUP_AUTOMATON);
public static final ClusterPrivilege MANAGE_IDX_TEMPLATES =
@ -79,6 +81,7 @@ public final class ClusterPrivilege extends Privilege {
.put("monitor_rollup", MONITOR_ROLLUP)
.put("manage", MANAGE)
.put("manage_ml", MANAGE_ML)
.put("manage_token", MANAGE_TOKEN)
.put("manage_watcher", MANAGE_WATCHER)
.put("manage_index_templates", MANAGE_IDX_TEMPLATES)
.put("manage_ingest_pipelines", MANAGE_INGEST_PIPELINES)
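Review bot: `MANAGE_TOKEN_AUTOMATON` is a wildcard over `cluster:admin/xpack/security/token/*`, so `manage_token` — and through it the reserved `kibana_system` role — will silently pick up any action later registered under that prefix, whereas the neighbouring `MANAGE_SAML_AUTOMATON` grants the token actions by name (`InvalidateTokenAction.NAME`, `RefreshTokenAction.NAME`). If the intent is only to let Kibana create, refresh and invalidate tokens, the least-privilege form is to enumerate them, e.g. `patterns(CreateTokenAction.NAME, InvalidateTokenAction.NAME, RefreshTokenAction.NAME)` (the test file in this commit already references `CreateTokenAction`). If the wildcard is deliberate, a one-line comment such as `// deliberately covers all current and future token-service actions` next to the constant would record that decision for whoever adds the next token action. The enclosing `ClusterPrivilege` class continues outside this hunk.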


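--- a/ReservedRolesStore.java
+++ b/ReservedRolesStore.java
@@ -111,7 +111,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
 null))
 .put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME,
 new String[] {
-"monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml",
+"monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token"
 },
 new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*", ".reporting-*").privileges("all").build(),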
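Review bot: The widened cluster-privilege list for the reserved `kibana_system` role is a bare string array with nothing recording why each entry is granted, and the new line also drops the trailing comma the old line had, so the next addition will again rewrite this line instead of appending one. I would keep the trailing comma, `"monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token",`, and add a short why-comment above the array along the lines of `// manage_saml and manage_token: Kibana drives SAML and token-based authentication on behalf of its users`. Because reserved roles cannot be edited by operators, any privilege added here is effectively permanent for every deployment, which is worth stating near the grant. The `RoleDescriptor` construction continues outside this hunk.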


@ -199,11 +199,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertThat(kibanaRole.cluster().check(ClusterUpdateSettingsAction.NAME, request), is(false));
assertThat(kibanaRole.cluster().check(MonitoringBulkAction.NAME, request), is(true));
// SAML
// SAML and token
assertThat(kibanaRole.cluster().check(SamlPrepareAuthenticationAction.NAME, request), is(true));
assertThat(kibanaRole.cluster().check(SamlAuthenticateAction.NAME, request), is(true));
assertThat(kibanaRole.cluster().check(InvalidateTokenAction.NAME, request), is(true));
assertThat(kibanaRole.cluster().check(CreateTokenAction.NAME, request), is(false));
assertThat(kibanaRole.cluster().check(CreateTokenAction.NAME, request), is(true));
// Application Privileges
DeletePrivilegesRequest deleteKibanaPrivileges = new DeletePrivilegesRequest("kibana-.kibana", new String[]{ "all", "read" });