From 59f639a279f619e86f809813f8fa3a506039d9d4 Mon Sep 17 00:00:00 2001
From: Dan Hermann
Date: Tue, 14 Jul 2020 08:23:49 -0500
Subject: [PATCH] Add auto_configure privilege

---
 .../client/security/user/privileges/Role.java | 4 +-
 .../security/get-builtin-privileges.asciidoc | 1 +
 .../authorization/privileges.asciidoc | 11 +++
 .../authz/privilege/IndexPrivilege.java | 7 +-
 .../test/privileges/11_builtin.yml | 2 +-
 .../test/security/authz/50_data_streams.yml | 63 ++++++++++++++
 .../test/security/authz/55_auto_configure.yml | 82 +++++++++++++++++++
 7 files changed, 166 insertions(+), 4 deletions(-)
 create mode 100644 x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/55_auto_configure.yml

diff --git a/client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java b/client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java
index 9627a98ab6c..bd1b6a50cad 100644
--- a/client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java
+++ b/client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java
@@ -352,8 +352,10 @@ public final class Role {
 public static final String MANAGE_ILM = "manage_ilm";
 public static final String CREATE_DOC = "create_doc";
 public static final String MAINTENANCE = "maintenance";
+ public static final String AUTO_CONFIGURE = "auto_configure";
 public static final String[] ALL_ARRAY = new String[] { NONE, ALL, READ, READ_CROSS, CREATE, INDEX, DELETE, WRITE, MONITOR, MANAGE,
- DELETE_INDEX, CREATE_INDEX, VIEW_INDEX_METADATA, MANAGE_FOLLOW_INDEX, MANAGE_ILM, CREATE_DOC, MAINTENANCE };
+ DELETE_INDEX, CREATE_INDEX, VIEW_INDEX_METADATA, MANAGE_FOLLOW_INDEX, MANAGE_ILM, CREATE_DOC, MAINTENANCE,
+ AUTO_CONFIGURE};
 }
 }
diff --git a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc
index fea1b35f534..c93bb546e40 100644
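Review bot: The new last element of `ALL_ARRAY` is written `AUTO_CONFIGURE};`, while the line it replaces closed with `MAINTENANCE };`, so the brace spacing of this array literal is now inconsistent with the file's existing style; `AUTO_CONFIGURE };` keeps it uniform. The constant name and its string value match the server-side registration of `"auto_configure"` in IndexPrivilege, so the client and server lists stay in agreement. Like its siblings, the new constant carries no Javadoc, which is consistent with the enclosing class as shown here.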
--- a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc
+++ b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc
@@ -100,6 +100,7 @@ A successful call returns an object with "cluster" and "index" fields.
 ],
 "index" : [
 "all",
+ "auto_configure",
 "create",
 "create_doc",
 "create_index",
diff --git a/x-pack/docs/en/security/authorization/privileges.asciidoc b/x-pack/docs/en/security/authorization/privileges.asciidoc
index f85e81f1820..4a98ea0ff4e 100644
--- a/x-pack/docs/en/security/authorization/privileges.asciidoc
+++ b/x-pack/docs/en/security/authorization/privileges.asciidoc
@@ -150,6 +150,17 @@ cluster to enable <>.
 `all`::
 Any action on an index
 
+`auto_configure`::
+Permits auto-creation of indices and data streams. An auto-create action is the
+result of an <> or <> request that targets a
+non-existent index or data stream rather than an explicit
+<> or
+<> request. Also permits
+auto-update of mappings on indices and data streams if they do not contradict
+existing mappings. An auto-update mapping action is the result of an index or
+bulk request on an index or data stream that contains new fields that may
+be mapped rather than an explicit <> request.
+
 `create`::
 Privilege to index documents. Also grants access to the update mapping action.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
index 2400a46d735..9d06979fce2 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -79,6 +79,7 @@ public final class IndexPrivilege extends Privilege {
 private static final Automaton MANAGE_ILM_AUTOMATON = patterns("indices:admin/ilm/*");
 private static final Automaton MAINTENANCE_AUTOMATON = patterns("indices:admin/refresh*", "indices:admin/flush*", "indices:admin/synced_flush", "indices:admin/forcemerge*");
+ private static final Automaton AUTO_CONFIGURE_AUTOMATON = patterns(AutoPutMappingAction.NAME, AutoCreateAction.NAME);
 
 public static final IndexPrivilege NONE = new IndexPrivilege("none", Automatons.EMPTY);
 public static final IndexPrivilege ALL = new IndexPrivilege("all", ALL_AUTOMATON);
@@ -96,8 +97,9 @@ public final class IndexPrivilege extends Privilege {
 public static final IndexPrivilege VIEW_METADATA = new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON);
 public static final IndexPrivilege MANAGE_FOLLOW_INDEX = new IndexPrivilege("manage_follow_index", MANAGE_FOLLOW_INDEX_AUTOMATON);
 public static final IndexPrivilege MANAGE_LEADER_INDEX = new IndexPrivilege("manage_leader_index", MANAGE_LEADER_INDEX_AUTOMATON);
- public static final IndexPrivilege MANAGE_ILM = new IndexPrivilege("manage_ilm", MANAGE_ILM_AUTOMATON);
- public static final IndexPrivilege MAINTENANCE = new IndexPrivilege("maintenance", MAINTENANCE_AUTOMATON);
+ public static final IndexPrivilege MANAGE_ILM = new IndexPrivilege("manage_ilm", MANAGE_ILM_AUTOMATON);
+ public static final IndexPrivilege MAINTENANCE = new IndexPrivilege("maintenance", MAINTENANCE_AUTOMATON);
+ public static final IndexPrivilege AUTO_CONFIGURE = new IndexPrivilege("auto_configure", AUTO_CONFIGURE_AUTOMATON);
 
 private static final Map VALUES = MapBuilder.newMapBuilder()
 .put("none", NONE)
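Review bot: The `MANAGE_ILM` and `MAINTENANCE` definitions in the second hunk are removed and re-added with no visible difference, which reads as whitespace-only churn that hides the one real addition, `AUTO_CONFIGURE`; dropping those two remove/add pairs keeps the hunk to the new line. On substance, `AUTO_CONFIGURE_AUTOMATON` is built from the exact action names `AutoPutMappingAction.NAME` and `AutoCreateAction.NAME` rather than a wildcard, which is the right scoping for a privilege that must not imply explicit create-index or put-mapping rights. The diffstat lists only REST YAML tests, so nothing asserts at unit level that `AUTO_CONFIGURE.predicate()` accepts those two names and rejects the explicit create-index and put-mapping actions; a small test next to the other privilege tests would pin that boundary independently of a running cluster. The diffstat also shows no import lines changing in this file (the three hunks account for all 5 insertions and 2 deletions), so `AutoPutMappingAction` and `AutoCreateAction` are presumably already imported — worth confirming. The `.put("auto_configure", AUTO_CONFIGURE)` registration in the third hunk matches the name string passed to the constructor, so lookup by name stays consistent.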
@@ -118,6 +120,7 @@ public final class IndexPrivilege extends Privilege {
 .put("manage_leader_index", MANAGE_LEADER_INDEX)
 .put("manage_ilm", MANAGE_ILM)
 .put("maintenance", MAINTENANCE)
+ .put("auto_configure", AUTO_CONFIGURE)
 .immutableMap();
 
 public static final Predicate ACTION_MATCHER = ALL.predicate();
diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml
index 2dca2483aaf..a4dc3ceecca 100644
--- a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml
+++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml
@@ -16,4 +16,4 @@ setup:
 # I would much prefer we could just check that specific entries are in the array, but we don't have
 # an assertion for that
 - length: { "cluster" : 36 }
- - length: { "index" : 18 }
+ - length: { "index" : 19 }
diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/50_data_streams.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/50_data_streams.yml
index ebeb19baf17..21773a5ec59 100644
--- a/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/50_data_streams.yml
+++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/50_data_streams.yml
@@ -90,6 +90,7 @@ teardown:
 - skip:
 version: " - 7.99.99"
 reason: "change to 7.8.99 after backport"
+ features: ["headers"]
 
 - do: # superuser
 indices.create_data_stream:
@@ -151,6 +152,7 @@ teardown:
 - skip:
 version: " - 7.99.99"
 reason: "change to 7.8.99 after backport"
+ features: ["headers"]
 
 - do: # superuser
 indices.create_data_stream:
@@ -303,3 +305,64 @@ teardown:
 indices.delete_data_stream:
 name: s-outside-of-authed-namespace
 - is_true: acknowledged
+
+---
+"auto_configure privilege permits auto-create of data streams":
+ - skip:
+ version: " - 7.99.99"
+ reason: "change to 7.8.99 after backport"
+ features: ["headers", "allowed_warnings"]
+
+ - do:
+ allowed_warnings:
+ - "index template [my-template1] has index patterns [simple*] matching patterns from existing older templates [global] with patterns (global => [*]); this template [my-template1] will take precedence during new index creation"
+ indices.put_index_template:
+ name: my-template1
+ body:
+ index_patterns: [simple*]
+ template:
+ mappings:
+ properties:
+ '@timestamp':
+ type: date
+ data_stream:
+ timestamp_field: '@timestamp'
+
+ - do:
+ security.put_role:
+ name: "data_stream_role"
+ body: >
+ {
+ "indices": [
+ { "names": ["simple-allows-auto-configure"], "privileges": ["create_doc", "auto_configure"] },
+ { "names": ["simple-data-stream1"], "privileges": ["create_doc"] }
+ ]
+ }
+
+ - do:
+ security.clear_cached_roles:
+ name: "data_stream_role"
+
+ # should succeed because test_user is authorized for auto_configure on simple-allows-auto-configure
+ - do:
+ headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
+ index:
+ index: simple-allows-auto-configure
+ id: 1
+ op_type: create
+ body: { foo: bar, "@timestamp": "2020-12-12" }
+
+ # should fail because test_user is not authorized for auto_configure on simple-data-stream1
+ - do:
+ catch: forbidden
+ headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
+ index:
+ index: simple-data-stream1
+ id: 1
+ op_type: create
+ body: { foo: bar, "@timestamp": "2020-12-12" }
+
+ - do: # superuser
+ indices.delete_data_stream:
+ name: simple-allows-auto-configure
+ - is_true: acknowledged
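Review bot: The new test re-puts `data_stream_role`; if the file's setup (outside this hunk) defines a role of that name for the other tests, this replaces its definition for the rest of the file, and the cleanup at the end removes only the data stream without restoring the role — either use a distinct role name here or restore the original definition, unless the file's teardown (not visible here) already deletes the role. The `security.clear_cached_roles` step right after the put is correct, since a stale cached role would let the positive case pass for the wrong reason. The negative case depends on `simple-data-stream1` not existing at request time; if an earlier test left it behind, `create_doc` alone would allow the write and `catch: forbidden` would fail, which is at least a loud failure rather than a silent pass.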
diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/55_auto_configure.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/55_auto_configure.yml
new file mode 100644
index 00000000000..4ee0e661923
--- /dev/null
+++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/55_auto_configure.yml
@@ -0,0 +1,82 @@
+---
+setup:
+ - skip:
+ features: ["headers", "allowed_warnings"]
+ version: " - 7.99.99"
+ reason: "change to 7.8.99 after backport"
+
+ - do:
+ cluster.health:
+ wait_for_status: yellow
+
+ - do:
+ security.put_role:
+ name: "ingest_role"
+ body: >
+ {
+ "indices": [
+ { "names": ["index-auto-configure"], "privileges": ["create_doc", "auto_configure"] },
+ { "names": ["index-limited"], "privileges": ["create_doc"] }
+ ]
+ }
+
+ - do:
+ security.put_user:
+ username: "test_user"
+ body: >
+ {
+ "password" : "x-pack-test-password",
+ "roles" : [ "ingest_role" ],
+ "full_name" : "user with privileges on data streams but not backing indices"
+ }
+
+ - do:
+ allowed_warnings:
+ - "index template [my-template1] has index patterns [index*] matching patterns from existing older templates [global] with patterns (global => [*]); this template [my-template1] will take precedence during new index creation"
+ indices.put_index_template:
+ name: my-template1
+ body:
+ index_patterns: [index*]
+ template:
+ mappings:
+ properties:
+ '@timestamp':
+ type: date
+
+---
+teardown:
+ - do:
+ security.delete_user:
+ username: "test_user"
+ ignore: 404
+
+ - do:
+ security.delete_role:
+ name: "ingest_role"
+ ignore: 404
+
+---
+"auto_configure privilege permits auto-create of indices":
+ - skip:
+ version: " - 7.99.99"
+ reason: "change to 7.8.99 after backport"
+ features: ["headers", "allowed_warnings"]
+
+ # should succeed because test_user is authorized for auto_configure on index-auto-configure
+ - do:
+ headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
+ index:
+ index: index-auto-configure
+ id: 1
+ op_type: create
+ body: { foo: bar, "@timestamp": "2020-12-12" }
+
+ # should fail because test_user is not authorized for auto_configure on index-limited
+ - do:
+ catch: forbidden
+ headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
+ index:
+ index: index-limited
+ id: 1
+ op_type: create
+ body: { "@timestamp": "2020-12-12" }
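Review bot: The suite proves that `create_doc` without `auto_configure` is rejected for a non-existent index, but not the converse — that `auto_configure` on its own does not let `test_user` write a document. Since `AUTO_CONFIGURE_AUTOMATON` covers only the auto-create and auto-put-mapping action names, a role entry granting just `auto_configure` should still get `forbidden` on an index request, and a third case asserting that pins the privilege's least-privilege boundary rather than leaving it implied. Separately, the `full_name` in setup, `"user with privileges on data streams but not backing indices"`, is carried over from the data-streams test and describes the wrong scenario for this file; `"user with create_doc and auto_configure on some indices"` would be accurate. The positive case auto-creates `index-auto-configure` and teardown deletes only the user and role; presumably the REST test framework wipes indices between tests, but the data-streams test deletes its stream explicitly, so confirm which applies here.
```yaml
# … unchanged: setup role body, with one extra entry in "indices" …
{ "names": ["index-auto-only"], "privileges": ["auto_configure"] }
# … unchanged: existing positive and negative cases …
  # should fail because auto_configure alone grants no document write privilege
  - do:
      catch: forbidden
      headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
      index:
        index: index-auto-only   # constructed name; matches the index* template pattern
        id: 1
        op_type: create
        body: { "@timestamp": "2020-12-12" }
```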