x-pack changes for elasticsearchelastic/elasticsearch#21964

In https://github.com/elastic/elasticsearch/pull/21964, index and delete operations are executed as single item bulk requests internally. This means index and delete operations use the bulk transport endpoints (indices:data/write/bulk[s][p] and indices:data/write/bulk[s][r]). This PR adds bulk transport endpoint to 'write' and 'delete' index privilages and adds index and delete action as composite actions to delay the authentication to the shard level. Original commit: elastic/x-pack-elasticsearch@2305fc9ca0
2016-12-22 02:23:38 -05:00 · 2016-12-22 02:23:38 -05:00 · 84db1b8731
parent 880808c428
commit 84db1b8731
5 changed files with 19 additions and 15 deletions
--- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
+++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@ -13,7 +13,9 @@ import org.elasticsearch.action.admin.indices.alias.Alias;
 import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
 import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
 import org.elasticsearch.action.bulk.BulkAction;
+import org.elasticsearch.action.delete.DeleteAction;
 import org.elasticsearch.action.get.MultiGetAction;
+import org.elasticsearch.action.index.IndexAction;
 import org.elasticsearch.action.search.ClearScrollAction;
 import org.elasticsearch.action.search.MultiSearchAction;
 import org.elasticsearch.action.search.SearchScrollAction;
@ -335,6 +337,8 @@ public class AuthorizationService extends AbstractComponent {

    private static boolean isCompositeAction(String action) {
        return action.equals(BulkAction.NAME) ||
+                action.equals(IndexAction.NAME) ||
+                action.equals(DeleteAction.NAME) ||
                action.equals(MultiGetAction.NAME) ||
                action.equals(MultiTermVectorsAction.NAME) ||
                action.equals(MultiSearchAction.NAME) ||
--- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java
+++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java
@ -35,10 +35,11 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {

    private static final Automaton ALL_AUTOMATON = patterns("indices:*");
    private static final Automaton READ_AUTOMATON = patterns("indices:data/read/*");
-    private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", PutMappingAction.NAME);
+    private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", "indices:data/write/bulk*",
+            PutMappingAction.NAME);
    private static final Automaton INDEX_AUTOMATON =
-            patterns("indices:data/write/index*", "indices:data/write/update*", PutMappingAction.NAME);
-    private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*");
+            patterns("indices:data/write/index*", "indices:data/write/bulk*", "indices:data/write/update*", PutMappingAction.NAME);
+    private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*", "indices:data/write/bulk*");
    private static final Automaton WRITE_AUTOMATON = patterns("indices:data/write/*", PutMappingAction.NAME);
    private static final Automaton MONITOR_AUTOMATON = patterns("indices:monitor/*");
    private static final Automaton MANAGE_AUTOMATON = unionAndDeterminize(MONITOR_AUTOMATON, patterns("indices:admin/*"));
--- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
+++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@ -38,7 +38,6 @@ import org.elasticsearch.action.admin.indices.upgrade.get.UpgradeStatusAction;
 import org.elasticsearch.action.admin.indices.upgrade.get.UpgradeStatusRequest;
 import org.elasticsearch.action.bulk.BulkAction;
 import org.elasticsearch.action.bulk.BulkRequest;
-import org.elasticsearch.action.delete.DeleteAction;
 import org.elasticsearch.action.delete.DeleteRequest;
 import org.elasticsearch.action.get.GetAction;
 import org.elasticsearch.action.get.GetRequest;
@ -535,9 +534,9 @@ public class AuthorizationServiceTests extends ESTestCase {
                .build());

        List<Tuple<String, TransportRequest>> requests = new ArrayList<>();
-        requests.add(new Tuple<>(DeleteAction.NAME, new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
+        requests.add(new Tuple<>(BulkAction.NAME + "[s]", new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
        requests.add(new Tuple<>(UpdateAction.NAME, new UpdateRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
-        requests.add(new Tuple<>(IndexAction.NAME, new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
+        requests.add(new Tuple<>(BulkAction.NAME + "[s]", new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
        requests.add(new Tuple<>(SearchAction.NAME, new SearchRequest(SecurityTemplateService.SECURITY_INDEX_NAME)));
        requests.add(new Tuple<>(TermVectorsAction.NAME,
                new TermVectorsRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
@ -621,9 +620,10 @@ public class AuthorizationServiceTests extends ESTestCase {

        for (User user : Arrays.asList(XPackUser.INSTANCE, superuser)) {
            List<Tuple<String, TransportRequest>> requests = new ArrayList<>();
-            requests.add(new Tuple<>(DeleteAction.NAME, new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
+            requests.add(new Tuple<>(BulkAction.NAME + "[s]",
+                    new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
            requests.add(new Tuple<>(UpdateAction.NAME, new UpdateRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
-            requests.add(new Tuple<>(IndexAction.NAME, new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
+            requests.add(new Tuple<>(BulkAction.NAME + "[s]", new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
            requests.add(new Tuple<>(SearchAction.NAME, new SearchRequest(SecurityTemplateService.SECURITY_INDEX_NAME)));
            requests.add(new Tuple<>(TermVectorsAction.NAME,
                    new TermVectorsRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
--- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java
+++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java
@ -9,9 +9,7 @@ import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.DocWriteRequest;
 import org.elasticsearch.action.bulk.BulkAction;
 import org.elasticsearch.action.bulk.BulkResponse;
-import org.elasticsearch.action.delete.DeleteAction;
 import org.elasticsearch.action.delete.DeleteRequest;
-import org.elasticsearch.action.index.IndexAction;
 import org.elasticsearch.action.index.IndexRequest;
 import org.elasticsearch.action.update.UpdateAction;
 import org.elasticsearch.action.update.UpdateRequest;
@ -47,12 +45,12 @@ public class WriteActionsTests extends SecurityIntegTestCase {
        client().prepareIndex("test1", "type", "id").setSource("field", "value").get();

        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("index1", "type", "id").setSource("field", "value")::get,
-                IndexAction.NAME);
+                BulkAction.NAME + "[s]");

        client().prepareIndex("test4", "type", "id").setSource("field", "value").get();
        //the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("missing", "type", "id").setSource("field", "value")::get,
-                IndexAction.NAME);
+                BulkAction.NAME + "[s]");
    }

    public void testDelete() {
@ -60,11 +58,11 @@ public class WriteActionsTests extends SecurityIntegTestCase {
        client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
        assertEquals(RestStatus.OK, client().prepareDelete("test1", "type", "id").get().status());

-        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, DeleteAction.NAME);
+        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, BulkAction.NAME + "[s]");

        assertEquals(RestStatus.NOT_FOUND, client().prepareDelete("test4", "type", "id").get().status());

-        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, DeleteAction.NAME);
+        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, BulkAction.NAME + "[s]");
    }

    public void testUpdate() {
--- a/qa/smoke-test-graph-with-security/roles.yml
+++ b/qa/smoke-test-graph-with-security/roles.yml
@ -17,7 +17,7 @@ graph_explorer:
        - write
        - indices:admin/refresh
        - indices:admin/create
-    
+

 no_graph_explorer:
  cluster:
@ -28,5 +28,6 @@ no_graph_explorer:
      privileges:
        - indices:data/read/search
        - indices:data/write/index
+        - indices:data/write/bulk
        - indices:admin/refresh
        - indices:admin/create