From 84db1b8731f79099dd6c04e8a50b4d780db11866 Mon Sep 17 00:00:00 2001
From: Areek Zillur
Date: Thu, 22 Dec 2016 02:23:38 -0500
Subject: [PATCH] x-pack changes for elasticsearchelastic/elasticsearch#21964

In https://github.com/elastic/elasticsearch/pull/21964, index and delete operations are executed as single item bulk requests internally. This means index and delete operations use the bulk transport endpoints (indices:data/write/bulk[s][p] and indices:data/write/bulk[s][r]). This PR adds bulk transport endpoint to 'write' and 'delete' index privilages and adds index and delete action as composite actions to delay the authentication to the shard level.

Original commit: elastic/x-pack-elasticsearch@2305fc9ca043abf52402f8ebdbd23c7e54549fab
---
 .../xpack/security/authz/AuthorizationService.java | 4 ++++
 .../xpack/security/authz/privilege/IndexPrivilege.java | 7 ++++---
 .../security/authz/AuthorizationServiceTests.java | 10 +++++-----
 .../xpack/security/authz/WriteActionsTests.java | 10 ++++------
 qa/smoke-test-graph-with-security/roles.yml | 3 ++-
 5 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
index bff2c1e9369..2abf304213c 100644
--- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
+++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -13,7 +13,9 @@ import org.elasticsearch.action.admin.indices.alias.Alias;
 import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
 import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
 import org.elasticsearch.action.bulk.BulkAction;
+import org.elasticsearch.action.delete.DeleteAction;
 import org.elasticsearch.action.get.MultiGetAction;
+import org.elasticsearch.action.index.IndexAction;
 import org.elasticsearch.action.search.ClearScrollAction;
 import org.elasticsearch.action.search.MultiSearchAction;
 import org.elasticsearch.action.search.SearchScrollAction;
@@ -335,6 +337,8 @@ public class AuthorizationService extends AbstractComponent {
     private static boolean isCompositeAction(String action) {
         return action.equals(BulkAction.NAME) ||
+                action.equals(IndexAction.NAME) ||
+                action.equals(DeleteAction.NAME) ||
                 action.equals(MultiGetAction.NAME) ||
                 action.equals(MultiTermVectorsAction.NAME) ||
                 action.equals(MultiSearchAction.NAME) ||
diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java
index 6bf2a392ab7..cb0ecda9830 100644
--- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java
+++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java
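Review bot: Adding `IndexAction.NAME` and `DeleteAction.NAME` to isCompositeAction means a single-document index or delete request gets no index-level authorization at the transport action it was sent to; the only check left is the later `indices:data/write/bulk[s]` one at the shard level, and nothing in the method records why skipping the top-level check is safe. A short comment on the two added lines would save the next reader from re-deriving this, e.g. `// since elastic/elasticsearch#21964 index and delete execute as single-item bulk requests; they are authorized as bulk[s] at the shard level`. The method's body continues past the end of the hunk, so the remaining composite actions are not visible here. As the list keeps growing, a `static final Set<String>` of composite action names would read better than the `||` chain, though that is a style preference.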
@@ -35,10 +35,11 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege {
     private static final Automaton ALL_AUTOMATON = patterns("indices:*");
     private static final Automaton READ_AUTOMATON = patterns("indices:data/read/*");
-    private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", PutMappingAction.NAME);
+    private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", "indices:data/write/bulk*",
+            PutMappingAction.NAME);
     private static final Automaton INDEX_AUTOMATON =
-            patterns("indices:data/write/index*", "indices:data/write/update*", PutMappingAction.NAME);
-    private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*");
+            patterns("indices:data/write/index*", "indices:data/write/bulk*", "indices:data/write/update*", PutMappingAction.NAME);
+    private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*", "indices:data/write/bulk*");
     private static final Automaton WRITE_AUTOMATON = patterns("indices:data/write/*", PutMappingAction.NAME);
     private static final Automaton MONITOR_AUTOMATON = patterns("indices:monitor/*");
     private static final Automaton MANAGE_AUTOMATON = unionAndDeterminize(MONITOR_AUTOMATON, patterns("indices:admin/*"));
diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
index d8b96b28efd..867ee1609a8 100644
--- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
+++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
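Review bot: Adding `indices:data/write/bulk*` to DELETE_AUTOMATON and CREATE_AUTOMATON widens those privileges beyond what their names promise: a role holding only `delete` now satisfies the `bulk[s]` shard action, and a bulk shard request can carry index and update items next to delete items. Unless the `bulk[s]` authorization path checks each item's operation type against the role (that code is not in this diff), a `delete`-only or `create`-only user could perform the other write operations by sending them through the bulk API, which is a privilege boundary the previous automata enforced. A test with a `delete`-only role issuing a bulk request that contains an index item would settle whether that per-item check exists. The reason for the widening also deserves a comment on the constants, e.g. `// bulk* is required because single index/delete requests now execute as bulk[s] shard requests (elastic/elasticsearch#21964)`.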
@@ -38,7 +38,6 @@ import org.elasticsearch.action.admin.indices.upgrade.get.UpgradeStatusAction;
 import org.elasticsearch.action.admin.indices.upgrade.get.UpgradeStatusRequest;
 import org.elasticsearch.action.bulk.BulkAction;
 import org.elasticsearch.action.bulk.BulkRequest;
-import org.elasticsearch.action.delete.DeleteAction;
 import org.elasticsearch.action.delete.DeleteRequest;
 import org.elasticsearch.action.get.GetAction;
 import org.elasticsearch.action.get.GetRequest;
@@ -535,9 +534,9 @@ public class AuthorizationServiceTests extends ESTestCase {
                 .build());
         List> requests = new ArrayList<>();
-        requests.add(new Tuple<>(DeleteAction.NAME, new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
+        requests.add(new Tuple<>(BulkAction.NAME + "[s]", new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
         requests.add(new Tuple<>(UpdateAction.NAME, new UpdateRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
-        requests.add(new Tuple<>(IndexAction.NAME, new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
+        requests.add(new Tuple<>(BulkAction.NAME + "[s]", new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
         requests.add(new Tuple<>(SearchAction.NAME, new SearchRequest(SecurityTemplateService.SECURITY_INDEX_NAME)));
         requests.add(new Tuple<>(TermVectorsAction.NAME, new TermVectorsRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
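Review bot: The shard action name is hand-built as `BulkAction.NAME + "[s]"` in the -535 hunk, again in the -621 hunk, and twice more in each of the WriteActionsTests hunks (-47 and -60); if the core ever renames the shard-level suffix these tests keep passing on a stale string while production sends a different action. Declare it once, e.g. `private static final String BULK_SHARD_ACTION = BulkAction.NAME + "[s]";` in the test class (or reuse the constant from core's shard bulk transport action if that version exposes one), and use it in all four hunks. Also note that the entries pair the shard action with a `DeleteRequest`/`IndexRequest`, whereas at the shard level the request is a bulk shard request, so the security-index guard is exercised with a request shape it does not see in production; whether the guard's matching depends on request type cannot be seen from this hunk. The enclosing test methods start before and continue after the hunks.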
@@ -621,9 +620,10 @@ public class AuthorizationServiceTests extends ESTestCase {
         for (User user : Arrays.asList(XPackUser.INSTANCE, superuser)) {
             List> requests = new ArrayList<>();
-            requests.add(new Tuple<>(DeleteAction.NAME, new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
+            requests.add(new Tuple<>(BulkAction.NAME + "[s]",
+                    new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
             requests.add(new Tuple<>(UpdateAction.NAME, new UpdateRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
-            requests.add(new Tuple<>(IndexAction.NAME, new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
+            requests.add(new Tuple<>(BulkAction.NAME + "[s]", new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
             requests.add(new Tuple<>(SearchAction.NAME, new SearchRequest(SecurityTemplateService.SECURITY_INDEX_NAME)));
             requests.add(new Tuple<>(TermVectorsAction.NAME, new TermVectorsRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java
index a30e5be7f9b..d10d86ec72f 100644
--- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java
+++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/WriteActionsTests.java
@@ -9,9 +9,7 @@ import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.DocWriteRequest;
 import org.elasticsearch.action.bulk.BulkAction;
 import org.elasticsearch.action.bulk.BulkResponse;
-import org.elasticsearch.action.delete.DeleteAction;
 import org.elasticsearch.action.delete.DeleteRequest;
-import org.elasticsearch.action.index.IndexAction;
 import org.elasticsearch.action.index.IndexRequest;
 import org.elasticsearch.action.update.UpdateAction;
 import org.elasticsearch.action.update.UpdateRequest;
@@ -47,12 +45,12 @@ public class WriteActionsTests extends SecurityIntegTestCase {
         client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
         assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("index1", "type", "id").setSource("field", "value")::get,
-                IndexAction.NAME);
+                BulkAction.NAME + "[s]");
         client().prepareIndex("test4", "type", "id").setSource("field", "value").get();
         //the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
         assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("missing", "type", "id").setSource("field", "value")::get,
-                IndexAction.NAME);
+                BulkAction.NAME + "[s]");
     }

     public void testDelete() {
@@ -60,11 +58,11 @@ public class WriteActionsTests extends SecurityIntegTestCase {
         client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
         assertEquals(RestStatus.OK, client().prepareDelete("test1", "type", "id").get().status());
-        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, DeleteAction.NAME);
+        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, BulkAction.NAME + "[s]");
         assertEquals(RestStatus.NOT_FOUND, client().prepareDelete("test4", "type", "id").get().status());
-        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, DeleteAction.NAME);
+        assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, BulkAction.NAME + "[s]");
     }

     public void testUpdate() {
diff --git a/qa/smoke-test-graph-with-security/roles.yml b/qa/smoke-test-graph-with-security/roles.yml
index cce1a736441..5551ce4e0bb 100644
--- a/qa/smoke-test-graph-with-security/roles.yml
+++ b/qa/smoke-test-graph-with-security/roles.yml
@@ -17,7 +17,7 @@ graph_explorer:
       - write
       - indices:admin/refresh
       - indices:admin/create
- 
+
 no_graph_explorer:
   cluster:
@@ -28,5 +28,6 @@ no_graph_explorer:
     privileges:
       - indices:data/read/search
       - indices:data/write/index
+      - indices:data/write/bulk
       - indices:admin/refresh
       - indices:admin/create
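Review bot: The added `indices:data/write/bulk` entry on no_graph_explorer shows that a role granting the raw action name `indices:data/write/index` (rather than the named `index` or `write` privilege) no longer authorizes a single-document index request, because that request now appears to be checked only as `indices:data/write/bulk[s]` at the shard level. Any user-managed role built from raw action names has the same gap after upgrade and will start failing with authorization errors on plain index and delete calls, and the commit carries no release or migration note for this. Stating it in the PR description or the security docs, with the `indices:data/write/bulk` addition shown here as the remedy, would let administrators update roles before upgrading; the same applies to roles that list `indices:data/write/delete`.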