x-pack changes for elasticsearchelastic/elasticsearch#21964
In https://github.com/elastic/elasticsearch/pull/21964, index and delete operations are executed as single item bulk requests internally. This means index and delete operations use the bulk transport endpoints (indices:data/write/bulk[s][p] and indices:data/write/bulk[s][r]). This PR adds bulk transport endpoint to 'write' and 'delete' index privilages and adds index and delete action as composite actions to delay the authentication to the shard level. Original commit: elastic/x-pack-elasticsearch@2305fc9ca0
This commit is contained in:
parent
880808c428
commit
84db1b8731
|
@ -13,7 +13,9 @@ import org.elasticsearch.action.admin.indices.alias.Alias;
|
|||
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
|
||||
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
|
||||
import org.elasticsearch.action.bulk.BulkAction;
|
||||
import org.elasticsearch.action.delete.DeleteAction;
|
||||
import org.elasticsearch.action.get.MultiGetAction;
|
||||
import org.elasticsearch.action.index.IndexAction;
|
||||
import org.elasticsearch.action.search.ClearScrollAction;
|
||||
import org.elasticsearch.action.search.MultiSearchAction;
|
||||
import org.elasticsearch.action.search.SearchScrollAction;
|
||||
|
@ -335,6 +337,8 @@ public class AuthorizationService extends AbstractComponent {
|
|||
|
||||
private static boolean isCompositeAction(String action) {
|
||||
return action.equals(BulkAction.NAME) ||
|
||||
action.equals(IndexAction.NAME) ||
|
||||
action.equals(DeleteAction.NAME) ||
|
||||
action.equals(MultiGetAction.NAME) ||
|
||||
action.equals(MultiTermVectorsAction.NAME) ||
|
||||
action.equals(MultiSearchAction.NAME) ||
|
||||
|
|
|
@ -35,10 +35,11 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
|
|||
|
||||
private static final Automaton ALL_AUTOMATON = patterns("indices:*");
|
||||
private static final Automaton READ_AUTOMATON = patterns("indices:data/read/*");
|
||||
private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", PutMappingAction.NAME);
|
||||
private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", "indices:data/write/bulk*",
|
||||
PutMappingAction.NAME);
|
||||
private static final Automaton INDEX_AUTOMATON =
|
||||
patterns("indices:data/write/index*", "indices:data/write/update*", PutMappingAction.NAME);
|
||||
private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*");
|
||||
patterns("indices:data/write/index*", "indices:data/write/bulk*", "indices:data/write/update*", PutMappingAction.NAME);
|
||||
private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*", "indices:data/write/bulk*");
|
||||
private static final Automaton WRITE_AUTOMATON = patterns("indices:data/write/*", PutMappingAction.NAME);
|
||||
private static final Automaton MONITOR_AUTOMATON = patterns("indices:monitor/*");
|
||||
private static final Automaton MANAGE_AUTOMATON = unionAndDeterminize(MONITOR_AUTOMATON, patterns("indices:admin/*"));
|
||||
|
|
|
@ -38,7 +38,6 @@ import org.elasticsearch.action.admin.indices.upgrade.get.UpgradeStatusAction;
|
|||
import org.elasticsearch.action.admin.indices.upgrade.get.UpgradeStatusRequest;
|
||||
import org.elasticsearch.action.bulk.BulkAction;
|
||||
import org.elasticsearch.action.bulk.BulkRequest;
|
||||
import org.elasticsearch.action.delete.DeleteAction;
|
||||
import org.elasticsearch.action.delete.DeleteRequest;
|
||||
import org.elasticsearch.action.get.GetAction;
|
||||
import org.elasticsearch.action.get.GetRequest;
|
||||
|
@ -535,9 +534,9 @@ public class AuthorizationServiceTests extends ESTestCase {
|
|||
.build());
|
||||
|
||||
List<Tuple<String, TransportRequest>> requests = new ArrayList<>();
|
||||
requests.add(new Tuple<>(DeleteAction.NAME, new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(BulkAction.NAME + "[s]", new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(UpdateAction.NAME, new UpdateRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(IndexAction.NAME, new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(BulkAction.NAME + "[s]", new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(SearchAction.NAME, new SearchRequest(SecurityTemplateService.SECURITY_INDEX_NAME)));
|
||||
requests.add(new Tuple<>(TermVectorsAction.NAME,
|
||||
new TermVectorsRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
|
@ -621,9 +620,10 @@ public class AuthorizationServiceTests extends ESTestCase {
|
|||
|
||||
for (User user : Arrays.asList(XPackUser.INSTANCE, superuser)) {
|
||||
List<Tuple<String, TransportRequest>> requests = new ArrayList<>();
|
||||
requests.add(new Tuple<>(DeleteAction.NAME, new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(BulkAction.NAME + "[s]",
|
||||
new DeleteRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(UpdateAction.NAME, new UpdateRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(IndexAction.NAME, new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(BulkAction.NAME + "[s]", new IndexRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
requests.add(new Tuple<>(SearchAction.NAME, new SearchRequest(SecurityTemplateService.SECURITY_INDEX_NAME)));
|
||||
requests.add(new Tuple<>(TermVectorsAction.NAME,
|
||||
new TermVectorsRequest(SecurityTemplateService.SECURITY_INDEX_NAME, "type", "id")));
|
||||
|
|
|
@ -9,9 +9,7 @@ import org.elasticsearch.ElasticsearchSecurityException;
|
|||
import org.elasticsearch.action.DocWriteRequest;
|
||||
import org.elasticsearch.action.bulk.BulkAction;
|
||||
import org.elasticsearch.action.bulk.BulkResponse;
|
||||
import org.elasticsearch.action.delete.DeleteAction;
|
||||
import org.elasticsearch.action.delete.DeleteRequest;
|
||||
import org.elasticsearch.action.index.IndexAction;
|
||||
import org.elasticsearch.action.index.IndexRequest;
|
||||
import org.elasticsearch.action.update.UpdateAction;
|
||||
import org.elasticsearch.action.update.UpdateRequest;
|
||||
|
@ -47,12 +45,12 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
|||
client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
|
||||
|
||||
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("index1", "type", "id").setSource("field", "value")::get,
|
||||
IndexAction.NAME);
|
||||
BulkAction.NAME + "[s]");
|
||||
|
||||
client().prepareIndex("test4", "type", "id").setSource("field", "value").get();
|
||||
//the missing index gets automatically created (user has permissions for that), but indexing fails due to missing authorization
|
||||
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareIndex("missing", "type", "id").setSource("field", "value")::get,
|
||||
IndexAction.NAME);
|
||||
BulkAction.NAME + "[s]");
|
||||
}
|
||||
|
||||
public void testDelete() {
|
||||
|
@ -60,11 +58,11 @@ public class WriteActionsTests extends SecurityIntegTestCase {
|
|||
client().prepareIndex("test1", "type", "id").setSource("field", "value").get();
|
||||
assertEquals(RestStatus.OK, client().prepareDelete("test1", "type", "id").get().status());
|
||||
|
||||
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, DeleteAction.NAME);
|
||||
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("index1", "type", "id")::get, BulkAction.NAME + "[s]");
|
||||
|
||||
assertEquals(RestStatus.NOT_FOUND, client().prepareDelete("test4", "type", "id").get().status());
|
||||
|
||||
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, DeleteAction.NAME);
|
||||
assertThrowsAuthorizationExceptionDefaultUsers(client().prepareDelete("missing", "type", "id")::get, BulkAction.NAME + "[s]");
|
||||
}
|
||||
|
||||
public void testUpdate() {
|
||||
|
|
|
@ -28,5 +28,6 @@ no_graph_explorer:
|
|||
privileges:
|
||||
- indices:data/read/search
|
||||
- indices:data/write/index
|
||||
- indices:data/write/bulk
|
||||
- indices:admin/refresh
|
||||
- indices:admin/create
|
||||
|
|
Loading…
Reference in New Issue