[ML] When putting a datafeed use runas user for index privilege check (elastic/x-pack-elasticsearch#1245)
When a user creates a datafeed, as well as checking they have permission to create a datafeed we also check that they have permission to search the indices they've configured the datafeed to search. Previously this second check was erroneously done for the user who issued the put_datafeed request, whereas it should be done as the runas user for that request. Original commit: elastic/x-pack-elasticsearch@4c35204c66
parent
e61224778f
commit
892d803a6a
@ -28,7 +28,6 @@ import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.io.stream.StreamInput;
|
||||
import org.elasticsearch.common.io.stream.StreamOutput;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.common.xcontent.ToXContent;
|
||||
import org.elasticsearch.common.xcontent.ToXContentObject;
|
||||
import org.elasticsearch.common.xcontent.XContentBuilder;
|
||||
@ -43,10 +42,10 @@ import org.elasticsearch.xpack.XPackPlugin;
|
||||
import org.elasticsearch.xpack.XPackSettings;
|
||||
import org.elasticsearch.xpack.ml.MlMetadata;
|
||||
import org.elasticsearch.xpack.ml.datafeed.DatafeedConfig;
|
||||
import org.elasticsearch.xpack.security.SecurityContext;
|
||||
import org.elasticsearch.xpack.security.action.user.HasPrivilegesAction;
|
||||
import org.elasticsearch.xpack.security.action.user.HasPrivilegesRequest;
|
||||
import org.elasticsearch.xpack.security.action.user.HasPrivilegesResponse;
|
||||
import org.elasticsearch.xpack.security.authc.Authentication;
|
||||
import org.elasticsearch.xpack.security.authz.RoleDescriptor;
|
||||
import org.elasticsearch.xpack.security.support.Exceptions;
|
||||
|
||||
@ -223,14 +222,13 @@ public class PutDatafeedAction extends Action<PutDatafeedAction.Request, PutData
|
||||
// If security is enabled only create the datafeed if the user requesting creation has
|
||||
// permission to read the indices the datafeed is going to read from
|
||||
if (securityEnabled) {
|
||||
String username = new SecurityContext(settings,
|
||||
threadPool.getThreadContext()).getUser().principal();
|
||||
final String runAsUser = Authentication.getAuthentication(threadPool.getThreadContext()).getRunAsUser().principal();
|
||||
ActionListener<HasPrivilegesResponse> privResponseListener = ActionListener.wrap(
|
||||
r -> handlePrivsResponse(username, request, r, listener),
|
||||
r -> handlePrivsResponse(runAsUser, request, r, listener),
|
||||
listener::onFailure);
|
||||
|
||||
HasPrivilegesRequest privRequest = new HasPrivilegesRequest();
|
||||
privRequest.username(username);
|
||||
privRequest.username(runAsUser);
|
||||
privRequest.clusterPrivileges(Strings.EMPTY_ARRAY);
|
||||
// We just check for permission to use the search action. In reality we'll also
|
||||
// use the scroll action, but that's considered an implementation detail.
|
||||
|
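Review bot: The comment above `if (securityEnabled)` still says the index check is for "the user requesting creation", but the new code checks the principal from `getRunAsUser()`; it should name the effective user, e.g. `// If security is enabled only create the datafeed if the effective (run-as) user has` / `// permission to read the indices the datafeed is going to read from`. The new chain `Authentication.getAuthentication(threadPool.getThreadContext()).getRunAsUser().principal()` also dereferences two results without a check. Neither method's contract is visible here, so please confirm that `getAuthentication` cannot return null on this path and that `getRunAsUser()` falls back to the authenticated user when the request has no run-as header; otherwise an ordinary request would fail with a NullPointerException instead of a clean authorization decision. No test appears on this page for a request whose authenticated user and run-as user have different index privileges, which is the case this fix is about. The enclosing method begins and ends outside the hunk.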