From 8c8baa10f4ea8d1b891ebe60588a239cfd0fe99a Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Tue, 7 Apr 2020 11:42:11 -0400 Subject: [PATCH] =?UTF-8?q?[Backport]=20Add=20reserved=5Fml=5Fuser=20and?= =?UTF-8?q?=20reserved=5Fml=5Fadmin=20kibana=20p=E2=80=A6=20(#54837)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add reserved_ml_user and reserved_ml_admin kibana privileges * address feedback, update dataframe roles * fix checkstyle failure --- .../authz/store/ReservedRolesStore.java | 8 ++++---- .../authz/store/ReservedRolesStoreTests.java | 18 +++++++++--------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index da45dd96dea..f886bd1a206 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -178,7 +178,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*").resources("*").privileges("reserved_ml").build() + .application("kibana-*").resources("*").privileges("reserved_ml_user").build() }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) .put("machine_learning_admin", new RoleDescriptor("machine_learning_admin", new String[] { "manage_ml" }, 
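Review bot: The new privilege name in the hunk at 178 (apparently the `machine_learning_user` descriptor, whose `.put(...)` line is outside the hunk) is a bare string literal with nothing tying it to the Kibana side; the hunks at 191, 206 and 220 are the same. These names presumably only mean something once Kibana registers application privileges called `reserved_ml_user` and `reserved_ml_admin`. A typo, or a Kibana that still registers only `reserved_ml`, would then most likely leave the role without ML access in Kibana rather than raise an error, which should be confirmed for this backport branch. I would add a comment above each builder such as `// name must match the reserved ML privilege that Kibana registers`, and state the required Kibana version in the commit description.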
@@ -191,7 +191,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*").resources("*").privileges("reserved_ml").build() + .application("kibana-*").resources("*").privileges("reserved_ml_admin").build() }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) // DEPRECATED: to be removed in 9.0.0 @@ -206,7 +206,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*").resources("*").privileges("reserved_ml").build() + .application("kibana-*").resources("*").privileges("reserved_ml_user").build() }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) // DEPRECATED: to be removed in 9.0.0 .put("data_frame_transforms_user", new RoleDescriptor("data_frame_transforms_user", @@ -220,7 +220,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*").resources("*").privileges("reserved_ml").build() + .application("kibana-*").resources("*").privileges("reserved_ml_user").build() }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) .put("transform_admin", new RoleDescriptor("transform_admin", new String[] { "manage_transform" }, diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 1eec8349b88..803bc234b5a 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java 
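Review bot: In the hunk at 206 the descriptor that, judging by the tests in this patch, is the deprecated `data_frame_transforms_admin` role receives `reserved_ml_user` rather than `reserved_ml_admin`, and nothing in the code records that this is deliberate. Giving an admin-named role the user-level Kibana privilege is the least-privilege direction, but a later reader could take it for an oversight and widen it. A comment above the builder would settle it, for example `// deliberately reserved_ml_user, not reserved_ml_admin: <reason>`. The role's `.put(...)` line is outside the hunk, so the role name here is inferred from the surrounding context.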
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -1168,13 +1168,13 @@ public class ReservedRolesStoreTests extends ESTestCase { assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_admin"), "*"), is(true)); final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); assertThat(role.application().grants( new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_admin"), "*"), is(false)); } public void testMachineLearningUserRole() { 
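Review bot: The updated assertions in the hunk at 1168 only check that the role is granted its own new privilege on `kibana-*` and denied it on `logstash-*`; nothing pins the user/admin separation this commit introduces. In the hunk at 1256 (presumably `testMachineLearningUserRole`) I would add `assertThat(role.application().grants(new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_admin"), "*"), is(false));`, so that handing the admin privilege to the user role fails the test. A matching `is(false)` check for the old `reserved_ml` name in both tests would show that the legacy privilege is no longer granted. The first argument `"app-reserved_ml"` was left unchanged in every test hunk and could be renamed to match the privilege under test. Both test methods start outside their hunks.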
@@ -1256,13 +1256,13 @@ public class ReservedRolesStoreTests extends ESTestCase { assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true)); final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); assertThat(role.application().grants( new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false)); } public void testTransformAdminRole() { @@ -1304,8 +1304,8 @@ public class ReservedRolesStoreTests extends ESTestCase { new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { - assertThat(role.application() - .grants(new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + assertThat(role.application().grants( + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true)); } final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); 
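Review bot: The `reserved_ml_user` assertion in the hunk at 1304 sits inside `if (roleDescriptor.getName().equals("data_frame_transforms_admin"))` with no `else`, so nothing is asserted about Kibana ML privileges for the other role this test covers. The hunks at 1313, 1358 and 1366 have the same shape. If the non-deprecated transform roles are meant to carry no Kibana ML privilege, which the conditional suggests but the visible lines do not show, an `else` branch would catch an accidental grant: `} else { assertThat(role.application().grants(new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(false)); }`. The enclosing loop and test method start outside the hunk.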
@@ -1313,7 +1313,7 @@ public class ReservedRolesStoreTests extends ESTestCase { new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { assertThat(role.application().grants( - new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false)); } } } @@ -1358,7 +1358,7 @@ public class ReservedRolesStoreTests extends ESTestCase { if (roleDescriptor.getName().equals("data_frame_transforms_user")) { assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true)); } final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); @@ -1366,7 +1366,7 @@ public class ReservedRolesStoreTests extends ESTestCase { new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); if (roleDescriptor.getName().equals("data_frame_transforms_user")) { assertThat(role.application().grants( - new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false)); } } }