[Backport] Add reserved_ml_user and reserved_ml_admin kibana p… (#54837)

* add reserved_ml_user and reserved_ml_admin kibana privileges

* address feedback, update dataframe roles

* fix checkstyle failure
Larry Gregory 2020-04-07 11:42:11 -04:00 committed by GitHub
parent 9b4ac60b53
commit 8c8baa10f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 13 deletions


@ -178,7 +178,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
}, },
new RoleDescriptor.ApplicationResourcePrivileges[] { new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder() RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("kibana-*").resources("*").privileges("reserved_ml").build() .application("kibana-*").resources("*").privileges("reserved_ml_user").build()
}, },
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
.put("machine_learning_admin", new RoleDescriptor("machine_learning_admin", new String[] { "manage_ml" }, .put("machine_learning_admin", new RoleDescriptor("machine_learning_admin", new String[] { "manage_ml" },
@ -191,7 +191,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
}, },
new RoleDescriptor.ApplicationResourcePrivileges[] { new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder() RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("kibana-*").resources("*").privileges("reserved_ml").build() .application("kibana-*").resources("*").privileges("reserved_ml_admin").build()
}, },
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
// DEPRECATED: to be removed in 9.0.0 // DEPRECATED: to be removed in 9.0.0
@ -206,7 +206,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
}, },
new RoleDescriptor.ApplicationResourcePrivileges[] { new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder() RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("kibana-*").resources("*").privileges("reserved_ml").build() .application("kibana-*").resources("*").privileges("reserved_ml_user").build()
}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
// DEPRECATED: to be removed in 9.0.0 // DEPRECATED: to be removed in 9.0.0
.put("data_frame_transforms_user", new RoleDescriptor("data_frame_transforms_user", .put("data_frame_transforms_user", new RoleDescriptor("data_frame_transforms_user",
@ -220,7 +220,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
}, },
new RoleDescriptor.ApplicationResourcePrivileges[] { new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder() RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("kibana-*").resources("*").privileges("reserved_ml").build() .application("kibana-*").resources("*").privileges("reserved_ml_user").build()
}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
.put("transform_admin", new RoleDescriptor("transform_admin", .put("transform_admin", new RoleDescriptor("transform_admin",
new String[] { "manage_transform" }, new String[] { "manage_transform" },
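Review bot: None of the four replaced `.privileges(...)` lines says why its tier was chosen, and the third hunk (-206) is the one a later reader is most likely to "correct": going by the test file it appears to be the deprecated data_frame_transforms_admin entry, yet it is mapped to `reserved_ml_user`, not `reserved_ml_admin`. A one-line comment above that builder would record the intent, for example `// intentionally reserved_ml_user: of the roles here only machine_learning_admin is granted reserved_ml_admin`. The old `reserved_ml` name is dropped from all four roles with no fallback, so these roles presumably stop granting Kibana ML access against a Kibana that registers only the old privilege; the commit message or a comment should state which Kibana version this backport must be paired with. The role map these entries belong to starts and ends outside the hunks shown.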


@ -1168,13 +1168,13 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false));
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_admin"), "*"), is(true));
final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false));
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_admin"), "*"), is(false));
} }
public void testMachineLearningUserRole() { public void testMachineLearningUserRole() {
@ -1256,13 +1256,13 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false));
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true));
final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false));
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false));
} }
public void testTransformAdminRole() { public void testTransformAdminRole() {
@ -1304,8 +1304,8 @@ public class ReservedRolesStoreTests extends ESTestCase {
new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false));
if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { if (roleDescriptor.getName().equals("data_frame_transforms_admin")) {
assertThat(role.application() assertThat(role.application().grants(
.grants(new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true));
} }
final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
@ -1313,7 +1313,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false));
if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { if (roleDescriptor.getName().equals("data_frame_transforms_admin")) {
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false));
} }
} }
} }
@ -1358,7 +1358,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
if (roleDescriptor.getName().equals("data_frame_transforms_user")) { if (roleDescriptor.getName().equals("data_frame_transforms_user")) {
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true));
} }
final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
@ -1366,7 +1366,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false));
if (roleDescriptor.getName().equals("data_frame_transforms_user")) { if (roleDescriptor.getName().equals("data_frame_transforms_user")) {
assertThat(role.application().grants( assertThat(role.application().grants(
new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false));
} }
} }
} }
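Review bot: The updated assertions only check that each role grants its own new privilege; nothing asserts that a user-tier role is denied the admin-tier one, which is the property the user/admin split is there to enforce. In the testMachineLearningUserRole hunk (-1256) and in the data_frame_transforms_admin and data_frame_transforms_user branches (-1304, -1358), add a negative check such as `assertThat(role.application().grants(new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_admin"), "*"), is(false));`. A matching `is(false)` for the retired `reserved_ml` name should also hold and would pin that no role still carries it. The test methods begin outside the hunks shown, so such checks may already exist in the unchanged parts.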