Allow kibana_system to create and invalidate API keys on behalf of other users
parent
be20bb5755
commit
92acb2859b
|
@ -12,6 +12,7 @@ import org.elasticsearch.common.collect.MapBuilder;
|
|||
import org.elasticsearch.xpack.core.ilm.action.GetLifecycleAction;
|
||||
import org.elasticsearch.xpack.core.ilm.action.PutLifecycleAction;
|
||||
import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
|
||||
import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyAction;
|
||||
import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesAction;
|
||||
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
|
||||
import org.elasticsearch.xpack.core.security.authz.permission.Role;
|
||||
|
@ -113,6 +114,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
|
|||
.put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME,
|
||||
new String[] {
|
||||
"monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token", "manage_oidc",
|
||||
InvalidateApiKeyAction.NAME, "grant_api_key",
|
||||
GetBuiltinPrivilegesAction.NAME, "delegate_pki", GetLifecycleAction.NAME, PutLifecycleAction.NAME,
|
||||
// The symbolic constant for this one is in SecurityActionMapper, so not accessible from X-Pack core
|
||||
"cluster:admin/analyze"
|
||||
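Review bot: Listing `InvalidateApiKeyAction.NAME` as a raw cluster action in the `KibanaUser.ROLE_NAME` descriptor carries no ownership scoping, so as far as these lines show, kibana_system can invalidate any API key in the cluster rather than only the keys it obtained through `grant_api_key`. The hunk counts indicate one added line, presumably the `InvalidateApiKeyAction.NAME, "grant_api_key",` entry. Because this is a reserved role that operators cannot narrow, the breadth should be recorded next to the entry, for example `// Unscoped on purpose: Kibana must be able to invalidate API keys it granted for other users; this permits invalidating any key`. The `RoleDescriptor` constructor call starts and ends outside the hunk, so any index or application privileges that interact with this are not visible here.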
|
|
|
@ -111,6 +111,8 @@ import org.elasticsearch.xpack.core.ml.job.persistence.AnomalyDetectorsIndexFiel
|
|||
import org.elasticsearch.xpack.core.ml.notifications.NotificationsIndex;
|
||||
import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
|
||||
import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
|
||||
import org.elasticsearch.xpack.core.security.action.GrantApiKeyAction;
|
||||
import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyAction;
|
||||
import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesAction;
|
||||
import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesRequest;
|
||||
import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesAction;
|
||||
|
@ -326,6 +328,10 @@ public class ReservedRolesStoreTests extends ESTestCase {
|
|||
assertThat(kibanaRole.cluster().check(InvalidateTokenAction.NAME, request, authentication), is(true));
|
||||
assertThat(kibanaRole.cluster().check(CreateTokenAction.NAME, request, authentication), is(true));
|
||||
|
||||
// API keys
|
||||
assertThat(kibanaRole.cluster().check(InvalidateApiKeyAction.NAME, request, authentication), is(true));
|
||||
assertThat(kibanaRole.cluster().check(GrantApiKeyAction.NAME, request, authentication), is(true));
|
||||
|
||||
// Application Privileges
|
||||
DeletePrivilegesRequest deleteKibanaPrivileges = new DeletePrivilegesRequest("kibana-.kibana", new String[]{ "all", "read" });
|
||||
DeletePrivilegesRequest deleteLogstashPrivileges = new DeletePrivilegesRequest("logstash", new String[]{ "all", "read" });
|
||||
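Review bot: The two assertions under `// API keys` only prove that the new privileges are granted; nothing pins which parts of the API-key surface kibana_system must still be denied. If the role is meant to exclude creating and reading keys, add negative checks such as `assertThat(kibanaRole.cluster().check(CreateApiKeyAction.NAME, request, authentication), is(false));` and the same for `GetApiKeyAction.NAME` (each needs its import), so that a later widening of the role fails this test. `request` and `authentication` are defined outside the hunk, so it is not possible to tell from here whether they model a key owned by a different user, which is the case the commit title describes.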
|
|