From 92acb2859b2ec36019fb24a46537d57b78c9cb60 Mon Sep 17 00:00:00 2001
From: Peter Schretlen
Date: Tue, 24 Mar 2020 08:38:12 -0400
Subject: [PATCH] Allow kibana_system to create and invalidate API keys on behalf of other users

---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 2 ++
 .../core/security/authz/store/ReservedRolesStoreTests.java | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index f2413ea93d5..0de81ccf150 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -12,6 +12,7 @@ import org.elasticsearch.common.collect.MapBuilder;
 import org.elasticsearch.xpack.core.ilm.action.GetLifecycleAction;
 import org.elasticsearch.xpack.core.ilm.action.PutLifecycleAction;
 import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
+import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesAction;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
@@ -113,6 +114,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
                 .put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME,
                         new String[] {
                             "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token", "manage_oidc",
+                            InvalidateApiKeyAction.NAME, "grant_api_key",
                             GetBuiltinPrivilegesAction.NAME, "delegate_pki", GetLifecycleAction.NAME, PutLifecycleAction.NAME,
                             // The symbolic constant for this one is in SecurityActionMapper, so not accessible from X-Pack core
                             "cluster:admin/analyze"
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 0f933dab443..d2cdabd3eb2 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -111,6 +111,8 @@ import org.elasticsearch.xpack.core.ml.job.persistence.AnomalyDetectorsIndexFiel
 import org.elasticsearch.xpack.core.ml.notifications.NotificationsIndex;
 import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
 import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
+import org.elasticsearch.xpack.core.security.action.GrantApiKeyAction;
+import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesAction;
 import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesRequest;
 import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesAction;
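Review bot: The added line grants kibana_system the raw `InvalidateApiKeyAction.NAME` cluster action, and nothing in this hunk narrows it to keys that Kibana itself granted, so unless that action is owner-scoped elsewhere the role can now invalidate any API key on the cluster, which is wider than the "on behalf of other users" wording in the subject suggests. That widening deserves a line comment next to the entry so the next maintainer does not mistake it for a self-scoped privilege, e.g. `// API keys: grant on behalf of end users; invalidate is cluster-wide, not limited to keys Kibana issued`. It is also worth noting why the pair is split between an action-name constant and the privilege literal `"grant_api_key"` (the existing `// The symbolic constant ...` comment shows the file's way of explaining such choices). The RoleDescriptor entry for KibanaUser continues outside the hunk.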
@@ -326,6 +328,10 @@ public class ReservedRolesStoreTests extends ESTestCase {
         assertThat(kibanaRole.cluster().check(InvalidateTokenAction.NAME, request, authentication), is(true));
         assertThat(kibanaRole.cluster().check(CreateTokenAction.NAME, request, authentication), is(true));
 
+        // API keys
+        assertThat(kibanaRole.cluster().check(InvalidateApiKeyAction.NAME, request, authentication), is(true));
+        assertThat(kibanaRole.cluster().check(GrantApiKeyAction.NAME, request, authentication), is(true));
+
         // Application Privileges
         DeletePrivilegesRequest deleteKibanaPrivileges = new DeletePrivilegesRequest("kibana-.kibana", new String[]{ "all", "read" });
         DeletePrivilegesRequest deleteLogstashPrivileges = new DeletePrivilegesRequest("logstash", new String[]{ "all", "read" });
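Review bot: The two new assertions only pin what is newly allowed; they do not pin the boundary of the grant, so a later widening of the role (for example to direct API-key creation for kibana_system itself, if `grant_api_key` rather than a broader API-key privilege was chosen deliberately) would pass this test unchanged. A companion `is(false)` check on whichever API-key action the role is meant to remain without would document that intent in the test, and the `// API keys` comment could say that these are keys granted on behalf of end users rather than Kibana's own. The `request` and `authentication` values come from before the hunk, and the test method starts and ends outside it.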