security: add delete permissions to kibana_user role
Closes elastic/elasticsearch#2393 Original commit: elastic/x-pack-elasticsearch@4a096befd0
This commit is contained in:
parent
a2f3f304d3
commit
9d1ed22def
|
@ -13,7 +13,7 @@ public class KibanaUserRole extends Role {
|
|||
|
||||
private static final String[] CLUSTER_PRIVILEGES = new String[] { "monitor" };
|
||||
private static final RoleDescriptor.IndicesPrivileges[] INDICES_PRIVILEGES = new RoleDescriptor.IndicesPrivileges[] {
|
||||
RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index").build() };
|
||||
RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete").build() };
|
||||
|
||||
public static final String NAME = "kibana_user";
|
||||
public static final RoleDescriptor DESCRIPTOR = new RoleDescriptor(NAME, CLUSTER_PRIVILEGES, INDICES_PRIVILEGES, null);
|
||||
|
|
|
@ -5,12 +5,15 @@
|
|||
*/
|
||||
package org.elasticsearch.integration;
|
||||
|
||||
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
|
||||
import org.elasticsearch.action.admin.indices.get.GetIndexResponse;
|
||||
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsResponse;
|
||||
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsResponse.FieldMappingMetaData;
|
||||
import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryResponse;
|
||||
import org.elasticsearch.action.delete.DeleteResponse;
|
||||
import org.elasticsearch.action.fieldstats.FieldStats;
|
||||
import org.elasticsearch.action.fieldstats.FieldStatsResponse;
|
||||
import org.elasticsearch.action.index.IndexResponse;
|
||||
import org.elasticsearch.action.search.MultiSearchResponse;
|
||||
import org.elasticsearch.action.search.SearchResponse;
|
||||
import org.elasticsearch.index.query.QueryBuilders;
|
||||
|
@ -162,6 +165,33 @@ public class KibanaUserRoleIntegTests extends ShieldIntegTestCase {
|
|||
assertThat(response.getIndices(), arrayContaining(index));
|
||||
}
|
||||
|
||||
public void testCreateIndexDeleteInKibanaIndex() throws Exception {
|
||||
final String index = randomBoolean()? ".kibana" : ".kibana-" + randomAsciiOfLengthBetween(1, 10);
|
||||
|
||||
if (randomBoolean()) {
|
||||
CreateIndexResponse createIndexResponse = client().filterWithHeader(singletonMap("Authorization",
|
||||
UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
|
||||
.admin().indices().prepareCreate(index).get();
|
||||
assertThat(createIndexResponse.isAcknowledged(), is(true));
|
||||
}
|
||||
|
||||
IndexResponse response = client()
|
||||
.filterWithHeader(singletonMap("Authorization", UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
|
||||
.prepareIndex()
|
||||
.setIndex(index)
|
||||
.setType("dashboard")
|
||||
.setSource("foo", "bar")
|
||||
.setRefresh(true)
|
||||
.get();
|
||||
assertThat(response.isCreated(), is(true));
|
||||
|
||||
DeleteResponse deleteResponse = client()
|
||||
.filterWithHeader(singletonMap("Authorization", UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
|
||||
.prepareDelete(index, "dashboard", response.getId())
|
||||
.get();
|
||||
assertThat(deleteResponse.isFound(), is(true));
|
||||
}
|
||||
|
||||
// TODO: When we have an XPackIntegTestCase, this should test that we can send MonitoringBulkActions
|
||||
|
||||
}
|
||||
|
|
|
@ -60,8 +60,8 @@ public class KibanaUserRoleTests extends ESTestCase {
|
|||
private void testIndexAccess(String index) {
|
||||
assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher("indices:foo").test(index), is(false));
|
||||
assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher("indices:bar").test(index), is(false));
|
||||
assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));
|
||||
|
||||
assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
|
||||
assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
|
||||
assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
|
||||
assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
|
||||
|
|
Loading…
Reference in New Issue