Added cluster & indices monitoring privileges to System

This is required for marvel agent to collect its data.

Closes elastic/elasticsearch#137

Original commit: elastic/x-pack-elasticsearch@c1ed58aafb
uboness 2014-10-21 18:55:22 +02:00
parent b7dac66c8a
commit a287863ab0
5 changed files with 47 additions and 1 deletions


@ -59,6 +59,7 @@ public class SecurityFilter extends AbstractComponent {
AuthenticationToken token = authcService.token(action, request, defaultToken);
User user = authcService.authenticate(action, request, token);
authzService.authorize(user, action, request);
return user;
}


@ -62,6 +62,11 @@ public class InternalAuthenticationService extends AbstractComponent implements
for (Realm realm : realms) {
token = realm.token(message);
if (token != null) {
if (logger.isTraceEnabled()) {
logger.trace("Realm [{}] resolved auth token [{}] from transport request with action [{}]", realm.type(), token.principal(), action);
}
message.putInContext(TOKEN_CTX_KEY, token);
return token;
}
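Review bot: The trace statement in this loop logs `token.principal()` when the token has only been extracted from the request and not yet authenticated, so the value is caller-controlled (the statement appears to be among the lines this hunk adds). Unless the logging layer already neutralises control characters, a principal containing line breaks could forge log entries, and principals from failed attempts end up in trace logs looking like resolved identities. I would strip CR/LF from the principal before logging and add a comment above the call such as `// principal is unauthenticated input here; this line is not evidence of a successful login`. The enclosing method starts and ends outside the hunk.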


@ -76,7 +76,9 @@ public abstract class Privilege<P extends Privilege<P>> {
public static class System extends Privilege<System> {
protected static final Predicate<String> PREDICATE = new AutomatonPredicate(patterns(
"internal:*"
"internal:*",
"indices:monitor/*", // added for marvel
"cluster:monitor/*" // added for marvel
));
private System() {
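Review bot: The new patterns `"indices:monitor/*"` and `"cluster:monitor/*"` give the System privilege every monitoring action on every index, which is broader than the inline comment `// added for marvel` explains. The system identity is presumably the one internal node requests run as, so anything attributed to it can now read cluster and index monitoring data; it is worth confirming that no externally reachable request can fall back to that identity (the `defaultToken` argument passed in SecurityFilter is the place to check). If the agent's actions can be enumerated, list them instead of the wildcards, or give the agent its own role rather than widening System. At minimum, expand the comment to something like `// marvel agent: read-only stats/state collection; narrow to explicit actions once enumerated`. The System class body continues outside the hunk.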


@ -7,6 +7,7 @@ package org.elasticsearch.shield.authz;
import com.carrotsearch.randomizedtesting.annotations.Repeat;
import org.elasticsearch.ElasticsearchIllegalArgumentException;
import org.elasticsearch.common.base.Predicate;
import org.elasticsearch.shield.support.AutomatonPredicate;
import org.elasticsearch.shield.support.Automatons;
import org.elasticsearch.test.ElasticsearchTestCase;
@ -147,4 +148,14 @@ public class PrivilegeTests extends ElasticsearchTestCase {
}
}
@Test
public void testSystem() throws Exception {
Predicate<String> predicate = Privilege.SYSTEM.predicate();
assertThat(predicate.apply("indices:monitor/whatever"), is(true));
assertThat(predicate.apply("cluster:monitor/whatever"), is(true));
assertThat(predicate.apply("internal:whatever"), is(true));
assertThat(predicate.apply("indices:whatever"), is(false));
assertThat(predicate.apply("cluster:whatever"), is(false));
assertThat(predicate.apply("whatever"), is(false));
}
}
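Review bot: The negative cases in testSystem use names far from the new patterns, so a pattern accidentally widened (for example written without the `/` before the wildcard) would still pass; the same gap exists in testCheck in the new SystemRoleTests file. Add boundary assertions next to the existing ones, such as `assertThat(predicate.apply("indices:monitorwhatever"), is(false));` and `assertThat(predicate.apply("cluster:monitor"), is(false));`, using `SystemRole.INSTANCE.check(...)` for the role test. Since these tests pin what the most privileged internal identity may do, a short comment stating that intent above each test method would help the next person who extends the pattern list.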


@ -0,0 +1,27 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield.authz;
import org.elasticsearch.test.ElasticsearchTestCase;
import org.junit.Test;
import static org.hamcrest.Matchers.*;
/**
*
*/
public class SystemRoleTests extends ElasticsearchTestCase {
@Test
public void testCheck() throws Exception {
assertThat(SystemRole.INSTANCE.check("indices:monitor/whatever"), is(true));
assertThat(SystemRole.INSTANCE.check("cluster:monitor/whatever"), is(true));
assertThat(SystemRole.INSTANCE.check("internal:whatever"), is(true));
assertThat(SystemRole.INSTANCE.check("indices:whatever"), is(false));
assertThat(SystemRole.INSTANCE.check("cluster:whatever"), is(false));
assertThat(SystemRole.INSTANCE.check("whatever"), is(false));
}
}