[Backport][7.x] Introduce reserved_ml_apm_user kibana privilege (#59854) (#60047)

Larry Gregory 2020-07-22 11:06:10 -04:00 committed by GitHub
parent c8ef2e18f7
commit a686ccc9b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 1 deletions


@ -183,7 +183,10 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
.privileges("read", "view_index_metadata").build(), .privileges("read", "view_index_metadata").build(),
RoleDescriptor.IndicesPrivileges.builder().indices("observability-annotations") RoleDescriptor.IndicesPrivileges.builder().indices("observability-annotations")
.privileges("read", "view_index_metadata").build() .privileges("read", "view_index_metadata").build()
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) }, new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("kibana-*").resources("*").privileges("reserved_ml_apm_user").build()
}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
.put("machine_learning_user", new RoleDescriptor("machine_learning_user", new String[] { "monitor_ml" }, .put("machine_learning_user", new RoleDescriptor("machine_learning_user", new String[] { "monitor_ml" },
new RoleDescriptor.IndicesPrivileges[] { new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*", ".ml-notifications*") RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*", ".ml-notifications*")
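Review bot: The new application grant is scoped with two wildcards, `.application("kibana-*").resources("*")`, and nothing at the call site says that this breadth is intended. A short comment above the builder would help the next reviewer of this reserved role, for example `// grants only the reserved_ml_apm_user privilege, on every kibana-* application and all resources`. The trailing `null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null` is also hard to audit, because the reader cannot tell which constructor slots are left empty; a per-argument comment such as `/* runAs */ null` would fix that, with slot names taken from the `RoleDescriptor` constructor, which is not visible on this page. The descriptor starts above the hunk, so the role name and its cluster privileges could not be checked here.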


@ -1205,6 +1205,18 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT); assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);
assertOnlyReadAllowed(role, "observability-annotations"); assertOnlyReadAllowed(role, "observability-annotations");
final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana");
assertThat(role.application().grants(
new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false));
assertThat(role.application().grants(
new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml_apm_user", "reserved_ml_apm_user"), "*"), is(true));
final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
assertThat(role.application().grants(
new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false));
assertThat(role.application().grants(
new ApplicationPrivilege(otherApplication, "app-reserved_ml_apm_user", "reserved_ml_apm_user"), "*"), is(false));
} }
public void testMachineLearningAdminRole() { public void testMachineLearningAdminRole() {
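Review bot: The negative cases use only a `logstash-` application, so the added assertions never pin the boundary of the `kibana-*` pattern. A name that merely resembles the prefix would show the wildcard is anchored, for example `assertThat(role.application().grants(new ApplicationPrivilege("notkibana-" + randomAlphaOfLengthBetween(8, 24), "app-reserved_ml_apm_user", "reserved_ml_apm_user"), "*"), is(false));`. Every assertion also passes `"*"` as the resource, so a concrete resource string is never checked against the `resources("*")` grant. The test method starts above the hunk, so the role under test is inferred from the surrounding assertions rather than seen.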