honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ML][Data Frame] add the src priv check for view_index_metadata (#43118) (#43161)

This commit is contained in:
Benjamin Trent 2019-06-12 13:22:46 -05:00 committed by GitHub
parent f13f55ede3
commit b110164bf4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
x-pack/plugin/data-frame/src/main/java/org/elasticsearch/xpack/dataframe/action/TransportPutDataFrameTransformAction.java
View File

@ -173,10 +173,9 @@ public class TransportPutDataFrameTransformAction
// Early check to verify that the user can create the destination index and can read from the source // Early check to verify that the user can create the destination index and can read from the source
if (licenseState.isAuthAllowed()) { if (licenseState.isAuthAllowed()) {
final String username = securityContext.getUser().principal(); final String username = securityContext.getUser().principal();
RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder() List<String> srcPrivileges = new ArrayList<>(2);
.indices(config.getSource().getIndex()) srcPrivileges.add("read");
.privileges("read")
.build();
List<String> destPrivileges = new ArrayList<>(3); List<String> destPrivileges = new ArrayList<>(3);
destPrivileges.add("read"); destPrivileges.add("read");
destPrivileges.add("index"); destPrivileges.add("index");
@ -184,12 +183,19 @@ public class TransportPutDataFrameTransformAction
// We should check that the creating user has the privileges to create the index. // We should check that the creating user has the privileges to create the index.
if (concreteDest.length == 0) { if (concreteDest.length == 0) {
destPrivileges.add("create_index"); destPrivileges.add("create_index");
// We need to read the source indices mapping to deduce the destination mapping
srcPrivileges.add("view_index_metadata");
} }
RoleDescriptor.IndicesPrivileges destIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder() RoleDescriptor.IndicesPrivileges destIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
.indices(destIndex) .indices(destIndex)
.privileges(destPrivileges) .privileges(destPrivileges)
.build(); .build();
RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
.indices(config.getSource().getIndex())
.privileges(srcPrivileges)
.build();
HasPrivilegesRequest privRequest = new HasPrivilegesRequest(); HasPrivilegesRequest privRequest = new HasPrivilegesRequest();
privRequest.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[0]); privRequest.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[0]);
privRequest.username(username); privRequest.username(username);