Whitelist global checkpoint sync actions
This commit whitelists the global checkpoint sync actions as otherwise these actions do not have privileges to run as the system user and will be denied as unauthorized. Relates elastic/x-pack-elasticsearch#2604 Original commit: elastic/x-pack-elasticsearch@598ae1ff50
This commit is contained in:
parent
6b2e7fbed8
commit
b4f7d56c35
|
@ -22,7 +22,8 @@ public final class SystemPrivilege extends Privilege {
|
||||||
"cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener
|
"cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener
|
||||||
"indices:admin/mapping/put", // needed for recovery and shrink api
|
"indices:admin/mapping/put", // needed for recovery and shrink api
|
||||||
"indices:admin/template/put", // needed for the TemplateUpgradeService
|
"indices:admin/template/put", // needed for the TemplateUpgradeService
|
||||||
"indices:admin/template/delete" // needed for the TemplateUpgradeService
|
"indices:admin/template/delete", // needed for the TemplateUpgradeService
|
||||||
|
"indices:admin/seq_no/global_checkpoint_sync*" // needed for global checkpoint syncs
|
||||||
), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user!
|
), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user!
|
||||||
|
|
||||||
private SystemPrivilege() {
|
private SystemPrivilege() {
|
||||||
|
|
|
@ -123,5 +123,8 @@ public class PrivilegeTests extends ESTestCase {
|
||||||
assertThat(predicate.test("indices:admin/mapping/put"), is(true));
|
assertThat(predicate.test("indices:admin/mapping/put"), is(true));
|
||||||
assertThat(predicate.test("indices:admin/mapping/whatever"), is(false));
|
assertThat(predicate.test("indices:admin/mapping/whatever"), is(false));
|
||||||
assertThat(predicate.test("internal:transport/proxy/indices:data/read/query"), is(false));
|
assertThat(predicate.test("internal:transport/proxy/indices:data/read/query"), is(false));
|
||||||
|
assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync"), is(true));
|
||||||
|
assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[p]"), is(true));
|
||||||
|
assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[r]"), is(true));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue