Whitelist global checkpoint sync actions

This commit whitelists the global checkpoint sync actions as otherwise
these actions do not have privileges to run as the system user and will
be denied as unauthorized.

Relates elastic/x-pack-elasticsearch#2604

Original commit: elastic/x-pack-elasticsearch@598ae1ff50
This commit is contained in:
Jason Tedor 2017-09-22 16:27:51 -04:00 committed by GitHub
parent 6b2e7fbed8
commit b4f7d56c35
2 changed files with 5 additions and 1 deletions

View File

@ -22,7 +22,8 @@ public final class SystemPrivilege extends Privilege {
"cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener
"indices:admin/mapping/put", // needed for recovery and shrink api "indices:admin/mapping/put", // needed for recovery and shrink api
"indices:admin/template/put", // needed for the TemplateUpgradeService "indices:admin/template/put", // needed for the TemplateUpgradeService
"indices:admin/template/delete" // needed for the TemplateUpgradeService "indices:admin/template/delete", // needed for the TemplateUpgradeService
"indices:admin/seq_no/global_checkpoint_sync*" // needed for global checkpoint syncs
), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user! ), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user!
private SystemPrivilege() { private SystemPrivilege() {

View File

@ -123,5 +123,8 @@ public class PrivilegeTests extends ESTestCase {
assertThat(predicate.test("indices:admin/mapping/put"), is(true)); assertThat(predicate.test("indices:admin/mapping/put"), is(true));
assertThat(predicate.test("indices:admin/mapping/whatever"), is(false)); assertThat(predicate.test("indices:admin/mapping/whatever"), is(false));
assertThat(predicate.test("internal:transport/proxy/indices:data/read/query"), is(false)); assertThat(predicate.test("internal:transport/proxy/indices:data/read/query"), is(false));
assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync"), is(true));
assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[p]"), is(true));
assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[r]"), is(true));
} }
} }