Allow built-in monitoring_user role to call GET _xpack API (#38060)

This PR adds the `monitor/xpack/info` cluster-level privilege to the built-in `monitoring_user` role.

This privilege is required for the Monitoring UI to call the `GET _xpack` API on the Monitoring Cluster. The UI makes this call to determine the license of the Monitoring Cluster, which in turn determines whether Cluster Alerts are shown to the user.

Resolves #37970.
Shaunak Kashyap 2019-02-01 08:56:34 -08:00 committed by GitHub
parent 603cdf40f1
commit cc7c42d7e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 1 deletions


@ -53,7 +53,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
null, null,
MetadataUtils.DEFAULT_RESERVED_METADATA, null))
.put("monitoring_user", new RoleDescriptor("monitoring_user",
new String[] { "cluster:monitor/main" },
new String[] { "cluster:monitor/main", "cluster:monitor/xpack/info" },
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".monitoring-*").privileges("read", "read_cross_cluster").build()
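Review bot: The widened cluster grant for `monitoring_user` (the array that now lists `"cluster:monitor/xpack/info"`) has no comment saying why this role needs the extra action; the reason is recorded only in the commit message. A reserved role applies to every user who holds it, so each privilege should be traceable from the code. I would add above the array `// cluster:monitor/xpack/info: lets the Monitoring UI read the monitoring cluster's license via GET _xpack`. Granting the exact action name rather than a wildcard keeps the role least-privilege and is worth preserving in later edits. The enclosing `.put("monitoring_user", ...)` call starts and ends outside the hunk.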


@ -47,6 +47,7 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.action.XPackInfoAction;
import org.elasticsearch.xpack.core.ml.MlMetaIndex;
import org.elasticsearch.xpack.core.ml.action.CloseJobAction;
import org.elasticsearch.xpack.core.ml.action.DeleteCalendarAction;
@ -405,6 +406,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
Role monitoringUserRole = Role.builder(roleDescriptor, null).build();
assertThat(monitoringUserRole.cluster().check(MainAction.NAME, request), is(true));
assertThat(monitoringUserRole.cluster().check(XPackInfoAction.NAME, request), is(true));
assertThat(monitoringUserRole.cluster().check(ClusterHealthAction.NAME, request), is(false));
assertThat(monitoringUserRole.cluster().check(ClusterStateAction.NAME, request), is(false));
assertThat(monitoringUserRole.cluster().check(ClusterStatsAction.NAME, request), is(false));