Add ClusterSearchShardsAction to "read_cross_cluster" privilege (elastic/x-pack-elasticsearch#1231)

Cross cluster search uses ClusterSearchShardsAction under the covers. Without this change, you would need both "read_cross_cluster" and "view_index_metadata" privilegs in order to have permission to execute searches from a remote cluster. Original commit: elastic/x-pack-elasticsearch@65a6aff329
2017-04-27 22:39:13 +10:00 · 2017-04-27 22:39:13 +10:00 · ddf5fd68c2
parent 7e62eb6255
commit ddf5fd68c2
3 changed files with 4 additions and 3 deletions
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java
@ -39,7 +39,8 @@ public final class IndexPrivilege extends Privilege {

    private static final Automaton ALL_AUTOMATON = patterns("indices:*", "internal:transport/proxy/indices:*");
    private static final Automaton READ_AUTOMATON = patterns("indices:data/read/*");
-    private static final Automaton READ_CROSS_CLUSTER_AUTOMATON = patterns("internal:transport/proxy/indices:data/read/*");
+    private static final Automaton READ_CROSS_CLUSTER_AUTOMATON = patterns("internal:transport/proxy/indices:data/read/*",
+            ClusterSearchShardsAction.NAME);
    private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", "indices:data/write/bulk*",
            PutMappingAction.NAME);
    private static final Automaton INDEX_AUTOMATON =
--- a/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yaml
+++ b/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yaml
@ -23,7 +23,7 @@ setup:
              "indices": [
                {
                  "names": ["test_index", "my_remote_cluster:test_index", "my_remote_cluster:aliased_test_index", "test_remote_cluster:test_index"],
-                  "privileges": ["read", "read_cross_cluster", "view_index_metadata"]
+                  "privileges": ["read"]
                }
              ]
            }
--- a/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yaml
+++ b/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yaml
@ -23,7 +23,7 @@ setup:
              "indices": [
                {
                  "names": ["test_index", "aliased_test_index"],
-                  "privileges": ["read", "read_cross_cluster", "view_index_metadata"]
+                  "privileges": ["read", "read_cross_cluster"]
                }
              ]
            }