From ddf5fd68c26909f6658c431657f86a9fac075a44 Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Thu, 27 Apr 2017 22:39:13 +1000 Subject: [PATCH] Add ClusterSearchShardsAction to "read_cross_cluster" privilege (elastic/x-pack-elasticsearch#1231) Cross cluster search uses ClusterSearchShardsAction under the covers. Without this change, you would need both "read_cross_cluster" and "view_index_metadata" privilegs in order to have permission to execute searches from a remote cluster. Original commit: elastic/x-pack-elasticsearch@65a6aff3297d493d539baad1cbb57862dc783c45 --- .../xpack/security/authz/privilege/IndexPrivilege.java | 3 ++- .../resources/rest-api-spec/test/multi_cluster/10_basic.yaml | 2 +- .../resources/rest-api-spec/test/remote_cluster/10_basic.yaml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java index 1e412a255c7..3d679f75e68 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/privilege/IndexPrivilege.java @@ -39,7 +39,8 @@ public final class IndexPrivilege extends Privilege { private static final Automaton ALL_AUTOMATON = patterns("indices:*", "internal:transport/proxy/indices:*"); private static final Automaton READ_AUTOMATON = patterns("indices:data/read/*"); - private static final Automaton READ_CROSS_CLUSTER_AUTOMATON = patterns("internal:transport/proxy/indices:data/read/*"); + private static final Automaton READ_CROSS_CLUSTER_AUTOMATON = patterns("internal:transport/proxy/indices:data/read/*", + ClusterSearchShardsAction.NAME); private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", "indices:data/write/bulk*", PutMappingAction.NAME); private static final Automaton INDEX_AUTOMATON = 
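Review bot: `READ_CROSS_CLUSTER_AUTOMATON` now grants `ClusterSearchShardsAction.NAME` as a plain action name rather than under the `internal:transport/proxy/` prefix of the other pattern, and the constant carries no comment explaining the exception. As written, any role with `read_cross_cluster` on an index can invoke the search-shards action directly, which the commit message says previously also needed `view_index_metadata`, so the privilege is somewhat wider than its name suggests. That appears to be the intent, but it should be recorded next to the definition, for example `// cross cluster search calls ClusterSearchShardsAction on the remote cluster, outside the proxy prefix`. The class body starts and ends outside the hunk, so I cannot see whether the user-facing description of `read_cross_cluster` needs the same note.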
diff --git a/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yaml b/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yaml
index 30171d05e7d..c5e38b8f6f2 100644
--- a/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yaml
+++ b/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yaml
@@ -23,7 +23,7 @@ setup:
 "indices": [
 {
 "names": ["test_index", "my_remote_cluster:test_index", "my_remote_cluster:aliased_test_index", "test_remote_cluster:test_index"],
- "privileges": ["read", "read_cross_cluster", "view_index_metadata"]
+ "privileges": ["read"]
 }
 ]
 }
diff --git a/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yaml b/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yaml
index 5095a538973..359f6707fa6 100644
--- a/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yaml
+++ b/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yaml
@@ -23,7 +23,7 @@ setup:
 "indices": [
 {
 "names": ["test_index", "aliased_test_index"],
- "privileges": ["read", "read_cross_cluster", "view_index_metadata"]
+ "privileges": ["read", "read_cross_cluster"]
 }
 ]
 }
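Review bot: Both role changes (the `["read"]` role in multi_cluster/10_basic.yaml and the `["read", "read_cross_cluster"]` role in remote_cluster/10_basic.yaml) exercise only the success path of the adjusted privilege boundary. Nothing visible in these hunks checks that a remote-cluster role holding just `read` is refused for a cross cluster search, so a later change that over-grants would not fail this suite. I would add a second remote role with `"privileges": ["read"]` and a test that expects a search against `my_remote_cluster:test_index` to be rejected for that user. The setup sections continue outside the hunks, so such a case may already exist elsewhere in the files.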