[Logstash] Add new reserved role for managing LS configs (elastic/x-pack-elasticsearch#1531)

Adds a new reserved role called `logstash_admin` that provides access
to `.logstash-*` index for managing configurations.

Will add documentation in old x-pack dir

relates elastic/x-pack-elasticsearch#609

Original commit: elastic/x-pack-elasticsearch@48c40e01f8
Suyog Rao 2017-05-30 15:04:16 -07:00 committed by GitHub
parent 503717b915
commit e7b492e450
2 changed files with 35 additions and 0 deletions


@ -90,6 +90,10 @@ public class ReservedRolesStore {
RoleDescriptor.IndicesPrivileges.builder().indices(HistoryStore.INDEX_PREFIX + "*") RoleDescriptor.IndicesPrivileges.builder().indices(HistoryStore.INDEX_PREFIX + "*")
.privileges("read") .privileges("read")
.build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) .build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("logstash_admin", new RoleDescriptor("logstash_admin", null, new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices(".logstash*")
.privileges("create", "delete", "index", "manage", "read").build() },
null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.immutableMap(); .immutableMap();
} }
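Review bot: The index pattern in the new `logstash_admin` entry is `.logstash*`, which is wider than the `.logstash-*` named in the commit description: it also matches `.logstash` itself and any other index whose name merely starts with that prefix, and the role holds `manage` and `delete` on all of them. If the bare `.logstash` index is intended (the accompanying test asserts it is allowed), a comment above the entry such as `// .logstash* on purpose: covers the .logstash index as well as .logstash-<suffix>` would record that. Otherwise the grant could list the exact names, e.g. `.indices(".logstash", ".logstash-*")`, so the reserved role follows least privilege. The surrounding builder chain starts and ends outside this hunk.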


@ -447,4 +447,35 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertThat(role.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false)); assertThat(role.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));
assertThat(role.indices().allowedIndicesMatcher(BulkAction.NAME).test(index), is(false)); assertThat(role.indices().allowedIndicesMatcher(BulkAction.NAME).test(index), is(false));
} }
public void testLogstashAdminRole() {
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("logstash_admin");
assertNotNull(roleDescriptor);
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
Role logstashAdminRole = Role.builder(roleDescriptor, null).build();
assertThat(logstashAdminRole.cluster().check(ClusterHealthAction.NAME), is(false));
assertThat(logstashAdminRole.cluster().check(PutIndexTemplateAction.NAME), is(false));
assertThat(logstashAdminRole.cluster().check(ClusterRerouteAction.NAME), is(false));
assertThat(logstashAdminRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false));
assertThat(logstashAdminRole.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".logstash"), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
is(false));
final String index = ".logstash-" + randomIntBetween(0, 5);
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
}
} }
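Review bot: `testLogstashAdminRole` exercises its negative cases only with `IndexAction.NAME`, so the destructive and administrative grants (`DeleteIndexAction`, `UpdateSettingsAction`) are never asserted to be denied outside the Logstash indices. Adding `assertThat(logstashAdminRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test("foo"), is(false));` and the same line for `UpdateSettingsAction.NAME` would pin that. The test also does not show where the `.logstash*` wildcard stops: `.logstash` and `.logstash-N` are covered, but no assertion uses a name that only shares the prefix, so the intended boundary of the pattern is left implicit.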