[Security] has_privileges.has_all_requested should respect cluster privileges ()

The has_all_requested field in the has_privileges response was not taking the cluster privileges into account

relates 

Original commit: elastic/x-pack-elasticsearch@68d2b98670
Tim Vernum 2017-12-28 08:38:41 +10:00 committed by GitHub
parent 3ecc433f43
commit e8985f4455
2 changed files with 40 additions and 25 deletions
plugin/src
main/java/org/elasticsearch/xpack/security/action/user
test/java/org/elasticsearch/xpack/security/action/user


@ -79,11 +79,11 @@ public class TransportHasPrivilegesAction extends HandledTransportAction<HasPriv
final ClusterPrivilege rolePrivilege = userRole.cluster().privilege(); final ClusterPrivilege rolePrivilege = userRole.cluster().privilege();
cluster.put(checkAction, testPrivilege(checkPrivilege, rolePrivilege.getAutomaton())); cluster.put(checkAction, testPrivilege(checkPrivilege, rolePrivilege.getAutomaton()));
} }
boolean allMatch = cluster.values().stream().allMatch(Boolean::booleanValue);
final Map<IndicesPermission.Group, Automaton> predicateCache = new HashMap<>(); final Map<IndicesPermission.Group, Automaton> predicateCache = new HashMap<>();
final Map<String, HasPrivilegesResponse.IndexPrivileges> indices = new LinkedHashMap<>(); final Map<String, HasPrivilegesResponse.IndexPrivileges> indices = new LinkedHashMap<>();
boolean allMatch = true;
for (RoleDescriptor.IndicesPrivileges check : request.indexPrivileges()) { for (RoleDescriptor.IndicesPrivileges check : request.indexPrivileges()) {
for (String index : check.getIndices()) { for (String index : check.getIndices()) {
final Map<String, Boolean> privileges = new HashMap<>(); final Map<String, Boolean> privileges = new HashMap<>();
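Review bot: The new seed `boolean allMatch = cluster.values().stream().allMatch(Boolean::booleanValue);` is only correct if the index loop that follows narrows it (`allMatch &= …` or `allMatch = allMatch && …`) rather than assigning a fresh value, and that loop body lies outside the hunk, so this is inferred rather than visible. A comment on that line would keep the invariant from being lost in a later refactor: `// has_all_requested: start from the cluster-privilege results, then narrow by the index checks below — never reset to true`. When no cluster privileges were requested the stream is vacuously true, which preserves the previous `allMatch = true` starting point. The enclosing doExecute begins before the hunk and continues past it.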


@ -170,18 +170,10 @@ public class TransportHasPrivilegesActionTests extends ESTestCase {
.cluster(ClusterPrivilege.MONITOR) .cluster(ClusterPrivilege.MONITOR)
.build(); .build();
final HasPrivilegesRequest request = new HasPrivilegesRequest(); final HasPrivilegesResponse response = hasPrivileges(RoleDescriptor.IndicesPrivileges.builder()
request.username(user.principal());
request.clusterPrivileges(Strings.EMPTY_ARRAY);
request.indexPrivileges(RoleDescriptor.IndicesPrivileges.builder()
.indices("academy") .indices("academy")
.privileges("read", "write") .privileges("read", "write")
.build()); .build(), Strings.EMPTY_ARRAY);
final PlainActionFuture<HasPrivilegesResponse> future = new PlainActionFuture();
action.doExecute(request, future);
final HasPrivilegesResponse response = future.get();
assertThat(response, notNullValue());
assertThat(response.isCompleteMatch(), is(false)); assertThat(response.isCompleteMatch(), is(false));
assertThat(response.getIndexPrivileges(), Matchers.iterableWithSize(1)); assertThat(response.getIndexPrivileges(), Matchers.iterableWithSize(1));
final IndexPrivileges result = response.getIndexPrivileges().get(0); final IndexPrivileges result = response.getIndexPrivileges().get(0);
@ -262,20 +254,10 @@ public class TransportHasPrivilegesActionTests extends ESTestCase {
.add(IndexPrivilege.DELETE, "apache-2016-*") .add(IndexPrivilege.DELETE, "apache-2016-*")
.build(); .build();
final HasPrivilegesRequest request = new HasPrivilegesRequest(); final HasPrivilegesResponse response = hasPrivileges(RoleDescriptor.IndicesPrivileges.builder()
request.username(user.principal());
request.clusterPrivileges(Strings.EMPTY_ARRAY);
request.indexPrivileges(
RoleDescriptor.IndicesPrivileges.builder()
.indices("apache-2016-12", "apache-2017-01") .indices("apache-2016-12", "apache-2017-01")
.privileges("index", "delete") .privileges("index", "delete")
.build() .build(), Strings.EMPTY_ARRAY);
);
final PlainActionFuture<HasPrivilegesResponse> future = new PlainActionFuture();
action.doExecute(request, future);
final HasPrivilegesResponse response = future.get();
assertThat(response, notNullValue());
assertThat(response.isCompleteMatch(), is(false)); assertThat(response.isCompleteMatch(), is(false));
assertThat(response.getIndexPrivileges(), Matchers.iterableWithSize(2)); assertThat(response.getIndexPrivileges(), Matchers.iterableWithSize(2));
assertThat(response.getIndexPrivileges(), containsInAnyOrder( assertThat(response.getIndexPrivileges(), containsInAnyOrder(
@ -289,6 +271,39 @@ public class TransportHasPrivilegesActionTests extends ESTestCase {
)); ));
} }
public void testIsCompleteMatch() throws Exception {
role = Role.builder("test-write")
.cluster(ClusterPrivilege.MONITOR)
.add(IndexPrivilege.READ, "read-*")
.add(IndexPrivilege.ALL, "all-*")
.build();
assertThat(hasPrivileges(indexPrivileges("read", "read-123", "read-456", "all-999"), "monitor").isCompleteMatch(), is(true));
assertThat(hasPrivileges(indexPrivileges("read", "read-123", "read-456", "all-999"), "manage").isCompleteMatch(), is(false));
assertThat(hasPrivileges(indexPrivileges("write", "read-123", "read-456", "all-999"), "monitor").isCompleteMatch(), is(false));
assertThat(hasPrivileges(indexPrivileges("write", "read-123", "read-456", "all-999"), "manage").isCompleteMatch(), is(false));
}
private RoleDescriptor.IndicesPrivileges indexPrivileges(String priv, String... indices) {
return RoleDescriptor.IndicesPrivileges.builder()
.indices(indices)
.privileges(priv)
.build();
}
private HasPrivilegesResponse hasPrivileges(RoleDescriptor.IndicesPrivileges indicesPrivileges, String... clusterPrivileges)
throws Exception {
final HasPrivilegesRequest request = new HasPrivilegesRequest();
request.username(user.principal());
request.clusterPrivileges(clusterPrivileges);
request.indexPrivileges(indicesPrivileges);
final PlainActionFuture<HasPrivilegesResponse> future = new PlainActionFuture();
action.doExecute(request, future);
final HasPrivilegesResponse response = future.get();
assertThat(response, notNullValue());
return response;
}
private static MapBuilder<String, Boolean> mapBuilder() { private static MapBuilder<String, Boolean> mapBuilder() {
return MapBuilder.newMapBuilder(); return MapBuilder.newMapBuilder();
} }
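Review bot: testIsCompleteMatch only ever requests a single cluster privilege, so it does not pin the case the fix is about — several requested cluster privileges of which one is held and one is not; a mixed request such as `assertThat(hasPrivileges(indexPrivileges("read", "read-123"), "monitor", "manage").isCompleteMatch(), is(false));` would catch an implementation that checks only the first entry or uses any-match. The new hasPrivileges helper also keeps the raw `new PlainActionFuture()` from the code it replaces; `new PlainActionFuture<>()` removes the unchecked warning. Since the helper is now the single place the future is built, that is the one line to change.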