From f9b8c82137d2786d66f19e890e477fe854899673 Mon Sep 17 00:00:00 2001
From: Chris Earle
Date: Thu, 20 Apr 2017 12:50:11 -0400
Subject: [PATCH] [Security] Remove cluster:monitor Privilege from kibana_user (elastic/x-pack-elasticsearch#1097)

Ordinary Kibana users should not have access to the cluster state of ES, and therefore they should not be able to access ML jobs without explicit permission.

Original commit: elastic/x-pack-elasticsearch@77273d561a4a94a5278d8712deddad370ca25482
---
 .../xpack/security/authz/store/ReservedRolesStore.java | 2 +-
 .../xpack/security/authz/store/ReservedRolesStoreTests.java | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java
index c79c96e48b0..d3441947adb 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java
@@ -40,7 +40,7 @@ public class ReservedRolesStore {
 MetadataUtils.DEFAULT_RESERVED_METADATA))
 .put("transport_client", new RoleDescriptor("transport_client", new String[] { "transport_client" }, null, null,
 MetadataUtils.DEFAULT_RESERVED_METADATA))
- .put("kibana_user", new RoleDescriptor("kibana_user", new String[] { "monitor" }, new RoleDescriptor.IndicesPrivileges[] {
+ .put("kibana_user", new RoleDescriptor("kibana_user", null, new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete")
 .build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
 .put("monitoring_user", new RoleDescriptor("monitoring_user", null, new RoleDescriptor.IndicesPrivileges[] {
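Review bot: The `null` now passed as the cluster-privilege argument of the kibana_user `RoleDescriptor` carries the whole security intent of this commit, but nothing in the code says so; a reader sees only that this role, unlike the `transport_client` entry above it, declares no cluster privileges, and the rationale lives only in the commit message. A one-line comment on the `.put("kibana_user", ...)` line, `// no cluster privileges on purpose: ordinary Kibana users must not read cluster state (which would expose e.g. ML job metadata); see elastic/x-pack-elasticsearch#1097`, keeps the decision next to the code so it is not "restored" later as an apparent omission. The `monitoring_user` entry below already passes `null` for the same argument, so the form is consistent with the rest of the map. The reserved-roles map initialisation this `.put` chain belongs to starts and ends outside the hunk.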
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java
index cad4de59f25..729f95e4c06 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java
@@ -144,9 +144,9 @@ public class ReservedRolesStoreTests extends ESTestCase {
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 Role kibanaUserRole = Role.builder(roleDescriptor, null).build();
- assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME), is(true));
- assertThat(kibanaUserRole.cluster().check(ClusterStateAction.NAME), is(true));
- assertThat(kibanaUserRole.cluster().check(ClusterStatsAction.NAME), is(true));
+ assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME), is(false));
+ assertThat(kibanaUserRole.cluster().check(ClusterStateAction.NAME), is(false));
+ assertThat(kibanaUserRole.cluster().check(ClusterStatsAction.NAME), is(false));
 assertThat(kibanaUserRole.cluster().check(PutIndexTemplateAction.NAME), is(false));
 assertThat(kibanaUserRole.cluster().check(ClusterRerouteAction.NAME), is(false));
 assertThat(kibanaUserRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false));
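Review bot: The three flipped assertions pin the denied actions but give no hint that the `false` results are deliberate, so a later change that re-adds a cluster privilege to kibana_user would read as a routine test update rather than a regression of elastic/x-pack-elasticsearch#1097. A short comment above the first `assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME), is(false));`, `// kibana_user intentionally holds no cluster privileges, not even monitor-level ones`, would make the intent explicit in the test. Since the role now declares no cluster privileges at all, the stronger check is that the role's cluster permission is empty rather than that six named actions are denied — assuming the permission object offers a way to assert that, which the hunk does not show. The test method these assertions belong to starts and ends outside the hunk.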