[Security] Remove cluster:monitor Privilege from kibana_user (elastic/x-pack-elasticsearch#1097)
Ordinary Kibana users should not have access to the cluster state of ES, and therefore they should not be able to access ML jobs without explicit permission. Original commit: elastic/x-pack-elasticsearch@77273d561a
parent
f64c608159
commit
f9b8c82137
@ -40,7 +40,7 @@ public class ReservedRolesStore {
MetadataUtils.DEFAULT_RESERVED_METADATA))
MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("transport_client", new RoleDescriptor("transport_client", new String[] { "transport_client" }, null, null,
.put("transport_client", new RoleDescriptor("transport_client", new String[] { "transport_client" }, null, null,
MetadataUtils.DEFAULT_RESERVED_METADATA))
MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("kibana_user", new RoleDescriptor("kibana_user", new String[] { "monitor" }, new RoleDescriptor.IndicesPrivileges[] {
.put("kibana_user", new RoleDescriptor("kibana_user", null, new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete")
RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete")
.build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("monitoring_user", new RoleDescriptor("monitoring_user", null, new RoleDescriptor.IndicesPrivileges[] {
.put("monitoring_user", new RoleDescriptor("monitoring_user", null, new RoleDescriptor.IndicesPrivileges[] {
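Review bot: The new `kibana_user` entry on the fourth changed line of the hunk passes `null` for cluster privileges, but nothing at the definition records why, so the next person wiring a Kibana feature that wants cluster visibility is likely to put `"monitor"` back and silently reopen cluster state (and with it ML job metadata) to ordinary Kibana users. A short comment above the `.put("kibana_user", ...)` line would pin the intent next to the code, e.g. `// no cluster privileges: Kibana users must not read cluster state (and, via it, ML jobs) without an explicit grant; see ReservedRolesStoreTests`. Using `null` rather than an empty array is consistent with the `monitoring_user` entry two lines below. The builder chain holding these entries starts and ends outside the hunk.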
@ -144,9 +144,9 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
Role kibanaUserRole = Role.builder(roleDescriptor, null).build();
Role kibanaUserRole = Role.builder(roleDescriptor, null).build();
assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME), is(true));
assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterStateAction.NAME), is(true));
assertThat(kibanaUserRole.cluster().check(ClusterStateAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterStatsAction.NAME), is(true));
assertThat(kibanaUserRole.cluster().check(ClusterStatsAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(PutIndexTemplateAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(PutIndexTemplateAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterRerouteAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterRerouteAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false));
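Review bot: The three flipped assertions (cluster health, state and stats now `is(false)`) only cover generic cluster-read actions, while the commit's stated motivation is keeping Kibana users away from ML jobs; an assertion that `kibanaUserRole.cluster().check(...)` returns `false` for an ML job read action would guard that concern directly and would fail if someone later restores `"monitor"` on the role. The ML action class is not visible in this hunk, so I cannot name the exact constant to use. Since the role now carries no cluster privileges at all, a brief comment above the first flipped assertion, e.g. `// kibana_user has no cluster privileges: even read-only cluster actions must be denied`, would explain why read-only actions are expected to fail. The test method starts and ends outside the hunk.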