[Security] Remove cluster:monitor Privilege from kibana_user (elastic/x-pack-elasticsearch#1097)

Ordinary Kibana users should not have access to the cluster state of ES,
and therefore they should not be able to access ML jobs without explicit
permission.

Original commit: elastic/x-pack-elasticsearch@77273d561a
Chris Earle 2017-04-20 12:50:11 -04:00 committed by GitHub
parent f64c608159
commit f9b8c82137
2 changed files with 4 additions and 4 deletions


@ -40,7 +40,7 @@ public class ReservedRolesStore {
MetadataUtils.DEFAULT_RESERVED_METADATA)) MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("transport_client", new RoleDescriptor("transport_client", new String[] { "transport_client" }, null, null, .put("transport_client", new RoleDescriptor("transport_client", new String[] { "transport_client" }, null, null,
MetadataUtils.DEFAULT_RESERVED_METADATA)) MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("kibana_user", new RoleDescriptor("kibana_user", new String[] { "monitor" }, new RoleDescriptor.IndicesPrivileges[] { .put("kibana_user", new RoleDescriptor("kibana_user", null, new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete") RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete")
.build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) .build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("monitoring_user", new RoleDescriptor("monitoring_user", null, new RoleDescriptor.IndicesPrivileges[] { .put("monitoring_user", new RoleDescriptor("monitoring_user", null, new RoleDescriptor.IndicesPrivileges[] {
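Review bot: The new `kibana_user` entry passes `null` for cluster privileges with nothing recording why, so a later maintainer could re-add `"monitor"` for convenience and silently reopen cluster-state access; a why-comment above the `.put("kibana_user", ...)` line would pin the intent, e.g. `// kibana_user deliberately has no cluster privileges: cluster state exposes ML jobs and other metadata ordinary Kibana users must not see`. Passing `null` for the cluster array matches the `monitoring_user` entry directly below it, so the `RoleDescriptor` constructor evidently already accepts that shape. Any Kibana feature that relied on `kibana_user` being able to call cluster health/state/stats is now denied; presumably that traffic belongs to the separate Kibana system role rather than to end users, but that role is not visible in this hunk and is worth confirming. The role-table builder chain starts and ends outside the hunk.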


@ -144,9 +144,9 @@ public class ReservedRolesStoreTests extends ESTestCase {
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
Role kibanaUserRole = Role.builder(roleDescriptor, null).build(); Role kibanaUserRole = Role.builder(roleDescriptor, null).build();
assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME), is(true)); assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterStateAction.NAME), is(true)); assertThat(kibanaUserRole.cluster().check(ClusterStateAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterStatsAction.NAME), is(true)); assertThat(kibanaUserRole.cluster().check(ClusterStatsAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(PutIndexTemplateAction.NAME), is(false)); assertThat(kibanaUserRole.cluster().check(PutIndexTemplateAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterRerouteAction.NAME), is(false)); assertThat(kibanaUserRole.cluster().check(ClusterRerouteAction.NAME), is(false));
assertThat(kibanaUserRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false)); assertThat(kibanaUserRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false));