mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-06 13:08:29 +00:00
500b4ac6b9
The changes made for elastic/x-pack-elasticsearch#2369 showed that the ML security tests were seriously weakened by the decision to grant many "minimal" privileges to all users involved in the tests. A better solution is to override the auth header such that a superuser runs setup actions and assertions that work by querying raw documents in ways that an end user wouldn't. Then the ML endpoints can be called with the privileges provided by the ML roles and nothing else. Original commit: elastic/x-pack-elasticsearch@4de42d9e54
18 lines
655 B
YAML
minimal:
  cluster:
    # This is always required because the REST client uses it to find the version of
    # Elasticsearch it's talking to
    - cluster:monitor/main
  indices:
    # Give all users involved in these tests access to the indices where the data to
    # be analyzed is stored, because the ML roles alone do not provide access to
    # non-ML indices
    - names: [ 'airline-data', 'index-foo', 'unavailable-data' ]
      privileges:
        - indices:admin/create
        - indices:admin/refresh
        - indices:data/read/field_caps
        - indices:data/read/search
        - indices:data/write/bulk
        - indices:data/write/index
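
The commit message above argues that privileges granted to every test user can hide what the ML roles themselves allow. As an added example (not part of the mirrored repository), this Python sketch treats a user's effective permissions as the union of assigned roles and lists the requests that succeed only because of the `minimal` role. `ML_ROLE_SAMPLE`, `REQUESTS` and the function names are constructed assumptions, and `fnmatch` globbing only approximates Elasticsearch's wildcard matching.

```python
from fnmatch import fnmatchcase

# The "minimal" role from the roles file on this page, transcribed as a dict.
MINIMAL = {
    "cluster": ["cluster:monitor/main"],
    "indices": [{
        "names": ["airline-data", "index-foo", "unavailable-data"],
        "privileges": [
            "indices:admin/create", "indices:admin/refresh",
            "indices:data/read/field_caps", "indices:data/read/search",
            "indices:data/write/bulk", "indices:data/write/index",
        ],
    }],
}

# Constructed stand-in for an ML role (assumption, not taken from the page).
ML_ROLE_SAMPLE = {
    "cluster": ["cluster:monitor/xpack/ml/*"],
    "indices": [{"names": [".ml-anomalies*"],
                 "privileges": ["indices:data/read/*"]}],
}

def allows(role, action, index=None):
    """True if a single role grants `action` (on `index` for index actions)."""
    if index is None:
        return any(fnmatchcase(action, p) for p in role.get("cluster", []))
    return any(
        any(fnmatchcase(index, n) for n in grant["names"])
        and any(fnmatchcase(action, p) for p in grant["privileges"])
        for grant in role.get("indices", [])
    )

def masked_by(extra_role, role_under_test, requests):
    """Requests that pass only because `extra_role` is also assigned."""
    return [
        (action, index) for action, index in requests
        if allows(extra_role, action, index)
        and not allows(role_under_test, action, index)
    ]

# Constructed requests a test might issue while authenticated as an ML user.
REQUESTS = [
    ("cluster:monitor/main", None),
    ("cluster:monitor/xpack/ml/job/get", None),
    ("indices:data/read/search", "airline-data"),
    ("indices:data/read/search", ".ml-anomalies-shared"),
    ("indices:data/write/bulk", ".ml-anomalies-shared"),
]
```

Any request returned by `masked_by(MINIMAL, ML_ROLE_SAMPLE, REQUESTS)` would pass in a test even if the role under test were broken, so each one needs a justification like the comments in the roles file.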