mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-09 14:34:43 +00:00
387c3c7f1d
This commit introduces "Application Privileges" to the X-Pack security model. Application Privileges are managed within Elasticsearch, and can be tested with the _has_privileges API, but do not grant access to any actions or resources within Elasticsearch. Their purpose is to allow applications outside of Elasticsearch to represent and store their own privileges model within Elasticsearch roles. Access to manage application privileges is handled in a new way that grants permission to specific application names only. This lays the foundation for more OLS on cluster privileges, which is implemented by allowing a cluster permission to inspect not just the action being executed, but also the request to which the action is applied. To support this, a "conditional cluster privilege" is introduced, which is like the existing cluster privilege, except that it has a Predicate over the request as well as over the action name. Specifically, this adds - GET/PUT/DELETE actions for defining application level privileges - application privileges in role definitions - application privileges in the has_privileges API - changes to the cluster permission class to support checking of request objects - a new "global" element on role definition to provide cluster object level security (only for manage application privileges) - changes to `kibana_user`, `kibana_dashboard_only_user` and `kibana_system` roles to use and manage application privileges Closes #29820 Closes #31559
93 lines
2.1 KiB
Plaintext
93 lines
2.1 KiB
Plaintext
[role="xpack"]
|
|
[[security-api-privileges]]
|
|
=== Privilege APIs
|
|
|
|
[[security-api-has-privilege]]
|
|
|
|
The `has_privileges` API allows you to determine whether the logged in user has
|
|
a specified list of privileges.
|
|
|
|
==== Request
|
|
|
|
`GET _xpack/security/user/_has_privileges`
|
|
|
|
|
|
==== Description
|
|
|
|
For a list of the privileges that you can specify in this API,
|
|
see {xpack-ref}/security-privileges.html[Security Privileges].
|
|
|
|
A successful call returns a JSON structure that shows whether each specified
|
|
privilege is assigned to the user.
|
|
|
|
|
|
==== Request Body
|
|
|
|
`cluster`:: (list) A list of the cluster privileges that you want to check.
|
|
|
|
`index`::
|
|
`names`::: (list) A list of indices.
|
|
`privileges`::: (list) A list of the privileges that you want to check for the
|
|
specified indices.
|
|
|
|
==== Authorization
|
|
|
|
All users can use this API, but only to determine their own privileges.
|
|
To check the privileges of other users, you must use the run as feature. For
|
|
more information, see
|
|
{xpack-ref}/run-as-privilege.html[Submitting Requests on Behalf of Other Users].
|
|
|
|
|
|
==== Examples
|
|
|
|
The following example checks whether the current user has a specific set of
|
|
cluster and indices privileges:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
GET _xpack/security/user/_has_privileges
|
|
{
|
|
"cluster": [ "monitor", "manage" ],
|
|
"index" : [
|
|
{
|
|
"names": [ "suppliers", "products" ],
|
|
"privileges": [ "read" ]
|
|
},
|
|
{
|
|
"names": [ "inventory" ],
|
|
"privileges" : [ "read", "write" ]
|
|
}
|
|
]
|
|
}
|
|
--------------------------------------------------
|
|
// CONSOLE
|
|
|
|
The following example output indicates which privileges the "rdeniro" user has:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"username": "rdeniro",
|
|
"has_all_requested" : false,
|
|
"cluster" : {
|
|
"monitor" : true,
|
|
"manage" : false
|
|
},
|
|
"index" : {
|
|
"suppliers" : {
|
|
"read" : true
|
|
},
|
|
"products" : {
|
|
"read" : true
|
|
},
|
|
"inventory" : {
|
|
"read" : true,
|
|
"write" : false
|
|
}
|
|
},
|
|
"application" : {}
|
|
}
|
|
--------------------------------------------------
|
|
// TESTRESPONSE[s/"rdeniro"/"$body.username"/]
|
|
// TESTRESPONSE[s/: false/: true/]
|