From d9952e242d8fe03959445062f64efda3cc617a13 Mon Sep 17 00:00:00 2001
From: BigPandaToo
Date: Mon, 14 Dec 2020 20:46:09 +0100
Subject: [PATCH] Adding "read ingest pipeline" cluster privilege Resolving bwc, renaming the action Resolve #48028
---
.../elasticsearch/action/ingest/GetPipelineAction.java | 2 +-
.../action/ingest/SimulatePipelineAction.java | 2 +-
.../authz/privilege/ClusterPrivilegeResolver.java | 9 +++++----
.../smoketest/MlWithSecurityUserRoleIT.java | 3 +--
.../elasticsearch/xpack/security/operator/Constants.java | 4 ++--
.../rest-api-spec/test/privileges/11_builtin.yml | 2 +-
6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java b/server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java
index 9c68cc622c341..ebc43dfe663b9 100644
--- a/server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java
+++ b/server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java
@@ -24,7 +24,7 @@
 public class GetPipelineAction extends ActionType {
 public static final GetPipelineAction INSTANCE = new GetPipelineAction();
- public static final String NAME = "cluster:monitor/ingest/pipeline/get";
+ public static final String NAME = "cluster:admin/ingest/pipeline/get";
 public GetPipelineAction() {
 super(NAME, GetPipelineResponse::new);
diff --git a/server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java b/server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java
index 51b19e1ee6ee5..3e76c96834c8a 100644
--- a/server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java
+++ b/server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java
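Review bot: `NAME` in GetPipelineAction.java, and the matching line in the SimulatePipelineAction.java hunk, files a read-style action under `cluster:admin/` without a comment explaining the choice, so a later tidy-up could move it back to `cluster:monitor/` and silently change who is authorized. The ClusterPrivilegeResolver hunks in this patch match on these strings, so the name is part of the authorization contract: a role that lists `cluster:monitor/ingest/pipeline/*` as a raw action pattern stops matching, and wildcard monitor patterns stop covering pipeline reads (if the monitor names ever shipped, that is a behaviour change to call out in the release notes). I would add above each constant something like `// Stays under cluster:admin for bwc; read access is granted by exact name in ClusterPrivilegeResolver.` Both class bodies continue outside their hunks.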
@@ -24,7 +24,7 @@
 public class SimulatePipelineAction extends ActionType {
 public static final SimulatePipelineAction INSTANCE = new SimulatePipelineAction();
- public static final String NAME = "cluster:monitor/ingest/pipeline/simulate";
+ public static final String NAME = "cluster:admin/ingest/pipeline/simulate";
 public SimulatePipelineAction() {
 super(NAME, SimulatePipelineResponse::new);
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
index 1433fc4e66313..84a8c894a947d 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
@@ -15,6 +15,8 @@
 import org.elasticsearch.action.admin.cluster.snapshots.get.GetSnapshotsAction;
 import org.elasticsearch.action.admin.cluster.snapshots.status.SnapshotsStatusAction;
 import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
+import org.elasticsearch.action.ingest.GetPipelineAction;
+import org.elasticsearch.action.ingest.SimulatePipelineAction;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.xpack.core.ilm.action.GetLifecycleAction;
 import org.elasticsearch.xpack.core.ilm.action.GetStatusAction;
@@ -65,9 +67,8 @@ public class ClusterPrivilegeResolver {
 private static final Set TRANSPORT_CLIENT_PATTERN = Set.of("cluster:monitor/nodes/liveness", "cluster:monitor/state");
 private static final Set MANAGE_IDX_TEMPLATE_PATTERN = Set.of("indices:admin/template/*", "indices:admin/index_template/*", "cluster:admin/component_template/*");
- private static final Set MANAGE_INGEST_PIPELINE_PATTERN = Set.of("cluster:admin/ingest/pipeline/*",
- "cluster:monitor/ingest/pipeline/*");
- private static final Set READ_INGEST_PIPELINE_PATTERN = Set.of("cluster:monitor/ingest/pipeline/*");
+ private static final Set MANAGE_INGEST_PIPELINE_PATTERN = Set.of("cluster:admin/ingest/pipeline/*");
+ private static final Set READ_INGEST_PIPELINE_PATTERN = Set.of(GetPipelineAction.NAME, SimulatePipelineAction.NAME);
 private static final Set MANAGE_ROLLUP_PATTERN = Set.of("cluster:admin/xpack/rollup/*", "cluster:monitor/xpack/rollup/*");
 private static final Set MANAGE_CCR_PATTERN = Set.of("cluster:admin/xpack/ccr/*", ClusterStateAction.NAME, HasPrivilegesAction.NAME);
@@ -117,7 +118,7 @@ public class ClusterPrivilegeResolver {
 public static final NamedClusterPrivilege MANAGE_API_KEY = new ActionClusterPrivilege("manage_api_key", MANAGE_API_KEY_PATTERN);
 public static final NamedClusterPrivilege GRANT_API_KEY = new ActionClusterPrivilege("grant_api_key", GRANT_API_KEY_PATTERN);
 public static final NamedClusterPrivilege MANAGE_PIPELINE = new ActionClusterPrivilege("manage_pipeline", Set.of("cluster:admin" +
- "/ingest/pipeline/*", "cluster:monitor/ingest/pipeline/*"));
+ "/ingest/pipeline/*"));
 public static final NamedClusterPrivilege MANAGE_AUTOSCALING = new ActionClusterPrivilege(
 "manage_autoscaling",
 Set.of("cluster:admin/autoscaling/*")
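Review bot: `READ_INGEST_PIPELINE_PATTERN` grants `SimulatePipelineAction.NAME` next to `GetPipelineAction.NAME`, and simulate is not obviously a read, since it runs processors rather than returning stored definitions. If a simulate request can carry its own pipeline definition (not visible in this diff, worth confirming), a holder of the read privilege decides which processors execute, so the privilege should be documented as covering simulate or simulate should stay with the manage privileges. Because both names also fall under `cluster:admin/ingest/pipeline/*`, a comment above the constant such as `// exact names only: a wildcard here would also grant put and delete` would stop a later edit from widening it. A unit test asserting that the read privilege denies `cluster:admin/ingest/pipeline/put` and `cluster:admin/ingest/pipeline/delete` would pin that boundary.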
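Review bot: `MANAGE_PIPELINE` spells its pattern as a split literal, `"cluster:admin" + "/ingest/pipeline/*"`, which duplicates `MANAGE_INGEST_PIPELINE_PATTERN` from the previous hunk and hides the action prefix from a text search for the full pattern. Reusing the constant, `new ActionClusterPrivilege("manage_pipeline", MANAGE_INGEST_PIPELINE_PATTERN)`, follows the form of the `MANAGE_API_KEY` line above it and keeps the two definitions from drifting apart the next time ingest action names change. The privilege declarations continue outside the hunk.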
diff --git a/x-pack/plugin/ml/qa/ml-with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/MlWithSecurityUserRoleIT.java b/x-pack/plugin/ml/qa/ml-with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/MlWithSecurityUserRoleIT.java
index 5172ccf42198a..85174f504621c 100644
--- a/x-pack/plugin/ml/qa/ml-with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/MlWithSecurityUserRoleIT.java
+++ b/x-pack/plugin/ml/qa/ml-with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/MlWithSecurityUserRoleIT.java
@@ -56,8 +56,7 @@ public void test() throws IOException {
 assertThat(ae.getMessage(),
 either(containsString("action [cluster:monitor/xpack/ml"))
 .or(containsString("action [cluster:admin/xpack/ml"))
- .or(containsString("action [cluster:admin/ingest"))
- .or(containsString("action [cluster:monitor/ingest")));
+ .or(containsString("action [cluster:admin/ingest")));
 assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
 assertThat(ae.getMessage(), containsString("is unauthorized for user [ml_user]"));
 }
diff --git a/x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java b/x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java
index 0f431076d1046..7a1f63529b1a1 100644
--- a/x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java
+++ b/x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java
@@ -36,7 +36,9 @@ public class Constants {
 "cluster:admin/indices/dangling/import",
 "cluster:admin/indices/dangling/list",
 "cluster:admin/ingest/pipeline/delete",
+ "cluster:admin/ingest/pipeline/get",
 "cluster:admin/ingest/pipeline/put",
+ "cluster:admin/ingest/pipeline/simulate",
 "cluster:admin/ingest/processor/grok/get",
 "cluster:admin/logstash/pipeline/delete",
 "cluster:admin/logstash/pipeline/get",
@@ -211,8 +213,6 @@ public class Constants {
 "cluster:monitor/data_frame/get",
 "cluster:monitor/data_frame/stats/get",
 "cluster:monitor/health",
- "cluster:monitor/ingest/pipeline/get",
- "cluster:monitor/ingest/pipeline/simulate",
 "cluster:monitor/main",
 "cluster:monitor/nodes/hot_threads",
 "cluster:monitor/nodes/info",
diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml
index d341c530bc0ba..ad8ee1e5137f5 100644
--- a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml
+++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml
@@ -15,5 +15,5 @@ setup:
 # This is fragile - it needs to be updated every time we add a new cluster/index privilege
 # I would much prefer we could just check that specific entries are in the array, but we don't have
 # an assertion for that
- - length: { "cluster" : 38 }
+ - length: { "cluster" : 37 }
 - length: { "index" : 19 }
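Review bot: The expected cluster privilege count in 11_builtin.yml drops from 38 to 37, yet no hunk in this patch removes a `NamedClusterPrivilege` and the subject line says a privilege is being added. Either a registration was removed in a part of ClusterPrivilegeResolver outside these hunks or the number is following a rebase, and the commit message should say which. A bare length check also cannot tell whether the new read privilege is the entry that went missing; since the comment above notes the YAML runner has no contains assertion, a Java test that resolves the privilege by name would be the place to cover that.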