Allowing the kibana system role to get/put privileges and roles

elastic · Jun 8, 2018 · 5550955 · 5550955
1 parent 03e5e72
commit 5550955
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -79,7 +79,13 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         null,
                         MetadataUtils.DEFAULT_RESERVED_METADATA))
                 .put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME,
-                        new String[] { "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml" },
+                        new String[] {
+                            "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml",
+                            "cluster:admin/xpack/security/privilege/get",
+                            "cluster:admin/xpack/security/privilege/put",
+                            "cluster:admin/xpack/security/role/get",
+                            "cluster:admin/xpack/security/role/put"
+                        },
                         new RoleDescriptor.IndicesPrivileges[] {
                                 RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*", ".reporting-*").privileges("all").build(),
                                 RoleDescriptor.IndicesPrivileges.builder()

diff --git a/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -75,6 +75,12 @@
 import org.elasticsearch.xpack.core.ml.job.persistence.AnomalyDetectorsIndexFields;
 import org.elasticsearch.xpack.core.ml.notifications.AuditorField;
 import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
+import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.privilege.GetPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.privilege.PutPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheAction;
+import org.elasticsearch.xpack.core.security.action.role.DeleteRoleAction;
+import org.elasticsearch.xpack.core.security.action.role.GetRolesAction;
 import org.elasticsearch.xpack.core.security.action.role.PutRoleAction;
 import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateAction;
 import org.elasticsearch.xpack.core.security.action.saml.SamlPrepareAuthenticationAction;
@@ -182,6 +188,16 @@ public void testKibanaSystemRole() {
         assertThat(kibanaRole.cluster().check(InvalidateTokenAction.NAME), is(true));
         assertThat(kibanaRole.cluster().check(CreateTokenAction.NAME), is(false));
 
+        // Security
+        assertThat(kibanaRole.cluster().check(DeletePrivilegesAction.NAME), is(false));
+        assertThat(kibanaRole.cluster().check(GetPrivilegesAction.NAME), is(true));
+        assertThat(kibanaRole.cluster().check(PutPrivilegesAction.NAME), is(true));
+        assertThat(kibanaRole.cluster().check(ClearRolesCacheAction.NAME), is(false));
+        assertThat(kibanaRole.cluster().check(DeleteRoleAction.NAME), is(false));
+        assertThat(kibanaRole.cluster().check(GetRolesAction.NAME), is(true));
+        assertThat(kibanaRole.cluster().check(PutRoleAction.NAME), is(true));
+
+
         // Everything else
         assertThat(kibanaRole.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));