[Backport] Add more context to index access denied errors (#66878)
Access denied messages for indices were overly brief and missed two pieces of useful information: (1) the names of the indices for which access was denied; (2) the privileges that could be used to grant that access. This change improves the access denied messages for index based actions by adding the index and privilege names. Privilege names are listed in order from least-privileged to most-privileged so that the first recommended path to resolution is also the lowest privilege change. Backport of: #60357
Showing
11 changed files
with
309 additions
and
46 deletions.
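--- /dev/null
+++ b/.../test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java
@@ -0,0 +1,62 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License;
+* you may not use this file except in compliance with the Elastic License.
+*/
+
+package org.elasticsearch.xpack.core.security.authz.privilege;
+
+import org.elasticsearch.action.admin.indices.refresh.RefreshAction;
+import org.elasticsearch.action.admin.indices.shrink.ShrinkAction;
+import org.elasticsearch.action.admin.indices.stats.IndicesStatsAction;
+import org.elasticsearch.action.delete.DeleteAction;
+import org.elasticsearch.action.index.IndexAction;
+import org.elasticsearch.action.search.SearchAction;
+import org.elasticsearch.action.update.UpdateAction;
+import org.elasticsearch.common.util.iterable.Iterables;
+import org.elasticsearch.test.ESTestCase;
+
+import org.elasticsearch.common.collect.List;
+import java.util.Set;
+
+import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.findPrivilegesThatGrant;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.lessThan;
+
+public class IndexPrivilegeTests extends ESTestCase {
+
+/**
+* The {@link IndexPrivilege#values()} map is sorted so that privilege names that offer the _least_ access come before those that
+* offer _more_ access. There is no guarantee of ordering between privileges that offer non-overlapping privileges.
+*/
+public void testOrderingOfPrivilegeNames() throws Exception {
+final Set<String> names = IndexPrivilege.values().keySet();
+final int all = Iterables.indexOf(names, "all"::equals);
+final int manage = Iterables.indexOf(names, "manage"::equals);
+final int monitor = Iterables.indexOf(names, "monitor"::equals);
+final int read = Iterables.indexOf(names, "read"::equals);
+final int write = Iterables.indexOf(names, "write"::equals);
+final int index = Iterables.indexOf(names, "index"::equals);
+final int create_doc = Iterables.indexOf(names, "create_doc"::equals);
+final int delete = Iterables.indexOf(names, "delete"::equals);
+
+assertThat(read, lessThan(all));
+assertThat(manage, lessThan(all));
+assertThat(monitor, lessThan(manage));
+assertThat(write, lessThan(all));
+assertThat(index, lessThan(write));
+assertThat(create_doc, lessThan(index));
+assertThat(delete, lessThan(write));
+}
+
+public void testFindPrivilegesThatGrant() {
+assertThat(findPrivilegesThatGrant(SearchAction.NAME), equalTo(List.of("read", "all")));
+assertThat(findPrivilegesThatGrant(IndexAction.NAME), equalTo(List.of("create_doc", "create", "index", "write", "all")));
+assertThat(findPrivilegesThatGrant(UpdateAction.NAME), equalTo(List.of("index", "write", "all")));
+assertThat(findPrivilegesThatGrant(DeleteAction.NAME), equalTo(List.of("delete", "write", "all")));
+assertThat(findPrivilegesThatGrant(IndicesStatsAction.NAME), equalTo(List.of("monitor", "manage", "all")));
+assertThat(findPrivilegesThatGrant(RefreshAction.NAME), equalTo(List.of("maintenance", "manage", "all")));
+assertThat(findPrivilegesThatGrant(ShrinkAction.NAME), equalTo(List.of("manage", "all")));
+}
+
+}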
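Review bot: The lessThan assertions at the end of testOrderingOfPrivilegeNames accept a negative index, so if any of the eight looked-up names were absent from IndexPrivilege.values() (renamed or removed), that privilege would compare as sorting before everything else and the ordering check would still pass; this matters because, per the commit description, this order decides which privilege the access-denied message recommends first. Assuming Iterables.indexOf returns a negative value for an element that is not found, as its name suggests, add an explicit presence check before the comparisons, e.g. `assertThat(names, hasItems("all", "manage", "monitor", "read", "write", "index", "create_doc", "delete"));` with a static import of `org.hamcrest.Matchers.hasItems`. The `throws Exception` on that test method is unused by its body and can be dropped.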