From 8b14e2cd07eb83e8fe92ae420eb8ba83a582f4d2 Mon Sep 17 00:00:00 2001
From: Tim Vernum
Date: Wed, 25 Jul 2018 00:07:59 +1000
Subject: [PATCH] Rename "policy" to "global" in role definition (#32324)
The "global" field stores cluster privileges that have a richer privilege model than the traditional "cluster" privileges. This commit renames the JSON field (in the API and security index) from "policy" to "global"
---
 .../xpack/core/security/authz/RoleDescriptor.java | 8 ++++----
 .../main/resources/security-index-template.json | 2 +-
 .../security/authz/AuthorizationServiceTests.java | 4 ++--
 .../xpack/security/authz/RoleDescriptorTests.java | 4 ++--
 ...ivilege_policy.yml => 40_global_privileges.yml} | 14 +++++++-------
 ...y_checks.yml => 40_condtional_cluster_priv.yml} | 2 +-
 6 files changed, 17 insertions(+), 17 deletions(-)
 rename x-pack/plugin/src/test/resources/rest-api-spec/test/roles/{40_privilege_policy.yml => 40_global_privileges.yml} (75%)
 rename x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/{40_policy_checks.yml => 40_condtional_cluster_priv.yml} (99%)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java
index c1d784af261c8..42bd771103fdd 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java
@@ -152,7 +152,7 @@ public String toString() {
 StringBuilder sb = new StringBuilder("Role[");
 sb.append("name=").append(name);
 sb.append(", cluster=[").append(Strings.arrayToCommaDelimitedString(clusterPrivileges));
- sb.append("], policy=[").append(Strings.arrayToCommaDelimitedString(conditionalClusterPrivileges));
+ sb.append("], global=[").append(Strings.arrayToCommaDelimitedString(conditionalClusterPrivileges));
 sb.append("], indicesPrivileges=[");
 for (IndicesPrivileges group : indicesPrivileges) {
 sb.append(group.toString()).append(",");
@@ -216,7 +216,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params, boolea
 builder.startObject();
 builder.array(Fields.CLUSTER.getPreferredName(), clusterPrivileges);
 if (conditionalClusterPrivileges.length != 0) {
- builder.field(Fields.POLICY.getPreferredName());
+ builder.field(Fields.GLOBAL.getPreferredName());
 ConditionalClusterPrivileges.toXContent(builder, params, Arrays.asList(conditionalClusterPrivileges));
 }
 builder.array(Fields.INDICES.getPreferredName(), (Object[]) indicesPrivileges);
@@ -328,7 +328,7 @@ public static RoleDescriptor parse(String name, XContentParser parser, boolean a
 } else if (Fields.APPLICATIONS.match(currentFieldName, parser.getDeprecationHandler())
 || Fields.APPLICATION.match(currentFieldName, parser.getDeprecationHandler())) {
 applicationPrivileges = parseApplicationPrivileges(name, parser);
- } else if (Fields.POLICY.match(currentFieldName, parser.getDeprecationHandler())) {
+ } else if (Fields.GLOBAL.match(currentFieldName, parser.getDeprecationHandler())) {
 conditionalClusterPrivileges = ConditionalClusterPrivileges.parse(parser);
 } else if (Fields.METADATA.match(currentFieldName, parser.getDeprecationHandler())) {
 if (token != XContentParser.Token.START_OBJECT) {
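Review bot: In the `parse` hunk (@@ -328) the branch now matches only `Fields.GLOBAL`, and the `Fields` hunk (@@ -966) defines it as `new ParseField("global")` with no deprecated name, so a role body or stored role document that still carries `policy` is no longer recognised as conditional cluster privileges. What happens to such a document is decided by the unknown-field handling further down `parse`, which is outside the hunk; for an authorization model it should be rejected with a clear error rather than loaded with a different privilege set than its author wrote. If `policy` was ever persisted to a security index or sent by a client, consider `ParseField GLOBAL = new ParseField("global", "policy");` so the old name is still accepted and reported through the deprecation handler already passed to `match`; if the field never shipped, stating that in the commit message would settle it. The same question applies to the mapping key renamed in `security-index-template.json`, since an index created from the earlier template would presumably keep its `policy` mapping.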
@@ -966,7 +966,7 @@ public ApplicationResourcePrivileges build() {
 public interface Fields {
 ParseField CLUSTER = new ParseField("cluster");
- ParseField POLICY = new ParseField("policy");
+ ParseField GLOBAL = new ParseField("global");
 ParseField INDEX = new ParseField("index");
 ParseField INDICES = new ParseField("indices");
 ParseField APPLICATIONS = new ParseField("applications");
diff --git a/x-pack/plugin/core/src/main/resources/security-index-template.json b/x-pack/plugin/core/src/main/resources/security-index-template.json
index 59935773c2b78..dd17baf04740f 100644
--- a/x-pack/plugin/core/src/main/resources/security-index-template.json
+++ b/x-pack/plugin/core/src/main/resources/security-index-template.json
@@ -108,7 +108,7 @@
 "application" : {
 "type" : "keyword"
 },
- "policy": {
+ "global": {
 "type": "object",
 "properties": {
 "application": {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
index b6afe884c9355..7722a9d216632 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -287,7 +287,7 @@ public void testClusterAdminSnapshotStatusActionIsNotAuthorized() {
 verifyNoMoreInteractions(auditTrail);
 }
- public void testAuthorizeUsingPolicyConditionals() {
+ public void testAuthorizeUsingConditionalPrivileges() {
 final DeletePrivilegesRequest request = new DeletePrivilegesRequest();
 final Authentication authentication = createAuthentication(new User("user1", "role1"));
@@ -306,7 +306,7 @@ public void testAuthorizeUsingPolicyConditionals() {
 verifyNoMoreInteractions(auditTrail);
 }
- public void testAuthorizationDeniedWhenPolicyConditionalsDoNotMatch() {
+ public void testAuthorizationDeniedWhenConditionalPrivilegesDoNotMatch() {
 final DeletePrivilegesRequest request = new DeletePrivilegesRequest();
 final Authentication authentication = createAuthentication(new User("user1", "role1"));
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RoleDescriptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RoleDescriptorTests.java
index 2a0b6b86d47c9..07686838ad0e2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RoleDescriptorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RoleDescriptorTests.java
@@ -77,7 +77,7 @@ public void testToString() throws Exception {
 conditionalClusterPrivileges, new String[] { "sudo" }, Collections.emptyMap(), Collections.emptyMap());
 assertThat(descriptor.toString(), is("Role[name=test, cluster=[all,none]" +
- ", policy=[{APPLICATION:manage:applications=app01,app02}]" +
+ ", global=[{APPLICATION:manage:applications=app01,app02}]" +
 ", indicesPrivileges=[IndicesPrivileges[indices=[i1,i2], privileges=[read]" +
 ", field_security=[grant=[body,title], except=null], query={\"query\": {\"match_all\": {}}}],]" +
 ", applicationPrivileges=[ApplicationResourcePrivileges[application=my_app, privileges=[read,write], resources=[*]],]" +
@@ -165,7 +165,7 @@ public void testParse() throws Exception {
 " {\"resources\": [\"object-123\",\"object-456\"], \"privileges\":[\"read\", \"delete\"], \"application\":\"app1\"}," +
 " {\"resources\": [\"*\"], \"privileges\":[\"admin\"], \"application\":\"app2\" }" +
 " ]," +
- " \"policy\": { \"application\": { \"manage\": { \"applications\" : [ \"kibana\", \"logstash\" ] } } }" +
+ " \"global\": { \"application\": { \"manage\": { \"applications\" : [ \"kibana\", \"logstash\" ] } } }" +
 "}";
 rd = RoleDescriptor.parse("test", new BytesArray(q), false, XContentType.JSON);
 assertThat(rd.getName(), equalTo("test"));
diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_privilege_policy.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_global_privileges.yml
similarity index 75%
rename from x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_privilege_policy.yml
rename to x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_global_privileges.yml
index ad74312a6d316..b89efdfe56c33 100644
--- a/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_privilege_policy.yml
+++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_global_privileges.yml
@@ -12,7 +12,7 @@ setup: body: > { "password": "s3krit", - "roles" : [ "with_policy" ] + "roles" : [ "with_global" ] } ---
@@ -23,7 +23,7 @@ teardown: ignore: 404 - do: xpack.security.delete_role: - name: "with_policy" + name: "with_global" ignore: 404
@@ -31,10 +31,10 @@ teardown: "Test put role with conditional security privileges": - do: xpack.security.put_role: - name: "with_policy" + name: "with_global" body: > { - "policy": { + "global": { "application": { "manage": { "applications": [ "app1-*" , "app2-*" ]
@@ -46,6 +46,6 @@ teardown: - do: xpack.security.get_role: - name: "with_policy" - - match: { with_policy.policy.application.manage.applications.0: "app1-*" } - - match: { with_policy.policy.application.manage.applications.1: "app2-*" } + name: "with_global" + - match: { with_global.global.application.manage.applications.0: "app1-*" } + - match: { with_global.global.application.manage.applications.1: "app2-*" }
diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/40_policy_checks.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/40_condtional_cluster_priv.yml
similarity index 99%
rename from x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/40_policy_checks.yml
rename to x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/40_condtional_cluster_priv.yml
index 5effb8a28296b..b3a1e22069083 100644
--- a/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/40_policy_checks.yml
+++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/40_condtional_cluster_priv.yml
@@ -21,7 +21,7 @@ setup: name: "app_manage" body: > { - "policy": { + "global": { "application": { "manage": { "applications": [ "app" , "app-*" ]
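Review bot: The rename target of the authz suite is spelled `40_condtional_cluster_priv.yml`, missing the second "i" of "conditional"; `40_conditional_cluster_priv.yml` would match the `ConditionalClusterPrivileges` name used in the Java changes and be found by a search for it. The @@ -21 hunk itself only swaps the `policy` key for `global` in the `app_manage` role body, and its `setup:` block continues outside the hunk.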