[CCR] create_and_follow api and follow api should check if user has sufficient privileges before executing #33553
Assignees
Labels
Comments
martijnvg
added
>bug
:Distributed Indexing/CCR
|
Pinging @elastic/es-distributed |
29 tasks
martijnvg
added a commit
to martijnvg/elasticsearch
that referenced
this issue
Sep 17, 2018
Prior to following an index in the follow API, check whether current user has sufficient privileges in the leader cluster to read and monitor the leader index. Also check this in the create and follow API prior to creating the follow index. Also introduced READ_CCR cluster privilege that include the minimal cluster level actions that are required for ccr in the leader cluster. So a user can follow indices in a cluster, but not use the ccr admin APIs. Closes elastic#33553
martijnvg
added a commit
that referenced
this issue
Sep 28, 2018
Prior to following an index in the follow API, check whether current user has sufficient privileges in the leader cluster to read and monitor the leader index. Also check this in the create and follow API prior to creating the follow index. Also introduced READ_CCR cluster privilege that include the minimal cluster level actions that are required for ccr in the leader cluster. So a user can follow indices in a cluster, but not use the ccr admin APIs. Closes #33553 Co-authored-by: Jason Tedor <[email protected]>
martijnvg
added a commit
that referenced
this issue
Sep 28, 2018
Prior to following an index in the follow API, check whether current user has sufficient privileges in the leader cluster to read and monitor the leader index. Also check this in the create and follow API prior to creating the follow index. Also introduced READ_CCR cluster privilege that include the minimal cluster level actions that are required for ccr in the leader cluster. So a user can follow indices in a cluster, but not use the ccr admin APIs. Closes #33553 Co-authored-by: Jason Tedor <[email protected]>
kcm
pushed a commit
that referenced
this issue
Oct 30, 2018
Prior to following an index in the follow API, check whether current user has sufficient privileges in the leader cluster to read and monitor the leader index. Also check this in the create and follow API prior to creating the follow index. Also introduced READ_CCR cluster privilege that include the minimal cluster level actions that are required for ccr in the leader cluster. So a user can follow indices in a cluster, but not use the ccr admin APIs. Closes #33553 Co-authored-by: Jason Tedor <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Today if a user invokes the create_and_follow api for a leader index it does not have privileges for then the create_and_follow api does not follow the leader index, but the follow index does get created. This an unexpected outcome.
The expected outcome is that the follow index should have been created if the user did not have the privileges to follow the leader index.
Both the create and follow api and follow api should return with a failure if the user does not have sufficient privileges. Both apis can internally use the has_privilege api to determine if the current user has sufficient privileges in the leader cluster before creating follow index or try to follow a leader index.
The text was updated successfully, but these errors were encountered: