
Always enforce strict role validation #111056

Conversation


@n1v0lg n1v0lg commented Jul 18, 2024

Updates role and API key related request translation interfaces to remove restriction parameters. These are no longer used downstream.

@n1v0lg n1v0lg added >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Jul 18, 2024
@n1v0lg n1v0lg self-assigned this Jul 18, 2024
@n1v0lg n1v0lg marked this pull request as ready for review July 23, 2024 19:56
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Jul 23, 2024
@elasticsearchmachine

Pinging @elastic/es-security (Team:Security)

@n1v0lg n1v0lg requested a review from jakelandis July 23, 2024 20:00
@jakelandis jakelandis left a comment

LGTM

@@ -21,7 +21,7 @@ setup:
],
"applications": [
{
"application": "myapp",
"application": "apm",
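Review bot: swapping "myapp" for "apm" in this setup block keeps the fixture valid now that unknown application names are rejected for every caller, but it leaves the rejection path uncovered; add a companion case that submits a role whose application name is outside the supported list (the old "myapp" is a ready-made candidate) and asserts the request fails, and run that case as an operator user as well, since the point of the change is that operators no longer bypass the check.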
Contributor

Just a preference, or did something change?

Contributor Author

Ah, this is necessary since we are now enforcing strict role validation on requests made by all users, including operators. In serverless, only a known list of app names is supported (apm being one of them).
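An added illustration of the before/after behaviour described in the reply above; this is not Elasticsearch code and not part of this PR. `validate_lenient` is the pre-change shape, in which an operator's request skips the application-name check, and `validate_strict` is the post-change shape, in which every caller is checked. `SUPPORTED_APPLICATIONS` is an assumption: the thread confirms only "apm", so the second entry is a placeholder, and the real serverless list is not on this page. Exact string matching is also assumed, since the page does not say how patterns are treated. The sample role descriptors are constructed to mirror the fixture lines in the diff.

```python
# Added example, not Elasticsearch's own code and not part of this PR. It models
# the behaviour change described in the thread: application names in a role
# descriptor are checked against a supported list, and that check now runs for
# every caller instead of being skipped for operator users.
from dataclasses import dataclass, field
from typing import Dict, List

# ASSUMPTION: the real serverless application list is not on this page.
# "apm" is the only name the thread confirms; "fleet" is a placeholder entry.
SUPPORTED_APPLICATIONS = frozenset({"apm", "fleet"})


@dataclass
class Principal:
    name: str
    is_operator: bool = False


@dataclass
class RoleDescriptor:
    name: str
    # entries shaped like the fixture in the diff: {"application": "...", ...}
    applications: List[dict] = field(default_factory=list)


def unsupported_applications(role: RoleDescriptor) -> List[str]:
    """Names in the descriptor's application privileges that are not supported.
    ASSUMPTION: exact string match; the page does not describe pattern handling."""
    bad = []
    for entry in role.applications:
        app = entry.get("application")
        if not isinstance(app, str) or not app:
            bad.append(repr(app))  # missing or malformed name is an error too
        elif app not in SUPPORTED_APPLICATIONS:
            bad.append(app)
    return bad


def validate_lenient(role: RoleDescriptor, who: Principal) -> List[str]:
    """Pre-change shape: an operator's request skips the check entirely."""
    if who.is_operator:
        return []
    return unsupported_applications(role)


def validate_strict(role: RoleDescriptor, who: Principal) -> List[str]:
    """Post-change shape: the same check for every caller, operator or not."""
    return unsupported_applications(role)


def put_role(role: RoleDescriptor, who: Principal, validate=validate_strict) -> bool:
    """Simulated PUT-role handler: the request is accepted only when validation
    returns no errors. A real service would answer 400 listing the bad names."""
    return not validate(role, who)


def validate_api_key_descriptors(descriptors: List[RoleDescriptor],
                                 who: Principal,
                                 validate=validate_strict) -> Dict[str, List[str]]:
    """API-key creation carries embedded role descriptors; the PR description
    says that request path was updated as well, so run the same check on each
    and report errors per descriptor (an empty dict means the request is clean)."""
    return {d.name: errs for d in descriptors if (errs := validate(d, who))}


# Constructed sample input mirroring the fixture lines in the diff.
ROLE_APM = RoleDescriptor(
    "apm-reader", [{"application": "apm", "privileges": ["read"], "resources": ["*"]}])
ROLE_MYAPP = RoleDescriptor(
    "myapp-reader", [{"application": "myapp", "privileges": ["read"], "resources": ["*"]}])
OPERATOR = Principal("ops", is_operator=True)
USER = Principal("alice")


if __name__ == "__main__":
    # Operator + "myapp": accepted under the old shape, rejected under the new one.
    print("lenient / operator / myapp:", put_role(ROLE_MYAPP, OPERATOR, validate_lenient))
    print("strict  / operator / myapp:", put_role(ROLE_MYAPP, OPERATOR, validate_strict))
    print("strict  / user     / apm:  ", put_role(ROLE_APM, USER))
    print("api-key descriptors:       ", validate_api_key_descriptors([ROLE_APM, ROLE_MYAPP], OPERATOR))
```

The only difference between the two validators is the early return on `is_operator`; removing that branch is the whole change in shape, and the simulated API-key path shows why a single shared check matters: a bypass left in either entry point would let an unsupported application name through.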

n1v0lg commented Aug 9, 2024

@elasticmachine update branch

n1v0lg commented Aug 9, 2024

@elasticmachine update branch

@n1v0lg n1v0lg added the auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) label Aug 9, 2024
@elasticsearchmachine elasticsearchmachine merged commit 4694a44 into elastic:main Aug 9, 2024
20 checks passed
@n1v0lg n1v0lg deleted the remove-strict-operator-validation-setting branch August 9, 2024 13:48
weizijun added a commit to weizijun/elasticsearch that referenced this pull request Aug 9, 2024
* upstream/main: (22 commits)
  Prune changelogs after 8.15.0 release
  Bump versions after 8.15.0 release
  EIS integration (elastic#111154)
  Skip LOOKUP/INLINESTATS cases unless on snapshot (elastic#111755)
  Always enforce strict role validation (elastic#111056)
  Mute org.elasticsearch.xpack.esql.analysis.VerifierTests testUnsupportedAndMultiTypedFields elastic#111753
  [ML] Force time shift integration test (elastic#111620)
  ESQL: Add tests for sort, where with unsupported type (elastic#111737)
  [ML] Force time shift documentation (elastic#111668)
  Fix remote cluster credential secure settings reload   (elastic#111535)
  ESQL: Fix for overzealous validation in case of invalid mapped fields (elastic#111475)
  Pass allow security manager flag in gradle test policy setup plugin (elastic#111725)
  Rename streamContent/Separator to bulkContent/Separator (elastic#111716)
  Mute org.elasticsearch.tdigest.ComparisonTests testSparseGaussianDistribution elastic#111721
  Remove 8.14 from branches.json
  Only emit product origin in deprecation log if present (elastic#111683)
  Forward port release notes for v8.15.0 (elastic#111714)
  [ES|QL] Combine Disjunctive CIDRMatch (elastic#111501)
  ESQL: Remove qualifier from attrs (elastic#110581)
  Force using the last centroid during merging (elastic#111644)
  ...

# Conflicts:
#	server/src/main/java/org/elasticsearch/TransportVersions.java
#	x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/InferenceNamedWriteablesProvider.java
cbuescher pushed a commit to cbuescher/elasticsearch that referenced this pull request Sep 4, 2024
Updates role and API key related request translation interfaces to
remove restriction parameters. These are no longer used downstream.
davidkyle pushed a commit to davidkyle/elasticsearch that referenced this pull request Sep 5, 2024
Updates role and API key related request translation interfaces to
remove restriction parameters. These are no longer used downstream.
Labels
auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v8.16.0