From 5550955a6543ebe52c36f459d0e2ec20a4ad0a13 Mon Sep 17 00:00:00 2001
From: kobelb
Date: Fri, 8 Jun 2018 08:20:32 -0400
Subject: [PATCH 1/3] Allowing the kibana system role to get/put privileges and roles
---
 .../security/authz/store/ReservedRolesStore.java | 8 +++++++-
 .../authz/store/ReservedRolesStoreTests.java | 16 ++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index c916b02029b0e..d662f077beb61 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -79,7 +79,13 @@ private static Map initializeReservedRoles() {
 null, MetadataUtils.DEFAULT_RESERVED_METADATA))
 .put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME,
- new String[] { "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml" },
+ new String[] {
+ "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml",
+ "cluster:admin/xpack/security/privilege/get",
+ "cluster:admin/xpack/security/privilege/put",
+ "cluster:admin/xpack/security/role/get",
+ "cluster:admin/xpack/security/role/put"
+ },
 new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*", ".reporting-*").privileges("all").build(),
 RoleDescriptor.IndicesPrivileges.builder()
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index b25f3f374b389..0999359a2df1d 100644
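Review bot: The four new cluster privileges are spelled as raw action-name literals, while the same array already uses `MonitoringBulkAction.NAME` for exactly this purpose; the privilege action classes live in the same x-pack core module (the test hunk below imports `GetPrivilegesAction` and `PutPrivilegesAction`), so `GetPrivilegesAction.NAME, PutPrivilegesAction.NAME` would keep the grant tied to the action definition and fail to compile, rather than silently stop matching, if an action is ever renamed. The role/get and role/put entries are dropped again in the second patch of the series, so only the privilege pair remains in question. Note also that `cluster:admin/xpack/security/privilege/put` carries no application qualifier in its name, so as granted here the kibana system user can presumably write application privileges for any application rather than only Kibana's own; if the action itself is not scoped, a comment on this role entry stating the intended scope would help later reviewers. initializeReservedRoles() starts and ends outside the hunk.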
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -75,6 +75,12 @@
 import org.elasticsearch.xpack.core.ml.job.persistence.AnomalyDetectorsIndexFields;
 import org.elasticsearch.xpack.core.ml.notifications.AuditorField;
 import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
+import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.privilege.GetPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.privilege.PutPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheAction;
+import org.elasticsearch.xpack.core.security.action.role.DeleteRoleAction;
+import org.elasticsearch.xpack.core.security.action.role.GetRolesAction;
 import org.elasticsearch.xpack.core.security.action.role.PutRoleAction;
 import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateAction;
 import org.elasticsearch.xpack.core.security.action.saml.SamlPrepareAuthenticationAction;
@@ -182,6 +188,16 @@ public void testKibanaSystemRole() {
 assertThat(kibanaRole.cluster().check(InvalidateTokenAction.NAME), is(true));
 assertThat(kibanaRole.cluster().check(CreateTokenAction.NAME), is(false));
+ // Security
+ assertThat(kibanaRole.cluster().check(DeletePrivilegesAction.NAME), is(false));
+ assertThat(kibanaRole.cluster().check(GetPrivilegesAction.NAME), is(true));
+ assertThat(kibanaRole.cluster().check(PutPrivilegesAction.NAME), is(true));
+ assertThat(kibanaRole.cluster().check(ClearRolesCacheAction.NAME), is(false));
+ assertThat(kibanaRole.cluster().check(DeleteRoleAction.NAME), is(false));
+ assertThat(kibanaRole.cluster().check(GetRolesAction.NAME), is(true));
+ assertThat(kibanaRole.cluster().check(PutRoleAction.NAME), is(true));
+
+ // Everything else
 assertThat(kibanaRole.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));
From 5e4c27ed4fd5b4ccb161392a1c0783743dcab1d8 Mon Sep 17 00:00:00 2001
From: kobelb
Date: Fri, 8 Jun 2018 12:39:31 -0400
Subject: [PATCH 2/3] Removing the ability to get/put roles
---
 .../core/security/authz/store/ReservedRolesStore.java | 2 --
 .../core/security/authz/store/ReservedRolesStoreTests.java | 7 -------
 2 files changed, 9 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index d662f077beb61..c6ffccefccc2b 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
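Review bot: The positive assertions for `GetRolesAction.NAME` and `PutRoleAction.NAME` added here are deleted outright in the second patch of the series when the role privileges are withdrawn, instead of being flipped to `is(false)`; keeping `assertThat(kibanaRole.cluster().check(GetRolesAction.NAME), is(false));` and the matching `PutRoleAction` line would pin the narrowed grant, so that a later reintroduction of role management for the kibana system user fails a test rather than going unnoticed. The `ClearRolesCacheAction` and `DeleteRoleAction` negatives are removed in the same patch and could stay for the same reason, since they document what the role is not allowed to do. testKibanaSystemRole() continues outside the hunk.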
@@ -83,8 +83,6 @@ private static Map initializeReservedRoles() {
 "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml",
 "cluster:admin/xpack/security/privilege/get",
 "cluster:admin/xpack/security/privilege/put",
- "cluster:admin/xpack/security/role/get",
- "cluster:admin/xpack/security/role/put"
 },
 new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*", ".reporting-*").privileges("all").build(),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 0999359a2df1d..e6efd2e0d43b8 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -78,9 +78,6 @@
 import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesAction;
 import org.elasticsearch.xpack.core.security.action.privilege.GetPrivilegesAction;
 import org.elasticsearch.xpack.core.security.action.privilege.PutPrivilegesAction;
-import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheAction;
-import org.elasticsearch.xpack.core.security.action.role.DeleteRoleAction;
-import org.elasticsearch.xpack.core.security.action.role.GetRolesAction;
 import org.elasticsearch.xpack.core.security.action.role.PutRoleAction;
 import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateAction;
 import org.elasticsearch.xpack.core.security.action.saml.SamlPrepareAuthenticationAction;
@@ -192,10 +189,6 @@ public void testKibanaSystemRole() {
 assertThat(kibanaRole.cluster().check(DeletePrivilegesAction.NAME), is(false));
 assertThat(kibanaRole.cluster().check(GetPrivilegesAction.NAME), is(true));
 assertThat(kibanaRole.cluster().check(PutPrivilegesAction.NAME), is(true));
- assertThat(kibanaRole.cluster().check(ClearRolesCacheAction.NAME), is(false));
- assertThat(kibanaRole.cluster().check(DeleteRoleAction.NAME), is(false));
- assertThat(kibanaRole.cluster().check(GetRolesAction.NAME), is(true));
- assertThat(kibanaRole.cluster().check(PutRoleAction.NAME), is(true));
 // Everything else
From 852497ad18e0310d9d98cdf822c36eadcc431341 Mon Sep 17 00:00:00 2001
From: kobelb
Date: Mon, 11 Jun 2018 09:11:49 -0400
Subject: [PATCH 3/3] Removing unnecessary white-space
---
 .../core/security/authz/store/ReservedRolesStoreTests.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index e6efd2e0d43b8..5afd657ffb7d6 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -189,8 +189,7 @@ public void testKibanaSystemRole() {
 assertThat(kibanaRole.cluster().check(DeletePrivilegesAction.NAME), is(false));
 assertThat(kibanaRole.cluster().check(GetPrivilegesAction.NAME), is(true));
 assertThat(kibanaRole.cluster().check(PutPrivilegesAction.NAME), is(true));
-
-
+
 // Everything else
 assertThat(kibanaRole.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));