[7.x] Add include_data_streams flag for authorization #59008
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
danhermann
added
>non-issue
backport
:Data Management/Data streams
|
Pinging @elastic/es-core-features (:Core/Features/Data streams) |
|
@elasticmachine run elasticsearch-ci/2 |
|
@elasticmachine run elasticsearch-ci/bwc |
|
@elasticmachine run elasticsearch-ci/default-distro |
|
@elasticmachine run elasticsearch-ci/oss-distro-docs |
|
@elasticmachine update branch |
|
@elasticmachine run elasticsearch-ci/1 |
|
@elasticmachine run elasticsearch-ci/2 |
…mann/elasticsearch into backport_7x_58154_ds_auth
martijnvg
reviewed
Jul 3, 2020
| @@ -207,7 +207,7 @@ public ClusterState execute(ClusterState currentState) { | |||
| throw new ConcurrentSnapshotExecutionException(repositoryName, snapshotName, " a snapshot is already running"); | |||
| } | |||
| // Store newSnapshot here to be processed in clusterStateProcessed | |||
| List<String> indices = Arrays.asList(indexNameExpressionResolver.concreteIndexNames(currentState, request)); | |||
| indices = Arrays.asList(indexNameExpressionResolver.concreteIndexNames(currentState, request)); | |||
There was a problem hiding this comment.
😱 , but luckily assertions tripped!
martijnvg
reviewed
Jul 3, 2020
| assertEquals(1, indices.length); | ||
| assertEquals(backingIndex.getIndex().getName(), indices[0]); | ||
| } | ||
| //{ |
There was a problem hiding this comment.
I missed that in an earlier commit. The backport of #57900 will un-comment it.
|
@elasticmachine run elasticsearch-ci/2 |
1 similar comment
|
@elasticmachine run elasticsearch-ci/2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Most of the work around the addition of an
includeDataStreamsflag was done in #58381. The remainder of this PR adds the flag to the appropriate request classes, updatesIndexNameExpressionResolverto rely on the flag rather than a separate boolean flag, and updates tests.This PR adds anincludeDataStreamsflag to theIndicesRequestinterface so that it is available whenAuthorizationEngine::loadAuthorizedIndicesis called. This is necessary to avoid different behaviors when security is enabled and disabled.The disparate behavior is described in the referenced issue. When aGET */_aliasrequest (or any other request that does not operate on data streams) is sent without security enabled, any data streams present are ignored by theIndexNameExpressionResolverclass and the correct HTTP 200 response is returned.When security is enabled, the star inGET */_aliasis first resolved to all authorized indices, aliases, and data streams. Because the_aliasendpoint does not understand data streams, the first data stream it encounters among the list of authorized indices is treated as an alias and an incorrect 404 for "unknown alias" is returned.This PR changesAuthorizationServiceto selectively exclude (in the case of most requests) or include (and the case ofResolveIndexAction.Requestand other requests that opt in) data streams during the authorized index resolution phase.Especially interested in feedback from @elastic/es-security.Fixes #57712
Relates to #53100
Backport of #58154