move .search-acl-filter-* permissions to the right api key creation f…
…unction
seanstory committed Jun 23, 2023
1 parent 0a7ee08 commit 1685480
Showing 4 changed files with 12 additions and 30 deletions.
Expand Up @@ -42,25 +42,7 @@ describe('createApiKey lib function', () => {
cluster: [],
index: [
{
names: [indexName, `.search-acl-filter-my-index`],
privileges: ['all'],
},
],
},
},
});
});

it('works with search-* prefixed indices', async () => {
await createApiKey(request, security, 'search-test', keyName);
expect(security.authc.apiKeys.create).toHaveBeenCalledWith(request, {
name: keyName,
role_descriptors: {
['search-test-key-role']: {
cluster: [],
index: [
{
names: ['search-test', `.search-acl-filter-test`],
names: [indexName],
privileges: ['all'],
},
],
Expand Up @@ -17,17 +17,14 @@ export const createApiKey = async (
indexName: string,
keyName: string
) => {
// removes the "search-" prefix if present, and applies the new prefix
const aclIndexName = indexName.replace(/^(?:search-)?(.*)$/, '.search-acl-filter-$1');

return await security.authc.apiKeys.create(request, {
name: keyName,
role_descriptors: {
[`${toAlphanumeric(indexName)}-key-role`]: {
cluster: [],
index: [
{
names: [indexName, aclIndexName],
names: [indexName],
privileges: ['all'],
},
],
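Review bot: Nothing at `names: [indexName]` records that the `.search-acl-filter-*` companion index is left out of this key on purpose, so a later edit could re-add the grant without noticing it was deliberately removed here. Going by the commit title, that grant now belongs only to the connector key built in generateApiKey, so I would add a comment above the entry such as `// content index only: the .search-acl-filter-* index is granted to the connector key, not to this key`. The body of createApiKey starts before and continues past this hunk, so I cannot tell whether anything else in it still refers to the ACL index.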
Expand Up @@ -59,7 +59,7 @@ describe('generateApiKey lib function', () => {
cluster: ['monitor'],
index: [
{
names: ['index_name', `${CONNECTORS_INDEX}*`],
names: ['index_name', '.search-acl-filter-index_name', `${CONNECTORS_INDEX}*`],
privileges: ['all'],
},
],
Expand All @@ -85,16 +85,16 @@ describe('generateApiKey lib function', () => {
}));

await expect(
generateApiKey(mockClient as unknown as IScopedClusterClient, 'index_name')
generateApiKey(mockClient as unknown as IScopedClusterClient, 'search-test')
).resolves.toEqual({ encoded: 'encoded', id: 'apiKeyId' });
expect(mockClient.asCurrentUser.security.createApiKey).toHaveBeenCalledWith({
name: 'index_name-connector',
name: 'search-test-connector',
role_descriptors: {
['index-name-connector-role']: {
['search-test-connector-role']: {
cluster: ['monitor'],
index: [
{
names: ['index_name', `${CONNECTORS_INDEX}*`],
names: ['search-test', '.search-acl-filter-test', `${CONNECTORS_INDEX}*`],
privileges: ['all'],
},
],
Expand Down Expand Up @@ -141,7 +141,7 @@ describe('generateApiKey lib function', () => {
cluster: ['monitor'],
index: [
{
names: ['index_name', `${CONNECTORS_INDEX}*`],
names: ['index_name', '.search-acl-filter-index_name', `${CONNECTORS_INDEX}*`],
privileges: ['all'],
},
],
Expand Up @@ -12,14 +12,17 @@ import { ConnectorDocument } from '../../../common/types/connectors';
import { toAlphanumeric } from '../../../common/utils/to_alphanumeric';

export const generateApiKey = async (client: IScopedClusterClient, indexName: string) => {
// removes the "search-" prefix if present, and applies the new prefix
const aclIndexName = indexName.replace(/^(?:search-)?(.*)$/, '.search-acl-filter-$1');

const apiKeyResult = await client.asCurrentUser.security.createApiKey({
name: `${indexName}-connector`,
role_descriptors: {
[`${toAlphanumeric(indexName)}-connector-role`]: {
cluster: ['monitor'],
index: [
{
names: [indexName, `${CONNECTORS_INDEX}*`],
names: [indexName, aclIndexName, `${CONNECTORS_INDEX}*`],
privileges: ['all'],
},
],
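Review bot: The optional `search-` prefix stripping in `aclIndexName` maps two different index names to the same ACL index: `test` and `search-test` both produce `.search-acl-filter-test`, and this key is then granted `all` on it. If both indices can exist in one deployment (not visible from this hunk), a connector key issued for one could read or overwrite the access-control filter data of the other. I would either confirm that index creation rejects such pairs and say so in the comment, e.g. `// "foo" and "search-foo" share .search-acl-filter-foo; index creation must prevent both existing`, or, if the naming convention allows, derive the ACL name without dropping the prefix. It is also worth checking whether the connector really needs `all` on the ACL index, or whether a separate `index` entry with a narrower privilege set would do. generateApiKey's body continues past the hunk.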