Skip to content

Commit

Permalink
Allow read template with cluster monitor privilege (elastic#82046)
Browse files Browse the repository at this point in the history
All three template types (legacy templates, composable index templates
and component templates) are stored in cluster state metadata (in fields
"templates", "index_template" and "component_template"). This cluster
state is readable (via GET /_cluster/state) for users who have the
monitor privilege at the cluster level. However, calling the explicit
read endpoints for these templates required the manage_index_templates
privilege. This change grants access to the template specific retrieval
APIs for all users (or API Keys) with the cluster monitor privilege so
that they can make use of these fit-for-purpose APIs instead of parsing
data directly from cluster metadata Relates:
elastic/beats#29554 Relates: elastic#78832
  • Loading branch information
tvernum committed Jan 5, 2022
1 parent 820cb50 commit e25053e
Show file tree
Hide file tree
Showing 4 changed files with 33 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
import org.elasticsearch.action.admin.cluster.snapshots.get.GetSnapshotsAction;
import org.elasticsearch.action.admin.cluster.snapshots.status.SnapshotsStatusAction;
import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
import org.elasticsearch.action.admin.indices.template.get.GetComponentTemplateAction;
import org.elasticsearch.action.admin.indices.template.get.GetComposableIndexTemplateAction;
import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesAction;
import org.elasticsearch.action.ingest.GetPipelineAction;
import org.elasticsearch.action.ingest.SimulatePipelineAction;
import org.elasticsearch.common.Strings;
Expand Down Expand Up @@ -64,7 +67,12 @@ public class ClusterPrivilegeResolver {
private static final Set<String> MANAGE_API_KEY_PATTERN = Set.of("cluster:admin/xpack/security/api_key/*");
private static final Set<String> MANAGE_SERVICE_ACCOUNT_PATTERN = Set.of("cluster:admin/xpack/security/service_account/*");
private static final Set<String> GRANT_API_KEY_PATTERN = Set.of(GrantApiKeyAction.NAME + "*");
private static final Set<String> MONITOR_PATTERN = Set.of("cluster:monitor/*");
private static final Set<String> MONITOR_PATTERN = Set.of(
"cluster:monitor/*",
GetIndexTemplatesAction.NAME,
GetComponentTemplateAction.NAME,
GetComposableIndexTemplateAction.NAME
);
private static final Set<String> MONITOR_ML_PATTERN = Set.of("cluster:monitor/xpack/ml/*");
private static final Set<String> MONITOR_TEXT_STRUCTURE_PATTERN = Set.of("cluster:monitor/text_structure/*");
private static final Set<String> MONITOR_TRANSFORM_PATTERN = Set.of("cluster:monitor/data_frame/*", "cluster:monitor/transform/*");
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,16 +8,31 @@
package org.elasticsearch.xpack.core.security.authz.privilege;

import org.elasticsearch.action.ActionType;
import org.elasticsearch.action.admin.indices.template.get.GetComponentTemplateAction;
import org.elasticsearch.action.admin.indices.template.get.GetComposableIndexTemplateAction;
import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesAction;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.enrich.action.EnrichStatsAction;
import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;

import java.util.List;

public class ClusterPrivilegeTests extends ESTestCase {

public void testMonitorPrivilegeWillGrantActions() {
assertGranted(ClusterPrivilegeResolver.MONITOR, EnrichStatsAction.INSTANCE);
}

public void testMonitorPrivilegeGrantsGetTemplateActions() {
for (var action : List.of(
GetComponentTemplateAction.INSTANCE,
GetComposableIndexTemplateAction.INSTANCE,
GetIndexTemplatesAction.INSTANCE
)) {
assertGranted(ClusterPrivilegeResolver.MONITOR, action);
}
}

public static void assertGranted(ClusterPrivilege clusterPrivilege, ActionType<?> actionType) {
assertTrue(clusterPrivilege.buildPermission(ClusterPermission.builder()).build().check(actionType.name(), null, null));
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1220,7 +1220,7 @@ public void testRemoteMonitoringCollectorRole() {
assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
assertThat(remoteMonitoringCollectorRole.cluster().check(GetIndexTemplatesAction.NAME, request, authentication), is(false));
assertThat(remoteMonitoringCollectorRole.cluster().check(GetIndexTemplatesAction.NAME, request, authentication), is(true));
assertThat(remoteMonitoringCollectorRole.cluster().check(PutIndexTemplateAction.NAME, request, authentication), is(false));
assertThat(remoteMonitoringCollectorRole.cluster().check(DeleteIndexTemplateAction.NAME, request, authentication), is(false));
assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterRerouteAction.NAME, request, authentication), is(false));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -127,9 +127,17 @@ public void testThatClusterPrivilegesWorkAsExpectedViaHttp() throws Exception {
assertAccessIsAllowed("user_b", "GET", "/_nodes/stats");
assertAccessIsAllowed("user_b", "GET", "/_nodes/hot_threads");
assertAccessIsAllowed("user_b", "GET", "/_nodes/infos");
// monitoring allows template retrieval (because it's implied by having read access to cluster state
assertAccessIsAllowed("user_b", "GET", "/_cat/templates/" + (randomBoolean() ? "" : randomAlphaOfLengthBetween(2, 8)));
assertAccessIsAllowed("user_b", "GET", "/_template/");
assertAccessIsAllowed("user_b", "GET", "/_index_template/");
assertAccessIsAllowed("user_b", "GET", "/_component_template/");
// but no admin stuff
assertAccessIsDenied("user_b", "POST", "/_cluster/reroute");
assertAccessIsDenied("user_b", "PUT", "/_cluster/settings", "{ \"transient\" : { \"search.default_search_timeout\": \"1m\" } }");
assertAccessIsDenied("user_b", "DELETE", "/_template/" + randomAlphaOfLengthBetween(2, 8));
assertAccessIsDenied("user_b", "DELETE", "/_index_template/" + randomAlphaOfLengthBetween(2, 8));
assertAccessIsDenied("user_b", "DELETE", "/_component_template/" + randomAlphaOfLengthBetween(2, 8));

// sorry user_c, you are not allowed anything
assertAccessIsDenied("user_c", "GET", "/_cluster/state");
Expand Down

0 comments on commit e25053e

Please sign in to comment.