Ensure view_index_metadata is fully covered by manage

In elastic#80984, a new action is added to the "view_index_privilege" index privilege. This PR adds it under "manage" as well and also adds test to ensure "view_index_metadata" is always a subset of "manage".
ywangd · Mar 1, 2022 · a22a1ff · a22a1ff
1 parent e1202dd
commit a22a1ff
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -79,7 +79,12 @@ public final class IndexPrivilege extends Privilege {
     private static final Automaton MANAGE_AUTOMATON = unionAndMinimize(
         Arrays.asList(
             MONITOR_AUTOMATON,
-            patterns("indices:admin/*", FieldCapabilitiesAction.NAME + "*", GetRollupIndexCapsAction.NAME + "*")
+            patterns(
+                "indices:admin/*",
+                FieldCapabilitiesAction.NAME + "*",
+                GetRollupIndexCapsAction.NAME + "*",
+                GetCheckpointAction.NAME + "*" // transform internal action
+            )
         )
     );
     private static final Automaton CREATE_INDEX_AUTOMATON = patterns(

diff --git a/.../test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java b/.../test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java
@@ -7,6 +7,7 @@
 
 package org.elasticsearch.xpack.core.security.authz.privilege;
 
+import org.apache.lucene.util.automaton.Operations;
 import org.elasticsearch.action.admin.indices.refresh.RefreshAction;
 import org.elasticsearch.action.admin.indices.shrink.ShrinkAction;
 import org.elasticsearch.action.admin.indices.stats.IndicesStatsAction;
@@ -24,6 +25,7 @@
 
 import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.findPrivilegesThatGrant;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.lessThan;
 
 public class IndexPrivilegeTests extends ESTestCase {
@@ -40,16 +42,18 @@ public void testOrderingOfPrivilegeNames() throws Exception {
         final int read = Iterables.indexOf(names, "read"::equals);
         final int write = Iterables.indexOf(names, "write"::equals);
         final int index = Iterables.indexOf(names, "index"::equals);
-        final int create_doc = Iterables.indexOf(names, "create_doc"::equals);
+        final int createDoc = Iterables.indexOf(names, "create_doc"::equals);
         final int delete = Iterables.indexOf(names, "delete"::equals);
+        final int viewIndexMetadata = Iterables.indexOf(names, "view_index_metadata"::equals);
 
         assertThat(read, lessThan(all));
         assertThat(manage, lessThan(all));
         assertThat(monitor, lessThan(manage));
         assertThat(write, lessThan(all));
         assertThat(index, lessThan(write));
-        assertThat(create_doc, lessThan(index));
+        assertThat(createDoc, lessThan(index));
         assertThat(delete, lessThan(write));
+        assertThat(viewIndexMetadata, lessThan(manage));
     }
 
     public void testFindPrivilegesThatGrant() {
@@ -67,4 +71,13 @@ public void testPrivilegesForRollupFieldCapsAction() {
         assertThat(Set.copyOf(privileges), equalTo(Set.of("read", "view_index_metadata", "manage", "all")));
     }
 
+    public void testViewIndexMetadataIsCoveredByManage() {
+        assertThat(
+            Operations.subsetOf(
+                IndexPrivilege.get(Set.of("view_index_metadata")).automaton,
+                IndexPrivilege.get(Set.of("manage")).automaton
+            ),
+            is(true)
+        );
+    }
 }