
Commit 125e808

committed
Test fixes
1 parent 79d15eb commit 125e808


6 files changed

+52
-35
lines changed


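--- a/docs/reference/rest-api/security/get-builtin-privileges.asciidoc
+++ b/docs/reference/rest-api/security/get-builtin-privileges.asciidoc
@@ -148,13 +148,15 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
 "maintenance",
 "manage",
 "manage_data_stream_lifecycle",
+"manage_failure_store_internal",
 "manage_follow_index",
 "manage_ilm",
 "manage_leader_index",
 "monitor",
 "none",
 "read",
 "read_cross_cluster",
+"read_failure_store",
 "view_index_metadata",
 "write"
 ],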

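--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
@@ -76,17 +76,6 @@ public Builder(RestrictedIndices restrictedIndices) {
 this.restrictedIndices = restrictedIndices;
 }
 
-// TODO remove me
-public Builder addGroup(
-IndexPrivilege privilege,
-FieldPermissions fieldPermissions,
-@Nullable Set<BytesReference> query,
-boolean allowRestrictedIndices,
-String... indices
-) {
-return addGroup(privilege, fieldPermissions, query, allowRestrictedIndices, IndexComponentSelectorPrivilege.DATA, indices);
-}
-
 public Builder addGroup(
 IndexPrivilege privilege,
 FieldPermissions fieldPermissions,
@@ -95,6 +84,7 @@ public Builder addGroup(
 IndexComponentSelectorPrivilege selectorPrivilege,
 String... indices
 ) {
+assert privilege != IndexPrivilege.ALL || selectorPrivilege.isTotal() : "all privilege must be associated with all selector";
 groups.add(
 new Group(privilege, fieldPermissions, query, allowRestrictedIndices, restrictedIndices, selectorPrivilege, indices)
 );
@@ -917,7 +907,7 @@ boolean isTotal() {
 && privilege == IndexPrivilege.ALL
 && query == null
 && false == fieldPermissions.hasFieldLevelSecurity()
-// TODO add selectorPrivilege here in a follow PR handling authorization
+// TODO ensure we want this now, not in a follow up instead
 && selectorPrivilege.isTotal();
 }
 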
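Review bot: The new invariant in `Builder.addGroup`, `assert privilege != IndexPrivilege.ALL || selectorPrivilege.isTotal()`, is only evaluated when the JVM runs with `-ea`; in production a group pairing `IndexPrivilege.ALL` with a non-total selector is still built, and because `Group.isTotal()` now also requires `selectorPrivilege.isTotal()` such a group silently stops taking the total-permission path, so behaviour differs between test and production runs. If callers are expected to uphold the pairing, enforce it unconditionally, e.g. `if (privilege == IndexPrivilege.ALL && selectorPrivilege.isTotal() == false) { throw new IllegalArgumentException("all privilege must be associated with all selector"); }`, or document on `addGroup` that `ALL` must be combined with `IndexComponentSelectorPrivilege.ALL`. The TODO in `isTotal()` has been replaced by another TODO rather than resolved; the decision should be made before merge since it changes how total permissions are detected. Both hunks are inside `Builder` and `Group`, whose definitions begin outside the hunks.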
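--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java
@@ -30,7 +30,6 @@
 import org.elasticsearch.index.reindex.ReindexAction;
 import org.elasticsearch.xpack.core.XPackPlugin;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
-import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
 
 import java.util.Collection;
@@ -162,8 +161,7 @@ public class InternalUsers {
 IndicesStatsAction.NAME + "*",
 TransportUpdateSettingsAction.TYPE.name(),
 DownsampleAction.NAME,
-TransportAddIndexBlockAction.TYPE.name(),
-IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL.getSingleName()
+TransportAddIndexBlockAction.TYPE.name()
 )
 .allowRestrictedIndices(false)
 .build(),
@@ -182,8 +180,7 @@ public class InternalUsers {
 IndicesStatsAction.NAME + "*",
 TransportUpdateSettingsAction.TYPE.name(),
 DownsampleAction.NAME,
-TransportAddIndexBlockAction.TYPE.name(),
-IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL.getSingleName()
+TransportAddIndexBlockAction.TYPE.name()
 )
 .allowRestrictedIndices(true)
 .build() },
@@ -223,8 +220,7 @@ public class InternalUsers {
 TransportBulkAction.NAME,
 TransportIndexAction.NAME,
 TransportSearchScrollAction.TYPE.name(),
-ModifyDataStreamsAction.NAME,
-IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL.getSingleName()
+ModifyDataStreamsAction.NAME
 )
 .allowRestrictedIndices(false)
 .build() },
@@ -248,7 +244,7 @@ public class InternalUsers {
 new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder()
 .indices("*")
-.privileges(LazyRolloverAction.NAME, IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL.getSingleName())
+.privileges(LazyRolloverAction.NAME)
 .allowRestrictedIndices(true)
 .build() },
 null,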
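Review bot: Removing `IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL.getSingleName()` from four internal-user index privilege lists changes the effective permissions of system principals, which is a larger change than the commit title `Test fixes` conveys; the commit message should state why the privilege is no longer required (for instance if failure-store access is now derived from the selector handling elsewhere) so the next reader does not have to reverse-engineer it. If these users still need to act on failure stores — the lazy-rollover descriptor in particular grants `LazyRolloverAction.NAME` on `*` with restricted indices allowed — their requests against `::failures` targets would now be denied, so a test that performs a failure-store operation as each of these users would make the intent explicit; if they do not need it, the removal is a welcome narrowing of system-user privilege. Each hunk sits inside a static `RoleDescriptor` initializer of `InternalUsers` that begins and ends outside the hunk.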

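--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -987,7 +987,10 @@ public void testUnknownRoleCausesDenial() {
 )
 )
 );
-assertThat(securityException, throwableWithMessage(containsString("this action is granted by the index privileges [read,all]")));
+assertThat(
+securityException,
+throwableWithMessage(containsString("this action is granted by the index privileges [read,read_failure_store,all]"))
+);
 
 verify(auditTrail).accessDenied(eq(requestId), eq(authentication), eq(action), eq(request), authzInfoRoles(Role.EMPTY.names()));
 verifyNoMoreInteractions(auditTrail);
@@ -1033,7 +1036,10 @@ public void testServiceAccountDenial() {
 throwableWithMessage(containsString("[" + action + "] is unauthorized for service account [" + serviceUser.principal() + "]"))
 );
 verify(auditTrail).accessDenied(eq(requestId), eq(authentication), eq(action), eq(request), authzInfoRoles(role.names()));
-assertThat(securityException, throwableWithMessage(containsString("this action is granted by the index privileges [read,all]")));
+assertThat(
+securityException,
+throwableWithMessage(containsString("this action is granted by the index privileges [read,read_failure_store,all]"))
+);
 verifyNoMoreInteractions(auditTrail);
 }
 
@@ -1083,7 +1089,10 @@ public void testThatRoleWithNoIndicesIsDenied() {
 containsString("[" + action + "] is unauthorized" + " for user [test user]" + " with effective roles [no_indices]")
 )
 );
-assertThat(securityException, throwableWithMessage(containsString("this action is granted by the index privileges [read,all]")));
+assertThat(
+securityException,
+throwableWithMessage(containsString("this action is granted by the index privileges [read,read_failure_store,all]"))
+);
 
 verify(auditTrail).accessDenied(
 eq(requestId),
@@ -1536,7 +1545,10 @@ public void testDenialErrorMessagesForSearchAction() {
 assertThat(securityException, throwableWithMessage(containsString("other-4")));
 assertThat(securityException, throwableWithMessage(not(containsString("all-1"))));
 assertThat(securityException, throwableWithMessage(not(containsString("read-2"))));
-assertThat(securityException, throwableWithMessage(containsString(", this action is granted by the index privileges [read,all]")));
+assertThat(
+securityException,
+throwableWithMessage(containsString(", this action is granted by the index privileges [read,read_failure_store,all]"))
+);
 }
 
 public void testDenialErrorMessagesForBulkIngest() throws Exception {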
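Review bot: The updated expectations lock in the denial hint `this action is granted by the index privileges [read,read_failure_store,all]` for searches against ordinary indices, yet `read_failure_store` presumably only grants the action through the failure-store selector, so the hint now names a privilege that would not authorize the denied request as it was made. If the hint is built from every privilege whose action patterns match, consider filtering it by the selector of the request before locking the wording in here, and add a denial case that targets a `::failures` selector so the one situation where `read_failure_store` is the right suggestion is actually exercised. As written these hunks only track the wording change and add no coverage for the new privilege. All four hunks are inside test methods that begin outside the hunk.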

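--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java
@@ -1809,7 +1809,7 @@ public void testGetRoleDescriptorsForRemoteClusterForReservedRoles() {
 IndicesPrivileges.builder().indices("*").privileges("all").allowRestrictedIndices(false).build(),
 IndicesPrivileges.builder()
 .indices("*")
-.privileges("monitor", "read", "read_cross_cluster", "view_index_metadata")
+.privileges("monitor", "read", "read_cross_cluster", "read_failure_store", "view_index_metadata")
 .allowRestrictedIndices(true)
 .build() },
 null,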
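Review bot: This expectation now asserts that a reserved role's remote-cluster descriptor grants `read_failure_store` on `*` with `allowRestrictedIndices(true)`, i.e. the role can read failure-store contents of every index, restricted ones included, from a remote cluster. Failure-store documents typically carry the original rejected source, so this widens what the role exposes cross-cluster; the test change should be accompanied by a short comment explaining why the privilege is expected here, e.g. `// read_failure_store is implied for reserved roles with read on *`, and the reserved role's documentation should be checked for the same addition. The enclosing test method begins outside the hunk.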

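--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java
@@ -78,7 +78,7 @@ public void testAuthorize() {
 query,
 IndexPrivilege.ALL,
 allowRestrictedIndices6,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "_index"
 ).build();
 IndicesAccessControl permissions = role.authorize(
@@ -103,7 +103,7 @@ public void testAuthorize() {
 null,
 IndexPrivilege.ALL,
 allowRestrictedIndices5,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "_index"
 ).build();
 permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_index"), md, fieldPermissionsCache);
@@ -121,7 +121,7 @@ public void testAuthorize() {
 query,
 IndexPrivilege.ALL,
 allowRestrictedIndices4,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "_index"
 ).build();
 permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_index"), md, fieldPermissionsCache);
@@ -140,7 +140,7 @@ public void testAuthorize() {
 query,
 IndexPrivilege.ALL,
 allowRestrictedIndices3,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "_alias"
 ).build();
 permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_alias"), md, fieldPermissionsCache);
@@ -172,7 +172,7 @@ public void testAuthorize() {
 query,
 IndexPrivilege.ALL,
 allowRestrictedIndices2,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "_alias"
 ).build();
 permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_alias"), md, fieldPermissionsCache);
@@ -204,7 +204,7 @@ public void testAuthorize() {
 fooQuery,
 IndexPrivilege.ALL,
 allowRestrictedIndices,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "_alias"
 );
 FieldPermissions fieldPermissions1 = new FieldPermissions(fieldPermissionDef(allFields, null));
@@ -214,7 +214,7 @@ public void testAuthorize() {
 query,
 IndexPrivilege.ALL,
 allowRestrictedIndices1,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "_alias"
 ).build();
 permissions = role.authorize(TransportSearchAction.TYPE.name(), Sets.newHashSet("_alias"), md, fieldPermissionsCache);
@@ -256,7 +256,7 @@ public void testAuthorizeMultipleGroupsMixedDls() {
 query,
 IndexPrivilege.ALL,
 allowRestrictedIndices,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "_index"
 );
 FieldPermissions fieldPermissions1 = new FieldPermissions(fieldPermissionDef(null, null));
@@ -266,7 +266,7 @@ public void testAuthorizeMultipleGroupsMixedDls() {
 null,
 IndexPrivilege.ALL,
 allowRestrictedIndices1,
-IndexComponentSelectorPrivilege.DATA,
+IndexComponentSelectorPrivilege.ALL,
 "*"
 ).build();
 IndicesAccessControl permissions = role.authorize(
@@ -330,13 +330,15 @@ public void testCorePermissionAuthorize() {
 FieldPermissions.DEFAULT,
 null,
 randomBoolean(),
+IndexComponentSelectorPrivilege.ALL,
 "a1"
 )
 .addGroup(
 IndexPrivilege.READ,
 new FieldPermissions(fieldPermissionDef(null, new String[] { "denied_field" })),
 null,
 randomBoolean(),
+IndexComponentSelectorPrivilege.DATA,
 "a1"
 )
 .build();
@@ -362,27 +364,31 @@ public void testCorePermissionAuthorize() {
 FieldPermissions.DEFAULT,
 null,
 randomBoolean(),
+IndexComponentSelectorPrivilege.ALL,
 "a1"
 )
 .addGroup(
 IndexPrivilege.ALL,
 new FieldPermissions(fieldPermissionDef(null, new String[] { "denied_field" })),
 null,
 randomBoolean(),
+IndexComponentSelectorPrivilege.ALL,
 "a1"
 )
 .addGroup(
 IndexPrivilege.ALL,
 new FieldPermissions(fieldPermissionDef(new String[] { "*_field" }, new String[] { "denied_field" })),
 null,
 randomBoolean(),
+IndexComponentSelectorPrivilege.ALL,
 "a2"
 )
 .addGroup(
 IndexPrivilege.ALL,
 new FieldPermissions(fieldPermissionDef(new String[] { "*_field2" }, new String[] { "denied_field2" })),
 null,
 randomBoolean(),
+IndexComponentSelectorPrivilege.ALL,
 "a2"
 )
 .build();
@@ -444,6 +450,7 @@ public void testSecurityIndicesPermissions() {
 FieldPermissions.DEFAULT,
 null,
 false,
+IndexComponentSelectorPrivilege.ALL,
 "*"
 ).build();
 IndicesAccessControl iac = indicesPermission.authorize(
@@ -464,6 +471,7 @@ public void testSecurityIndicesPermissions() {
 FieldPermissions.DEFAULT,
 null,
 true,
+IndexComponentSelectorPrivilege.ALL,
 "*"
 ).build();
 iac = indicesPermission.authorize(
@@ -494,6 +502,7 @@ public void testAsyncSearchIndicesPermissions() {
 FieldPermissions.DEFAULT,
 null,
 false,
+IndexComponentSelectorPrivilege.ALL,
 "*"
 ).build();
 IndicesAccessControl iac = indicesPermission.authorize(
@@ -512,6 +521,7 @@ public void testAsyncSearchIndicesPermissions() {
 FieldPermissions.DEFAULT,
 null,
 true,
+IndexComponentSelectorPrivilege.ALL,
 "*"
 ).build();
 iac = indicesPermission.authorize(
@@ -549,6 +559,7 @@ public void testAuthorizationForBackingIndices() {
 FieldPermissions.DEFAULT,
 null,
 false,
+IndexComponentSelectorPrivilege.DATA,
 dataStreamName
 ).build();
 IndicesAccessControl iac = indicesPermission.authorize(
@@ -569,6 +580,7 @@ public void testAuthorizationForBackingIndices() {
 FieldPermissions.DEFAULT,
 null,
 false,
+IndexComponentSelectorPrivilege.DATA,
 dataStreamName
 ).build();
 iac = indicesPermission.authorize(
@@ -614,13 +626,15 @@ public void testAuthorizationForMappingUpdates() {
 FieldPermissions.DEFAULT,
 null,
 randomBoolean(),
+IndexComponentSelectorPrivilege.DATA,
 "test*"
 )
 .addGroup(
 IndexPrivilege.WRITE,
 new FieldPermissions(fieldPermissionDef(null, new String[] { "denied_field" })),
 null,
 randomBoolean(),
+IndexComponentSelectorPrivilege.DATA,
 "test_write*"
 )
 .build();
@@ -719,6 +733,7 @@ public void testIndicesPermissionHasFieldOrDocumentLevelSecurity() {
 fieldPermissions,
 queries,
 randomBoolean(),
+IndexComponentSelectorPrivilege.ALL,
 "*"
 ).build();
 assertThat(indicesPermission1.hasFieldOrDocumentLevelSecurity(), is(true));
@@ -729,6 +744,7 @@ public void testIndicesPermissionHasFieldOrDocumentLevelSecurity() {
 FieldPermissions.DEFAULT,
 null,
 true,
+IndexComponentSelectorPrivilege.ALL,
 "*"
 ).build();
 assertThat(indicesPermission2.hasFieldOrDocumentLevelSecurity(), is(false));
@@ -739,8 +755,9 @@ public void testIndicesPermissionHasFieldOrDocumentLevelSecurity() {
 FieldPermissions.DEFAULT,
 null,
 true,
+IndexComponentSelectorPrivilege.ALL,
 "*"
-).addGroup(IndexPrivilege.NONE, fieldPermissions, queries, randomBoolean(), "*").build();
+).addGroup(IndexPrivilege.NONE, fieldPermissions, queries, randomBoolean(), IndexComponentSelectorPrivilege.DATA, "*").build();
 assertThat(indicesPermission3.hasFieldOrDocumentLevelSecurity(), is(false));
 }
 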
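Review bot: Every `IndexPrivilege.ALL` group in these tests was switched from `IndexComponentSelectorPrivilege.DATA` to `IndexComponentSelectorPrivilege.ALL`, which satisfies the assertion this commit adds to `IndicesPermission.Builder.addGroup`, but nothing here exercises the new rule itself or the new selector term in `Group.isTotal()`. Add a case that builds an `ALL` group with `IndexComponentSelectorPrivilege.DATA` and, given assertions are enabled in the test JVM, checks `expectThrows(AssertionError.class, () -> builder.addGroup(IndexPrivilege.ALL, FieldPermissions.DEFAULT, null, false, IndexComponentSelectorPrivilege.DATA, "*"))`, plus one that verifies a group with `ALL` privilege and a non-total selector is no longer treated as total. The backing-index and mapping-update tests now pin `DATA` explicitly; a sibling case that targets a `::failures` selector would cover the other branch of the selector check, which the suite currently never reaches. Each hunk is inside a test method that begins outside the hunk.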