Superuser etc

n1v0lg · n1v0lg · commit 444112b0fb29 · 2025-02-17T10:31:03.000+01:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
@@ -428,7 +428,7 @@ static SimpleRole buildFromRoleDescriptor(
             );
             Set<BytesReference> query = indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery());
             boolean allowRestrictedIndices = indexPrivilege.allowRestrictedIndices();
-            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelectors(
+            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelector(
                 indexPrivilege.getPrivileges()
             );
             for (var entry : split.entrySet()) {
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java
@@ -8,6 +8,7 @@
 package org.elasticsearch.xpack.core.security.authz.privilege;
 
 import org.elasticsearch.action.support.IndexComponentSelector;
+import org.elasticsearch.core.Predicates;
 
 import java.util.HashSet;
 import java.util.Map;
@@ -16,7 +17,7 @@
 import java.util.stream.Collectors;
 
 public record IndexComponentSelectorPrivilege(String name, Predicate<IndexComponentSelector> predicate) {
-    public static final IndexComponentSelectorPrivilege ALL = new IndexComponentSelectorPrivilege("all", (selector) -> true);
+    public static final IndexComponentSelectorPrivilege ALL = new IndexComponentSelectorPrivilege("all", Predicates.always());
     public static final IndexComponentSelectorPrivilege DATA = new IndexComponentSelectorPrivilege(
         "data",
         IndexComponentSelector.DATA::equals
@@ -43,30 +44,29 @@ public static Set<IndexComponentSelectorPrivilege> get(Set<String> indexPrivileg
         return indexPrivileges.stream().map(IndexComponentSelectorPrivilege::get).collect(Collectors.toSet());
     }
 
-    public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelectors(String... indexPrivileges) {
-        return groupBySelectors(Set.of(indexPrivileges));
+    public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelector(String... indexPrivileges) {
+        return groupBySelector(Set.of(indexPrivileges));
     }
 
-    public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelectors(Set<String> indexPrivileges) {
+    public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelector(Set<String> indexPrivileges) {
         final Set<String> dataAccessPrivileges = new HashSet<>();
         final Set<String> failuresAccessPrivileges = new HashSet<>();
 
         for (String indexPrivilege : indexPrivileges) {
             final IndexComponentSelectorPrivilege selectorPrivilege = get(indexPrivilege);
             // If we ever hit `all`, the entire group can be treated as granting "all" access and we can return early
-            if (selectorPrivilege.equals(ALL)) {
+            if (selectorPrivilege == ALL) {
                 return Map.of(ALL, indexPrivileges);
             }
 
-            if (selectorPrivilege.equals(DATA)) {
+            if (selectorPrivilege == DATA) {
                 dataAccessPrivileges.add(indexPrivilege);
-            } else if (selectorPrivilege.equals(FAILURES)) {
+            } else if (selectorPrivilege == FAILURES) {
                 failuresAccessPrivileges.add(indexPrivilege);
             } else {
-                assert false : "index privilege [" + indexPrivilege + "] mapped to an unexpected selector [" + selectorPrivilege + "]";
-                throw new IllegalStateException(
-                    "index privilege [" + indexPrivilege + "] mapped to an unexpected selector [" + selectorPrivilege + "]"
-                );
+                final var message = "index privilege [" + indexPrivilege + "] mapped to an unexpected selector [" + selectorPrivilege + "]";
+                assert false : message;
+                throw new IllegalStateException(message);
             }
         }
 
@@ -81,6 +81,7 @@ public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelectors
 
     private static IndexComponentSelectorPrivilege get(String indexPrivilegeName) {
         final IndexPrivilege indexPrivilege = IndexPrivilege.getNamedOrNull(indexPrivilegeName);
+        // `null` means we got a raw action instead of a named privilege; all raw actions are treated as data access
         if (indexPrivilege == null) {
             return DATA;
         } else if (indexPrivilege == IndexPrivilege.ALL) {
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -78,7 +78,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("all").allowRestrictedIndices(false).build(),
             RoleDescriptor.IndicesPrivileges.builder()
                 .indices("*")
-                .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster")
+                .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failure_store")
                 .allowRestrictedIndices(true)
                 .build() },
         new RoleDescriptor.ApplicationResourcePrivileges[] {
@@ -95,7 +95,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             new RoleDescriptor.RemoteIndicesPrivileges(
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("*")
-                    .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster")
+                    .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failure_store")
                     .allowRestrictedIndices(true)
                     .build(),
                 "*"
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
@@ -543,7 +543,7 @@ public static void buildRoleFromDescriptors(
 
         for (Map.Entry<Set<String>, MergeableIndicesPrivilege> entry : indicesPrivilegesMap.entrySet()) {
             MergeableIndicesPrivilege indicesPrivilege = entry.getValue();
-            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelectors(
+            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelector(
                 indicesPrivilege.privileges
             );
             FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition);
@@ -561,7 +561,7 @@ public static void buildRoleFromDescriptors(
         }
         for (Map.Entry<Set<String>, MergeableIndicesPrivilege> entry : restrictedIndicesPrivilegesMap.entrySet()) {
             MergeableIndicesPrivilege indicesPrivilege = entry.getValue();
-            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelectors(
+            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelector(
                 indicesPrivilege.privileges
             );
             FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition);
