
Commit f881a48

committed
Test
1 parent 7f195f1 commit f881a48


1 file changed

+22
-0
lines changed

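--- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
+++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
@@ -91,6 +91,7 @@ protected Settings restAdminSettings() {
 private static final String WRITE_ACCESS = "write_access";
 private static final String MANAGE_ACCESS = "manage_access";
 private static final String MANAGE_FAILURE_STORE_ACCESS = "manage_failure_store_access";
+private static final String MANAGE_DATA_STREAM_LIFECYCLE = "manage_data_stream_lifecycle";
 private static final SecureString PASSWORD = new SecureString("admin-password");
 
 @Before
@@ -1836,12 +1837,32 @@ public void testWriteAndManageOperations() throws IOException {
 }
 """);
 
+createUser(MANAGE_DATA_STREAM_LIFECYCLE, PASSWORD, MANAGE_DATA_STREAM_LIFECYCLE);
+upsertRole(Strings.format("""
+{
+"cluster": ["all"],
+"indices": [{"names": ["test*"], "privileges": ["manage_data_stream_lifecycle"]}]
+}"""), MANAGE_DATA_STREAM_LIFECYCLE);
+createAndStoreApiKey(MANAGE_DATA_STREAM_LIFECYCLE, randomBoolean() ? null : """
+{
+"role": {
+"cluster": ["all"],
+"indices": [{"names": ["test*"], "privileges": ["manage_data_stream_lifecycle"]}]
+}
+}
+""");
+
 // explain lifecycle API with and without failures selector is granted by manage
 assertOK(performRequest(MANAGE_ACCESS, new Request("GET", "test1/_lifecycle/explain")));
 assertOK(performRequest(MANAGE_ACCESS, new Request("GET", "test1::failures/_lifecycle/explain")));
 assertOK(performRequest(MANAGE_ACCESS, new Request("GET", failureIndexName + "/_lifecycle/explain")));
 assertOK(performRequest(MANAGE_ACCESS, new Request("GET", dataIndexName + "/_lifecycle/explain")));
 
+assertOK(performRequest(MANAGE_DATA_STREAM_LIFECYCLE, new Request("GET", "test1/_lifecycle/explain")));
+assertOK(performRequest(MANAGE_DATA_STREAM_LIFECYCLE, new Request("GET", "test1::failures/_lifecycle/explain")));
+assertOK(performRequest(MANAGE_DATA_STREAM_LIFECYCLE, new Request("GET", failureIndexName + "/_lifecycle/explain")));
+assertOK(performRequest(MANAGE_DATA_STREAM_LIFECYCLE, new Request("GET", dataIndexName + "/_lifecycle/explain")));
+
 // explain lifecycle API is granted by manage_failure_store only for failures selector
 expectThrows(() -> performRequest(MANAGE_FAILURE_STORE_ACCESS, new Request("GET", "test1/_lifecycle/explain")), 403);
 assertOK(performRequest(MANAGE_FAILURE_STORE_ACCESS, new Request("GET", "test1::failures/_lifecycle/explain")));
@@ -1851,6 +1872,7 @@ public void testWriteAndManageOperations() throws IOException {
 // user with manage access to data stream can delete failure index because manage grants access to both data and failures
 expectThrows(() -> deleteIndex(MANAGE_ACCESS, failureIndexName), 400);
 expectThrows(() -> deleteIndex(MANAGE_ACCESS, dataIndexName), 400);
+
 // manage_failure_store user COULD delete failure index (not valid because it's a write index, but allowed security-wise)
 expectThrows(() -> deleteIndex(MANAGE_FAILURE_STORE_ACCESS, failureIndexName), 400);
 expectThrows(() -> deleteIndex(MANAGE_FAILURE_STORE_ACCESS, dataIndexName), 403);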
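Review bot: The new `manage_data_stream_lifecycle` user is exercised only through the four `assertOK` explain-lifecycle calls in the second hunk, so nothing here pins what the privilege must not allow. The third hunk adds only a blank line in the delete-index section, where a denial check would fit, e.g. `expectThrows(() -> deleteIndex(MANAGE_DATA_STREAM_LIFECYCLE, dataIndexName), 403);` (expected status to be confirmed against the privilege definition). The role and the API key descriptor both carry `"cluster": ["all"]`, which makes it harder to attribute the granted access to the index privilege alone; if the explain API needs no cluster privilege, dropping it would tighten the test. The added assertions also have no comment of their own, unlike the neighbouring groups; something like `// explain lifecycle API with and without failures selector is also granted by manage_data_stream_lifecycle` would match. `testWriteAndManageOperations` begins and ends outside these hunks.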
