diff --git a/docs/changelog/117519.yaml b/docs/changelog/117519.yaml new file mode 100644 index 0000000000000..f228278983785 --- /dev/null +++ b/docs/changelog/117519.yaml @@ -0,0 +1,20 @@ +pr: 117519 +summary: Remove `data_frame_transforms` roles +area: Transform +type: breaking +issues: [] +breaking: + title: Remove `data_frame_transforms` roles + area: Transform + details: >- + `data_frame_transforms_admin` and `data_frame_transforms_user` were deprecated in + Elasticsearch 7 and are being removed in Elasticsearch 9. + `data_frame_transforms_admin` is now `transform_admin`. + `data_frame_transforms_user` is now `transform_user`. + Users must call the `_update` API to replace the permissions on the Transform before the + Transform can be started. + impact: >- + Transforms created with either the `data_frame_transforms_admin` or the + `data_frame_transforms_user` role will fail to start. The Transform will remain + in a `stopped` state, and its health will be red while displaying permission failures. + notable: false diff --git a/docs/reference/security/authorization/built-in-roles.asciidoc b/docs/reference/security/authorization/built-in-roles.asciidoc index 13812b915dc5e..846ab3b6f73aa 100644 --- a/docs/reference/security/authorization/built-in-roles.asciidoc +++ b/docs/reference/security/authorization/built-in-roles.asciidoc 
@@ -33,18 +33,6 @@ suitable for writing beats output to {es}. -- -[[built-in-roles-data-frame-transforms-admin]] `data_frame_transforms_admin` :: -Grants `manage_data_frame_transforms` cluster privileges, which enable you to -manage {transforms}. This role also includes all -{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. -deprecated:[7.5.0,"Replaced by <>"]. - -[[built-in-roles-data-frame-transforms-user]] `data_frame_transforms_user` :: -Grants `monitor_data_frame_transforms` cluster privileges, which enable you to -use {transforms}. This role also includes all -{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. -deprecated:[7.5.0,"Replaced by <>"]. - [[built-in-roles-editor]] `editor` :: Grants full access to all features in {kib} (including Solutions) and read-only access to data indices. diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index 3ab9bcc024614..3648d8a0c7daa 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java 
@@ -539,70 +539,6 @@ private static Map initializeReservedRoles() { + "and roles that grant access to Kibana." ) ), - // DEPRECATED: to be removed in 9.0.0 - entry( - "data_frame_transforms_admin", - new RoleDescriptor( - "data_frame_transforms_admin", - new String[] { "manage_data_frame_transforms" }, - new RoleDescriptor.IndicesPrivileges[] { - RoleDescriptor.IndicesPrivileges.builder() - .indices( - TransformInternalIndexConstants.AUDIT_INDEX_PATTERN, - TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED, - TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS - ) - .privileges("view_index_metadata", "read") - .build() }, - new RoleDescriptor.ApplicationResourcePrivileges[] { - RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*") - .resources("*") - .privileges("reserved_ml_user") - .build() }, - null, - null, - MetadataUtils.getDeprecatedReservedMetadata("Please use the [transform_admin] role instead"), - null, - null, - null, - null, - "Grants manage_data_frame_transforms cluster privileges, which enable you to manage transforms. " - + "This role also includes all Kibana privileges for the machine learning features." 
- ) - ), - // DEPRECATED: to be removed in 9.0.0 - entry( - "data_frame_transforms_user", - new RoleDescriptor( - "data_frame_transforms_user", - new String[] { "monitor_data_frame_transforms" }, - new RoleDescriptor.IndicesPrivileges[] { - RoleDescriptor.IndicesPrivileges.builder() - .indices( - TransformInternalIndexConstants.AUDIT_INDEX_PATTERN, - TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED, - TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS - ) - .privileges("view_index_metadata", "read") - .build() }, - new RoleDescriptor.ApplicationResourcePrivileges[] { - RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*") - .resources("*") - .privileges("reserved_ml_user") - .build() }, - null, - null, - MetadataUtils.getDeprecatedReservedMetadata("Please use the [transform_user] role instead"), - null, - null, - null, - null, - "Grants monitor_data_frame_transforms cluster privileges, which enable you to use transforms. " - + "This role also includes all Kibana privileges for the machine learning features. " - ) - ), entry( "transform_admin", new RoleDescriptor( diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java index 1de584d5593f1..79a679441de3a 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java 
@@ -27,12 +27,5 @@ public class TransformDeprecations { public static final String MAX_PAGE_SEARCH_SIZE_BREAKING_CHANGES_URL = "https://ela.st/es-deprecation-7-transform-max-page-search-size"; - public static final String DATA_FRAME_TRANSFORMS_ROLES_BREAKING_CHANGES_URL = - "https://ela.st/es-deprecation-9-data-frame-transforms-roles"; - - public static final String DATA_FRAME_TRANSFORMS_ROLES_IS_DEPRECATED = "This transform configuration uses one or more obsolete roles " - + "prefixed with [data_frame_transformers_] which will be unsupported after the next upgrade. Switch to a user with the equivalent " - + "roles prefixed with [transform_] and use [/_transform/_upgrade] to upgrade all transforms to the latest roles.";; - private TransformDeprecations() {} } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java index 745da71539992..d84040aaf7a85 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java 
@@ -24,13 +24,11 @@ import org.elasticsearch.xcontent.ToXContentObject; import org.elasticsearch.xcontent.XContentBuilder; import org.elasticsearch.xcontent.XContentParser; -import org.elasticsearch.xpack.core.ClientHelper; import org.elasticsearch.xpack.core.common.time.TimeUtils; import org.elasticsearch.xpack.core.common.validation.SourceDestValidator; import org.elasticsearch.xpack.core.common.validation.SourceDestValidator.SourceDestValidation; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue.Level; -import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer; import org.elasticsearch.xpack.core.security.xcontent.XContentUtils; import org.elasticsearch.xpack.core.transform.TransformConfigVersion; import org.elasticsearch.xpack.core.transform.TransformDeprecations; @@ -43,7 +41,6 @@ import java.io.IOException; import java.time.Instant; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Locale; @@ -52,7 +49,6 @@ import static org.elasticsearch.xcontent.ConstructingObjectParser.constructorArg; import static org.elasticsearch.xcontent.ConstructingObjectParser.optionalConstructorArg; -import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.AUTHENTICATION_KEY; /** * This class holds the configuration details of a data frame transform 
@@ -69,10 +65,6 @@ public final class TransformConfig implements SimpleDiffable, W public static final ParseField HEADERS = new ParseField("headers"); /** Version in which {@code FieldCapabilitiesRequest.runtime_fields} field was introduced. */ private static final TransportVersion FIELD_CAPS_RUNTIME_MAPPINGS_INTRODUCED_TRANSPORT_VERSION = TransportVersions.V_7_12_0; - private static final List DEPRECATED_DATA_FRAME_TRANSFORMS_ROLES = List.of( - "data_frame_transforms_admin", - "data_frame_transforms_user" - ); /** Specifies all the possible transform functions. */ public enum Function { @@ -413,37 +405,9 @@ public List checkForDeprecations(NamedXContentRegistry namedXC retentionPolicyConfig.checkForDeprecations(getId(), namedXContentRegistry, deprecations::add); } - var deprecatedTransformRoles = getRolesFromHeaders().stream().filter(DEPRECATED_DATA_FRAME_TRANSFORMS_ROLES::contains).toList(); - if (deprecatedTransformRoles.isEmpty() == false) { - deprecations.add( - new DeprecationIssue( - Level.CRITICAL, - "Transform [" + id + "] uses deprecated transform roles " + deprecatedTransformRoles, - TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_BREAKING_CHANGES_URL, - TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_IS_DEPRECATED, - false, - null - ) - ); - } - return deprecations; } - private List getRolesFromHeaders() throws IOException { - if (headers == null) { - return Collections.emptyList(); - } - - var encodedAuthenticationHeader = ClientHelper.filterSecurityHeaders(headers).getOrDefault(AUTHENTICATION_KEY, ""); - if (encodedAuthenticationHeader.isEmpty()) { - return Collections.emptyList(); - } - - var decodedAuthenticationHeader = AuthenticationContextSerializer.decode(encodedAuthenticationHeader); - return Arrays.asList(decodedAuthenticationHeader.getEffectiveSubject().getUser().roles()); - } - @Override public void writeTo(final StreamOutput out) throws IOException { out.writeString(id); 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 141b9a7092337..b08dd90ae9065 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -277,8 +277,6 @@ public void testIsReserved() { assertThat(ReservedRolesStore.isReserved("reporting_user"), is(true)); assertThat(ReservedRolesStore.isReserved("machine_learning_user"), is(true)); assertThat(ReservedRolesStore.isReserved("machine_learning_admin"), is(true)); - assertThat(ReservedRolesStore.isReserved("data_frame_transforms_user"), is(true)); - assertThat(ReservedRolesStore.isReserved("data_frame_transforms_admin"), is(true)); assertThat(ReservedRolesStore.isReserved("transform_user"), is(true)); assertThat(ReservedRolesStore.isReserved("transform_admin"), is(true)); assertThat(ReservedRolesStore.isReserved("watcher_user"), is(true)); 
@@ -3424,185 +3422,99 @@ public void testTransformAdminRole() { final TransportRequest request = mock(TransportRequest.class); final Authentication authentication = AuthenticationTestHelper.builder().build(); - RoleDescriptor[] roleDescriptors = { - ReservedRolesStore.roleDescriptor("data_frame_transforms_admin"), - ReservedRolesStore.roleDescriptor("transform_admin") }; + RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("transform_admin"); - for (RoleDescriptor roleDescriptor : roleDescriptors) { - assertNotNull(roleDescriptor); - assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); - if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { - assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true)); - } else { - assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true))); - } + assertNotNull(roleDescriptor); + assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); + assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true))); - final String allowedApplicationActionPattern = "example/custom/action/*"; - final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); - List lookup = roleDescriptor.getName().equals("data_frame_transforms_admin") - ? 
List.of( - new ApplicationPrivilegeDescriptor( - kibanaApplicationWithRandomIndex, - "reserved_ml_user", - Set.of(allowedApplicationActionPattern), - Map.of() - ) - ) - : List.of(); - Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES, lookup); - assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(PreviewTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(PutTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(StartTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(StopTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(SetTransformUpgradeModeAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); - - assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS); - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN); - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED); - assertNoAccessAllowed(role, "foo"); - assertNoAccessAllowed(role, TransformInternalIndexConstants.LATEST_INDEX_NAME); // internal use only - - assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES); - assertNoAccessAllowed(role, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2)); + final String allowedApplicationActionPattern = "example/custom/action/*"; + final String 
kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); + List lookup = List.of(); + Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES, lookup); + assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(PreviewTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(PutTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(StartTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(StopTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(SetTransformUpgradeModeAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); - assertThat( - role.application() - .grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), - is(false) - ); + assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { - assertThat( - role.application() - .grants( - ApplicationPrivilegeTests.createPrivilege( - kibanaApplicationWithRandomIndex, - "app-reserved_ml", - allowedApplicationActionPattern - ), - "*" - ), - is(true) - ); - } + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS); + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN); + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED); + assertNoAccessAllowed(role, 
"foo"); + assertNoAccessAllowed(role, TransformInternalIndexConstants.LATEST_INDEX_NAME); // internal use only - final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); - assertThat( - role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"), - is(false) - ); - if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { - assertThat( - role.application() - .grants( - ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-reserved_ml", allowedApplicationActionPattern), - "*" - ), - is(false) - ); - } - } + assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES); + assertNoAccessAllowed(role, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2)); + + assertThat( + role.application().grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), + is(false) + ); + + final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); + assertThat( + role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"), + is(false) + ); } public void testTransformUserRole() { final TransportRequest request = mock(TransportRequest.class); final Authentication authentication = AuthenticationTestHelper.builder().build(); - RoleDescriptor[] roleDescriptors = { - ReservedRolesStore.roleDescriptor("data_frame_transforms_user"), - ReservedRolesStore.roleDescriptor("transform_user") }; + RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("transform_user"); - for (RoleDescriptor roleDescriptor : roleDescriptors) { - assertNotNull(roleDescriptor); - assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); - if (roleDescriptor.getName().equals("data_frame_transforms_user")) { - assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true)); - } else { - assertThat(roleDescriptor.getMetadata(), 
not(hasEntry("_deprecated", true))); - } + assertNotNull(roleDescriptor); + assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); + assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true))); - final String allowedApplicationActionPattern = "example/custom/action/*"; - final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); - List lookup = roleDescriptor.getName().equals("data_frame_transforms_user") - ? List.of( - new ApplicationPrivilegeDescriptor( - kibanaApplicationWithRandomIndex, - "reserved_ml_user", - Set.of(allowedApplicationActionPattern), - Map.of() - ) - ) - : List.of(); - Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES, lookup); - assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(PreviewTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(PutTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(StartTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(StopTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(SetTransformUpgradeModeAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(ActivateProfileAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(SuggestProfilesAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(UpdateProfileDataAction.NAME, 
request, authentication), is(false)); - assertThat(role.cluster().check(GetProfilesAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(ProfileHasPrivilegesAction.NAME, request, authentication), is(false)); - - assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS); - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN); - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED); - assertNoAccessAllowed(role, "foo"); - assertNoAccessAllowed(role, TransformInternalIndexConstants.LATEST_INDEX_NAME); - - assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES); - assertNoAccessAllowed(role, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2)); + final String allowedApplicationActionPattern = "example/custom/action/*"; + final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); + List lookup = List.of(); + Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES, lookup); + assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(PreviewTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(PutTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(StartTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(StopTransformAction.NAME, request, authentication), is(false)); + 
assertThat(role.cluster().check(SetTransformUpgradeModeAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(ActivateProfileAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(SuggestProfilesAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(UpdateProfileDataAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(GetProfilesAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(ProfileHasPrivilegesAction.NAME, request, authentication), is(false)); - assertThat( - role.application() - .grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), - is(false) - ); + assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - if (roleDescriptor.getName().equals("data_frame_transforms_user")) { - assertThat( - role.application() - .grants( - ApplicationPrivilegeTests.createPrivilege( - kibanaApplicationWithRandomIndex, - "app-reserved_ml", - allowedApplicationActionPattern - ), - "*" - ), - is(true) - ); - } + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS); + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN); + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED); + assertNoAccessAllowed(role, "foo"); + assertNoAccessAllowed(role, TransformInternalIndexConstants.LATEST_INDEX_NAME); - final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); - assertThat( - role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"), - is(false) - ); - if (roleDescriptor.getName().equals("data_frame_transforms_user")) { - assertThat( - role.application() - .grants( - 
ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-reserved_ml", allowedApplicationActionPattern), - "*" - ), - is(false) - ); - } - } + assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES); + assertNoAccessAllowed(role, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2)); + + assertThat( + role.application().grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), + is(false) + ); + + final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); + assertThat( + role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"), + is(false) + ); } public void testWatcherAdminRole() { diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfigTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfigTests.java index 2e7e5293c835f..a9b4fa984ea1e 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfigTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfigTests.java @@ -27,8 +27,6 @@ import org.elasticsearch.xpack.core.common.validation.SourceDestValidator.SourceDestValidation; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue.Level; -import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper; -import org.elasticsearch.xpack.core.security.user.User; import org.elasticsearch.xpack.core.transform.AbstractSerializingTransformTestCase; import org.elasticsearch.xpack.core.transform.TransformConfigVersion; import org.elasticsearch.xpack.core.transform.TransformDeprecations; 
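Review bot: The rewritten testTransformAdminRole and testTransformUserRole no longer pin that the removed names are gone, so re-introducing a `data_frame_transforms_*` entry in ReservedRolesStore would not fail any test; the positive `isReserved` assertions in the testIsReserved hunk above were deleted rather than inverted. Add `assertThat(ReservedRolesStore.isReserved("data_frame_transforms_admin"), is(false));` and the `_user` counterpart there or at the top of these two tests, and — if `ReservedRolesStore.roleDescriptor` returns null for unknown names, as the retained `assertNotNull(roleDescriptor)` suggests — `assertNull(ReservedRolesStore.roleDescriptor("data_frame_transforms_admin"));` as well. Separately, `final String allowedApplicationActionPattern = "example/custom/action/*";` is now dead in both tests because the `reserved_ml_user` lookup it fed was removed; drop it, and the now-constant `List lookup = List.of();` can be inlined into the `Role.buildFromRoleDescriptor` call. Fail-closed is the right direction for a reserved-role removal (principals or role mappings still naming the old roles lose transform access rather than silently keeping it), which matches the changelog entry; a negative test is what keeps it that way.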
@@ -46,7 +44,6 @@ import java.util.Map; import static org.elasticsearch.test.TestMatchers.matchesPattern; -import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.AUTHENTICATION_KEY; import static org.elasticsearch.xpack.core.transform.transforms.DestConfigTests.randomDestConfig; import static org.elasticsearch.xpack.core.transform.transforms.SourceConfigTests.randomInvalidSourceConfig; import static org.elasticsearch.xpack.core.transform.transforms.SourceConfigTests.randomSourceConfig; @@ -61,8 +58,6 @@ public class TransformConfigTests extends AbstractSerializingTransformTestCase roles) throws IOException { - var authentication = AuthenticationTestHelper.builder() - .realm() - .user(new User(randomAlphaOfLength(10), roles.toArray(String[]::new))) - .build(); - Map headers = Map.of(AUTHENTICATION_KEY, authentication.encode()); - TransformConfig deprecatedConfig = randomTransformConfigWithHeaders(headers); - - // important: checkForDeprecations does _not_ create new deprecation warnings - assertThat( - deprecatedConfig.checkForDeprecations(xContentRegistry()), - equalTo( - List.of( - new DeprecationIssue( - Level.CRITICAL, - "Transform [" + deprecatedConfig.getId() + "] uses deprecated transform roles " + roles, - TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_BREAKING_CHANGES_URL, - TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_IS_DEPRECATED, - false, - null - ) - ) - ) - ); - } - public void testSerializingMetadataPreservesOrder() throws IOException { String json = Strings.format(""" {