From 108097560ec246d1632d6aeeafeec4f91750ab39 Mon Sep 17 00:00:00 2001 From: dan-rubinstein Date: Fri, 22 Nov 2024 14:23:37 -0500 Subject: [PATCH 01/13] Deprecating data_frame_transforms roles --- .../security/bulk-create-roles.asciidoc | 2 +- .../security/get-builtin-privileges.asciidoc | 2 - .../authorization/built-in-roles.asciidoc | 12 - .../authorization/privileges.asciidoc | 6 - .../privilege/ClusterPrivilegeResolver.java | 10 - .../authz/store/ReservedRolesStore.java | 64 ----- .../authz/store/ReservedRolesStoreTests.java | 242 ++++++------------ .../TransformInsufficientPermissionsIT.java | 2 +- 8 files changed, 79 insertions(+), 261 deletions(-) diff --git a/docs/reference/rest-api/security/bulk-create-roles.asciidoc b/docs/reference/rest-api/security/bulk-create-roles.asciidoc index 37f49f2445770..bf8680b0c8491 100644 --- a/docs/reference/rest-api/security/bulk-create-roles.asciidoc +++ b/docs/reference/rest-api/security/bulk-create-roles.asciidoc 
@@ -328,7 +328,7 @@ The result would then have the `errors` field set to `true` and hold the error f "details": { "my_admin_role": { <4> "type": "action_request_validation_exception", - "reason": "Validation Failed: 1: unknown cluster privilege [bad_cluster_privilege]. a privilege must be either one of the predefined cluster privilege names [manage_own_api_key,manage_data_stream_global_retention,monitor_data_stream_global_retention,none,cancel_task,cross_cluster_replication,cross_cluster_search,delegate_pki,grant_api_key,manage_autoscaling,manage_index_templates,manage_logstash_pipelines,manage_oidc,manage_saml,manage_search_application,manage_search_query_rules,manage_search_synonyms,manage_service_account,manage_token,manage_user_profile,monitor_connector,monitor_enrich,monitor_inference,monitor_ml,monitor_rollup,monitor_snapshot,monitor_stats,monitor_text_structure,monitor_watcher,post_behavioral_analytics_event,read_ccr,read_connector_secrets,read_fleet_secrets,read_ilm,read_pipeline,read_security,read_slm,transport_client,write_connector_secrets,write_fleet_secrets,create_snapshot,manage_behavioral_analytics,manage_ccr,manage_connector,manage_enrich,manage_ilm,manage_inference,manage_ml,manage_rollup,manage_slm,manage_watcher,monitor_data_frame_transforms,monitor_transform,manage_api_key,manage_ingest_pipelines,manage_pipeline,manage_data_frame_transforms,manage_transform,manage_security,monitor,manage,all] or a pattern over one of the available cluster actions;" + "reason": "Validation Failed: 1: unknown cluster privilege [bad_cluster_privilege]. 
a privilege must be either one of the predefined cluster privilege names [manage_own_api_key,manage_data_stream_global_retention,monitor_data_stream_global_retention,none,cancel_task,cross_cluster_replication,cross_cluster_search,delegate_pki,grant_api_key,manage_autoscaling,manage_index_templates,manage_logstash_pipelines,manage_oidc,manage_saml,manage_search_application,manage_search_query_rules,manage_search_synonyms,manage_service_account,manage_token,manage_user_profile,monitor_connector,monitor_enrich,monitor_inference,monitor_ml,monitor_rollup,monitor_snapshot,monitor_stats,monitor_text_structure,monitor_watcher,post_behavioral_analytics_event,read_ccr,read_connector_secrets,read_fleet_secrets,read_ilm,read_pipeline,read_security,read_slm,transport_client,write_connector_secrets,write_fleet_secrets,create_snapshot,manage_behavioral_analytics,manage_ccr,manage_connector,manage_enrich,manage_ilm,manage_inference,manage_ml,manage_rollup,manage_slm,manage_watcher,monitor_transform,manage_api_key,manage_ingest_pipelines,manage_pipeline,manage_transform,manage_security,monitor,manage,all] or a pattern over one of the available cluster actions;" } } } diff --git a/docs/reference/rest-api/security/get-builtin-privileges.asciidoc b/docs/reference/rest-api/security/get-builtin-privileges.asciidoc index 7f3d75b926780..4c5a95d3246a5 100644 --- a/docs/reference/rest-api/security/get-builtin-privileges.asciidoc +++ b/docs/reference/rest-api/security/get-builtin-privileges.asciidoc @@ -78,7 +78,6 @@ A successful call returns an object with "cluster", "index", and "remote_cluster "manage_behavioral_analytics", "manage_ccr", "manage_connector", - "manage_data_frame_transforms", "manage_data_stream_global_retention", "manage_enrich", "manage_ilm", 
@@ -104,7 +103,6 @@ A successful call returns an object with "cluster", "index", and "remote_cluster "manage_watcher", "monitor", "monitor_connector", - "monitor_data_frame_transforms", "monitor_data_stream_global_retention", "monitor_enrich", "monitor_inference", diff --git a/docs/reference/security/authorization/built-in-roles.asciidoc b/docs/reference/security/authorization/built-in-roles.asciidoc index d730587e7db17..73f42a7a0ab36 100644 --- a/docs/reference/security/authorization/built-in-roles.asciidoc +++ b/docs/reference/security/authorization/built-in-roles.asciidoc @@ -33,18 +33,6 @@ suitable for writing beats output to {es}. -- -[[built-in-roles-data-frame-transforms-admin]] `data_frame_transforms_admin` :: -Grants `manage_data_frame_transforms` cluster privileges, which enable you to -manage {transforms}. This role also includes all -{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. -deprecated:[7.5.0,"Replaced by <>"]. - -[[built-in-roles-data-frame-transforms-user]] `data_frame_transforms_user` :: -Grants `monitor_data_frame_transforms` cluster privileges, which enable you to -use {transforms}. This role also includes all -{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. -deprecated:[7.5.0,"Replaced by <>"]. - [[built-in-roles-editor]] `editor` :: Grants full access to all features in {kib} (including Solutions) and read-only access to data indices. diff --git a/docs/reference/security/authorization/privileges.asciidoc b/docs/reference/security/authorization/privileges.asciidoc index 3b69e5c1ba984..aa2341e465998 100644 --- a/docs/reference/security/authorization/privileges.asciidoc +++ b/docs/reference/security/authorization/privileges.asciidoc 
@@ -95,12 +95,6 @@ only on clusters that contain follower indices. + This privilege is not available in {serverless-full}. -`manage_data_frame_transforms`:: -All operations related to managing {transforms}. -deprecated[7.5] Use `manage_transform` instead. -+ -This privilege is not available in {serverless-full}. - `manage_data_stream_global_retention`:: This privilege has no effect.deprecated[8.16]
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
index 00d45fb135fb2..56e689dbf94b5 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
@@ -234,10 +234,6 @@ public class ClusterPrivilegeResolver {
         MONITOR_INFERENCE_PATTERN
     );
     public static final NamedClusterPrivilege MONITOR_ML = new ActionClusterPrivilege("monitor_ml", MONITOR_ML_PATTERN);
-    public static final NamedClusterPrivilege MONITOR_TRANSFORM_DEPRECATED = new ActionClusterPrivilege(
-        "monitor_data_frame_transforms",
-        MONITOR_TRANSFORM_PATTERN
-    );
     public static final NamedClusterPrivilege MONITOR_TEXT_STRUCTURE = new ActionClusterPrivilege(
         "monitor_text_structure",
         MONITOR_TEXT_STRUCTURE_PATTERN
@@ -253,10 +249,6 @@ public class ClusterPrivilegeResolver {
     public static final NamedClusterPrivilege MANAGE = new ActionClusterPrivilege("manage", ALL_CLUSTER_PATTERN, ALL_SECURITY_PATTERN);
     public static final NamedClusterPrivilege MANAGE_INFERENCE = new ActionClusterPrivilege("manage_inference", MANAGE_INFERENCE_PATTERN);
     public static final NamedClusterPrivilege MANAGE_ML = new ActionClusterPrivilege("manage_ml", MANAGE_ML_PATTERN);
-    public static final NamedClusterPrivilege MANAGE_TRANSFORM_DEPRECATED = new ActionClusterPrivilege(
-        "manage_data_frame_transforms",
-        MANAGE_TRANSFORM_PATTERN
-    );
     public static final NamedClusterPrivilege MANAGE_TRANSFORM = new ActionClusterPrivilege("manage_transform", MANAGE_TRANSFORM_PATTERN);
     public static final NamedClusterPrivilege MANAGE_TOKEN = new ActionClusterPrivilege("manage_token", MANAGE_TOKEN_PATTERN);
     public static final NamedClusterPrivilege MANAGE_WATCHER = new ActionClusterPrivilege("manage_watcher", MANAGE_WATCHER_PATTERN);
@@ -426,7 +418,6 @@ public class ClusterPrivilegeResolver {
         MONITOR_INFERENCE,
         MONITOR_ML,
         MONITOR_TEXT_STRUCTURE,
-        MONITOR_TRANSFORM_DEPRECATED,
         MONITOR_TRANSFORM,
         MONITOR_WATCHER,
         MONITOR_ROLLUP,
@@ -436,7 +427,6 @@ public class ClusterPrivilegeResolver {
         MANAGE_CONNECTOR,
         MANAGE_INFERENCE,
         MANAGE_ML,
-        MANAGE_TRANSFORM_DEPRECATED,
         MANAGE_TRANSFORM,
         MANAGE_TOKEN,
         MANAGE_WATCHER,
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index fc14ec6811014..4dd09c69ff6f3 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -519,70 +519,6 @@ private static Map initializeReservedRoles() { + "and roles that grant access to Kibana." ) ), - // DEPRECATED: to be removed in 9.0.0 - entry( - "data_frame_transforms_admin", - new RoleDescriptor( - "data_frame_transforms_admin", - new String[] { "manage_data_frame_transforms" }, - new RoleDescriptor.IndicesPrivileges[] { - RoleDescriptor.IndicesPrivileges.builder() - .indices( - TransformInternalIndexConstants.AUDIT_INDEX_PATTERN, - TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED, - TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS - ) - .privileges("view_index_metadata", "read") - .build() }, - new RoleDescriptor.ApplicationResourcePrivileges[] { - RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*") - .resources("*") - .privileges("reserved_ml_user") - .build() }, - null, - null, - MetadataUtils.getDeprecatedReservedMetadata("Please use the [transform_admin] role instead"), - null, - null, - null, - null, - "Grants manage_data_frame_transforms cluster privileges, which enable you to manage transforms. " - + "This role also includes all Kibana privileges for the machine learning features." 
- ) - ), - // DEPRECATED: to be removed in 9.0.0 - entry( - "data_frame_transforms_user", - new RoleDescriptor( - "data_frame_transforms_user", - new String[] { "monitor_data_frame_transforms" }, - new RoleDescriptor.IndicesPrivileges[] { - RoleDescriptor.IndicesPrivileges.builder() - .indices( - TransformInternalIndexConstants.AUDIT_INDEX_PATTERN, - TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED, - TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS - ) - .privileges("view_index_metadata", "read") - .build() }, - new RoleDescriptor.ApplicationResourcePrivileges[] { - RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*") - .resources("*") - .privileges("reserved_ml_user") - .build() }, - null, - null, - MetadataUtils.getDeprecatedReservedMetadata("Please use the [transform_user] role instead"), - null, - null, - null, - null, - "Grants monitor_data_frame_transforms cluster privileges, which enable you to use transforms. " - + "This role also includes all Kibana privileges for the machine learning features. " - ) - ), entry( "transform_admin", new RoleDescriptor( diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 17579fd6368ce..420b5734b9b16 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java 
@@ -276,8 +276,6 @@ public void testIsReserved() {
         assertThat(ReservedRolesStore.isReserved("reporting_user"), is(true));
         assertThat(ReservedRolesStore.isReserved("machine_learning_user"), is(true));
         assertThat(ReservedRolesStore.isReserved("machine_learning_admin"), is(true));
-        assertThat(ReservedRolesStore.isReserved("data_frame_transforms_user"), is(true));
-        assertThat(ReservedRolesStore.isReserved("data_frame_transforms_admin"), is(true));
         assertThat(ReservedRolesStore.isReserved("transform_user"), is(true));
         assertThat(ReservedRolesStore.isReserved("transform_admin"), is(true));
         assertThat(ReservedRolesStore.isReserved("watcher_user"), is(true));
@@ -3348,183 +3346,97 @@ public void testTransformAdminRole() { final TransportRequest request = mock(TransportRequest.class); final Authentication authentication = AuthenticationTestHelper.builder().build(); - RoleDescriptor[] roleDescriptors = { - ReservedRolesStore.roleDescriptor("data_frame_transforms_admin"), - ReservedRolesStore.roleDescriptor("transform_admin") }; + RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("transform_admin"); - for (RoleDescriptor roleDescriptor : roleDescriptors) { - assertNotNull(roleDescriptor); - assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); - if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { - assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true)); - } else { - assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true))); - } + assertNotNull(roleDescriptor); + assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); + assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true))); - final String allowedApplicationActionPattern = "example/custom/action/*"; - final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); - List lookup = roleDescriptor.getName().equals("data_frame_transforms_admin") - ? 
List.of( - new ApplicationPrivilegeDescriptor( - kibanaApplicationWithRandomIndex, - "reserved_ml_user", - Set.of(allowedApplicationActionPattern), - Map.of() - ) - ) - : List.of(); - Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES, lookup); - assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(PreviewTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(PutTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(StartTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(StopTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); - - assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS); - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN); - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED); - assertNoAccessAllowed(role, "foo"); - assertNoAccessAllowed(role, TransformInternalIndexConstants.LATEST_INDEX_NAME); // internal use only - - assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES); - assertNoAccessAllowed(role, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2)); - - assertThat( - role.application() - .grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), - is(false) - ); + final String allowedApplicationActionPattern = 
"example/custom/action/*"; + final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); + List lookup = List.of(); + Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES, lookup); + assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(PreviewTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(PutTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(StartTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(StopTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); - if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { - assertThat( - role.application() - .grants( - ApplicationPrivilegeTests.createPrivilege( - kibanaApplicationWithRandomIndex, - "app-reserved_ml", - allowedApplicationActionPattern - ), - "*" - ), - is(true) - ); - } + assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); - assertThat( - role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"), - is(false) - ); - if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { - assertThat( - role.application() - .grants( - ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-reserved_ml", allowedApplicationActionPattern), - "*" - ), - is(false) - ); - } - } + assertOnlyReadAllowed(role, 
TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS); + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN); + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED); + assertNoAccessAllowed(role, "foo"); + assertNoAccessAllowed(role, TransformInternalIndexConstants.LATEST_INDEX_NAME); // internal use only + + assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES); + assertNoAccessAllowed(role, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2)); + + assertThat( + role.application().grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), + is(false) + ); + + final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); + assertThat( + role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"), + is(false) + ); } public void testTransformUserRole() { final TransportRequest request = mock(TransportRequest.class); final Authentication authentication = AuthenticationTestHelper.builder().build(); - RoleDescriptor[] roleDescriptors = { - ReservedRolesStore.roleDescriptor("data_frame_transforms_user"), - ReservedRolesStore.roleDescriptor("transform_user") }; + RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("transform_user"); - for (RoleDescriptor roleDescriptor : roleDescriptors) { - assertNotNull(roleDescriptor); - assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); - if (roleDescriptor.getName().equals("data_frame_transforms_user")) { - assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true)); - } else { - assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true))); - } + assertNotNull(roleDescriptor); + assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); + assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true))); - final String 
allowedApplicationActionPattern = "example/custom/action/*"; - final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); - List lookup = roleDescriptor.getName().equals("data_frame_transforms_user") - ? List.of( - new ApplicationPrivilegeDescriptor( - kibanaApplicationWithRandomIndex, - "reserved_ml_user", - Set.of(allowedApplicationActionPattern), - Map.of() - ) - ) - : List.of(); - Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES, lookup); - assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true)); - assertThat(role.cluster().check(PreviewTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(PutTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(StartTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(StopTransformAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(ActivateProfileAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(SuggestProfilesAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(UpdateProfileDataAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(GetProfilesAction.NAME, request, authentication), is(false)); - assertThat(role.cluster().check(ProfileHasPrivilegesAction.NAME, request, authentication), is(false)); - - assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - - assertOnlyReadAllowed(role, 
TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS); - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN); - assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED); - assertNoAccessAllowed(role, "foo"); - assertNoAccessAllowed(role, TransformInternalIndexConstants.LATEST_INDEX_NAME); - - assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES); - assertNoAccessAllowed(role, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2)); - - assertThat( - role.application() - .grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), - is(false) - ); + final String allowedApplicationActionPattern = "example/custom/action/*"; + final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); + List lookup = List.of(); + Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES, lookup); + assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true)); + assertThat(role.cluster().check(PreviewTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(PutTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(StartTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(StopTransformAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(ActivateProfileAction.NAME, request, authentication), is(false)); + 
assertThat(role.cluster().check(SuggestProfilesAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(UpdateProfileDataAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(GetProfilesAction.NAME, request, authentication), is(false)); + assertThat(role.cluster().check(ProfileHasPrivilegesAction.NAME, request, authentication), is(false)); - if (roleDescriptor.getName().equals("data_frame_transforms_user")) { - assertThat( - role.application() - .grants( - ApplicationPrivilegeTests.createPrivilege( - kibanaApplicationWithRandomIndex, - "app-reserved_ml", - allowedApplicationActionPattern - ), - "*" - ), - is(true) - ); - } + assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); - assertThat( - role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"), - is(false) - ); - if (roleDescriptor.getName().equals("data_frame_transforms_user")) { - assertThat( - role.application() - .grants( - ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-reserved_ml", allowedApplicationActionPattern), - "*" - ), - is(false) - ); - } - } + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS); + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN); + assertOnlyReadAllowed(role, TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED); + assertNoAccessAllowed(role, "foo"); + assertNoAccessAllowed(role, TransformInternalIndexConstants.LATEST_INDEX_NAME); + + assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES); + assertNoAccessAllowed(role, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2)); + + assertThat( + role.application().grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), + is(false) + ); + + 
final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); + assertThat( + role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"), + is(false) + ); } public void testWatcherAdminRole() { diff --git a/x-pack/plugin/transform/qa/multi-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java b/x-pack/plugin/transform/qa/multi-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java index d3d86571e002f..872df710fdbcf 100644 --- a/x-pack/plugin/transform/qa/multi-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java +++ b/x-pack/plugin/transform/qa/multi-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java @@ -352,7 +352,7 @@ private void testNoTransformAdminRole(boolean deferValidation, boolean unattende containsString( Strings.format( "action [cluster:admin/transform/put] is unauthorized for user [%s] with effective roles [%s], " - + "this action is granted by the cluster privileges [manage_data_frame_transforms,manage_transform,manage,all]", + + "this action is granted by the cluster privileges [manage_transform,manage,all]", user.username, user.effectiveRoles ) From dafc7dddfa7650aa9f0312d8b5c615902343fdf7 Mon Sep 17 00:00:00 2001 From: Dan Rubinstein Date: Mon, 25 Nov 2024 15:01:10 -0500 Subject: [PATCH 02/13] Update docs/changelog/117519.yaml --- docs/changelog/117519.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/changelog/117519.yaml diff --git a/docs/changelog/117519.yaml b/docs/changelog/117519.yaml new file mode 100644 index 0000000000000..fed513fa04418 --- /dev/null +++ b/docs/changelog/117519.yaml 
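Review bot: `allowedApplicationActionPattern` is now a dead local in both testTransformAdminRole and testTransformUserRole — its only readers were the removed `app-reserved_ml` assertions and the `ApplicationPrivilegeDescriptor` that used to populate `lookup`, which the new code fixes to a constant `List.of()`. Drop the two `final String allowedApplicationActionPattern = "example/custom/action/*";` lines and pass `List.of()` directly to `Role.buildFromRoleDescriptor(...)`. Because the roles and the `manage_data_frame_transforms`/`monitor_data_frame_transforms` privilege names are removed outright here rather than only deprecated (despite the patch subject), the suite should also pin the negative so a silent reintroduction is caught, e.g. `assertThat(ReservedRolesStore.isReserved("data_frame_transforms_admin"), is(false));` and the same for `data_frame_transforms_user` in testIsReserved. testTransformAdminRole's signature sits in the hunk header, before the first visible line of the hunk.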
@@ -0,0 +1,11 @@ +pr: 117519 +summary: Deprecating `data_frame_transforms` roles +area: Machine Learning +type: deprecation +issues: [] +deprecation: + title: Deprecating `data_frame_transforms` roles + area: Machine Learning + details: Please describe the details of this change for the release notes. You can + use asciidoc. + impact: Please describe the impact of this change to users From a3dc6b01077ce29ac492a49e43badb2de718ab67 Mon Sep 17 00:00:00 2001 From: dan-rubinstein Date: Tue, 26 Nov 2024 15:00:20 -0500 Subject: [PATCH 03/13] Update changelog --- docs/changelog/117519.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/changelog/117519.yaml b/docs/changelog/117519.yaml index fed513fa04418..52353085a49a9 100644 --- a/docs/changelog/117519.yaml +++ b/docs/changelog/117519.yaml @@ -5,7 +5,10 @@ type: deprecation issues: [] deprecation: title: Deprecating `data_frame_transforms` roles - area: Machine Learning - details: Please describe the details of this change for the release notes. You can - use asciidoc. - impact: Please describe the impact of this change to users + area: Transform + details: >- + This change removes the `data_frame_transforms_admin`/`data_frame_transforms_user` roles. + These roles have been replaced by the equivalent `transform_admin`/`transform_user` roles. + impact: >- + Usage of the `data_frame_transforms_admin`/`data_frame_transforms_user` roles will no + longer succeed. Users should instead use the equivalent `transform_admin`/`transform_user` roles. From aa4c6e1d7da8d88da49fe3ef85257aa2cc2d2129 Mon Sep 17 00:00:00 2001 From: dan-rubinstein Date: Tue, 10 Dec 2024 14:04:36 -0500 Subject: [PATCH 04/13] Removing deprecation warning --- .../core/transform/TransformDeprecations.java | 7 --- .../transform/transforms/TransformConfig.java | 18 -------- .../transforms/TransformConfigTests.java | 43 ------------------- 3 files changed, 68 deletions(-) 
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java index 1de584d5593f1..79a679441de3a 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java @@ -27,12 +27,5 @@ public class TransformDeprecations { public static final String MAX_PAGE_SEARCH_SIZE_BREAKING_CHANGES_URL = "https://ela.st/es-deprecation-7-transform-max-page-search-size"; - public static final String DATA_FRAME_TRANSFORMS_ROLES_BREAKING_CHANGES_URL = - "https://ela.st/es-deprecation-9-data-frame-transforms-roles"; - - public static final String DATA_FRAME_TRANSFORMS_ROLES_IS_DEPRECATED = "This transform configuration uses one or more obsolete roles " - + "prefixed with [data_frame_transformers_] which will be unsupported after the next upgrade. Switch to a user with the equivalent " - + "roles prefixed with [transform_] and use [/_transform/_upgrade] to upgrade all transforms to the latest roles.";; - private TransformDeprecations() {} } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java index 745da71539992..49f7553637045 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java 
@@ -69,10 +69,6 @@ public final class TransformConfig implements SimpleDiffable, W public static final ParseField HEADERS = new ParseField("headers"); /** Version in which {@code FieldCapabilitiesRequest.runtime_fields} field was introduced. */ private static final TransportVersion FIELD_CAPS_RUNTIME_MAPPINGS_INTRODUCED_TRANSPORT_VERSION = TransportVersions.V_7_12_0; - private static final List DEPRECATED_DATA_FRAME_TRANSFORMS_ROLES = List.of( - "data_frame_transforms_admin", - "data_frame_transforms_user" - ); /** Specifies all the possible transform functions. */ public enum Function { @@ -413,20 +409,6 @@ public List checkForDeprecations(NamedXContentRegistry namedXC retentionPolicyConfig.checkForDeprecations(getId(), namedXContentRegistry, deprecations::add); } - var deprecatedTransformRoles = getRolesFromHeaders().stream().filter(DEPRECATED_DATA_FRAME_TRANSFORMS_ROLES::contains).toList(); - if (deprecatedTransformRoles.isEmpty() == false) { - deprecations.add( - new DeprecationIssue( - Level.CRITICAL, - "Transform [" + id + "] uses deprecated transform roles " + deprecatedTransformRoles, - TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_BREAKING_CHANGES_URL, - TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_IS_DEPRECATED, - false, - null - ) - ); - } - return deprecations; } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfigTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfigTests.java index 2e7e5293c835f..a9b4fa984ea1e 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfigTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfigTests.java 
@@ -27,8 +27,6 @@ import org.elasticsearch.xpack.core.common.validation.SourceDestValidator.SourceDestValidation; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue.Level; -import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper; -import org.elasticsearch.xpack.core.security.user.User; import org.elasticsearch.xpack.core.transform.AbstractSerializingTransformTestCase; import org.elasticsearch.xpack.core.transform.TransformConfigVersion; import org.elasticsearch.xpack.core.transform.TransformDeprecations; @@ -46,7 +44,6 @@ import java.util.Map; import static org.elasticsearch.test.TestMatchers.matchesPattern; -import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.AUTHENTICATION_KEY; import static org.elasticsearch.xpack.core.transform.transforms.DestConfigTests.randomDestConfig; import static org.elasticsearch.xpack.core.transform.transforms.SourceConfigTests.randomInvalidSourceConfig; import static org.elasticsearch.xpack.core.transform.transforms.SourceConfigTests.randomSourceConfig; 
@@ -61,8 +58,6 @@ public class TransformConfigTests extends AbstractSerializingTransformTestCase roles) throws IOException { - var authentication = AuthenticationTestHelper.builder() - .realm() - .user(new User(randomAlphaOfLength(10), roles.toArray(String[]::new))) - .build(); - Map headers = Map.of(AUTHENTICATION_KEY, authentication.encode()); - TransformConfig deprecatedConfig = randomTransformConfigWithHeaders(headers); - - // important: checkForDeprecations does _not_ create new deprecation warnings - assertThat( - deprecatedConfig.checkForDeprecations(xContentRegistry()), - equalTo( - List.of( - new DeprecationIssue( - Level.CRITICAL, - "Transform [" + deprecatedConfig.getId() + "] uses deprecated transform roles " + roles, - TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_BREAKING_CHANGES_URL, - TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_IS_DEPRECATED, - false, - null - ) - ) - ) - ); - } - public void testSerializingMetadataPreservesOrder() throws IOException { String json = Strings.format(""" { From ffcf7ae90242949be623eff7f2e01562d311648b Mon Sep 17 00:00:00 2001 From: dan-rubinstein Date: Tue, 10 Dec 2024 14:54:35 -0500 Subject: [PATCH 05/13] Cleaning up unused role retrieval function --- .../transform/transforms/TransformConfig.java | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java index 49f7553637045..d84040aaf7a85 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java 
@@ -24,13 +24,11 @@ import org.elasticsearch.xcontent.ToXContentObject; import org.elasticsearch.xcontent.XContentBuilder; import org.elasticsearch.xcontent.XContentParser; -import org.elasticsearch.xpack.core.ClientHelper; import org.elasticsearch.xpack.core.common.time.TimeUtils; import org.elasticsearch.xpack.core.common.validation.SourceDestValidator; import org.elasticsearch.xpack.core.common.validation.SourceDestValidator.SourceDestValidation; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue.Level; -import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer; import org.elasticsearch.xpack.core.security.xcontent.XContentUtils; import org.elasticsearch.xpack.core.transform.TransformConfigVersion; import org.elasticsearch.xpack.core.transform.TransformDeprecations; @@ -43,7 +41,6 @@ import java.io.IOException; import java.time.Instant; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Locale; @@ -52,7 +49,6 @@ import static org.elasticsearch.xcontent.ConstructingObjectParser.constructorArg; import static org.elasticsearch.xcontent.ConstructingObjectParser.optionalConstructorArg; -import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.AUTHENTICATION_KEY; /** * This class holds the configuration details of a data frame transform 
@@ -412,20 +408,6 @@ public List checkForDeprecations(NamedXContentRegistry namedXC return deprecations; } - private List getRolesFromHeaders() throws IOException { - if (headers == null) { - return Collections.emptyList(); - } - - var encodedAuthenticationHeader = ClientHelper.filterSecurityHeaders(headers).getOrDefault(AUTHENTICATION_KEY, ""); - if (encodedAuthenticationHeader.isEmpty()) { - return Collections.emptyList(); - } - - var decodedAuthenticationHeader = AuthenticationContextSerializer.decode(encodedAuthenticationHeader); - return Arrays.asList(decodedAuthenticationHeader.getEffectiveSubject().getUser().roles()); - } - @Override public void writeTo(final StreamOutput out) throws IOException { out.writeString(id); From 6f30bf2eae84583214acfc098cd08356a5f35c79 Mon Sep 17 00:00:00 2001 From: Dan Rubinstein Date: Mon, 23 Dec 2024 15:56:07 -0500 Subject: [PATCH 06/13] Update docs/changelog/117519.yaml --- docs/changelog/117519.yaml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/docs/changelog/117519.yaml b/docs/changelog/117519.yaml index 52353085a49a9..a2cff1eb21e04 100644 --- a/docs/changelog/117519.yaml +++ b/docs/changelog/117519.yaml 
@@ -1,14 +1,21 @@ pr: 117519 summary: Deprecating `data_frame_transforms` roles area: Machine Learning -type: deprecation +type: breaking issues: [] +breaking: + title: Deprecating `data_frame_transforms` roles + area: Machine Learning + details: Please describe the details of this change for the release notes. You can + use asciidoc. + impact: Please describe the impact of this change to users + notable: false deprecation: title: Deprecating `data_frame_transforms` roles area: Transform - details: >- - This change removes the `data_frame_transforms_admin`/`data_frame_transforms_user` roles. - These roles have been replaced by the equivalent `transform_admin`/`transform_user` roles. - impact: >- - Usage of the `data_frame_transforms_admin`/`data_frame_transforms_user` roles will no - longer succeed. Users should instead use the equivalent `transform_admin`/`transform_user` roles. + details: This change removes the `data_frame_transforms_admin`/`data_frame_transforms_user` + roles. These roles have been replaced by the equivalent `transform_admin`/`transform_user` + roles. + impact: Usage of the `data_frame_transforms_admin`/`data_frame_transforms_user` + roles will no longer succeed. Users should instead use the equivalent `transform_admin`/`transform_user` + roles. From 418c261c701564f90597fde47673e5573b6a5510 Mon Sep 17 00:00:00 2001 From: Pat Whelan Date: Mon, 23 Dec 2024 16:36:54 -0500 Subject: [PATCH 07/13] Update changelog with breaking change details --- docs/changelog/117519.yaml | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/docs/changelog/117519.yaml b/docs/changelog/117519.yaml index a2cff1eb21e04..8faa23c9d9657 100644 --- a/docs/changelog/117519.yaml +++ b/docs/changelog/117519.yaml 
@@ -1,21 +1,20 @@ pr: 117519 summary: Deprecating `data_frame_transforms` roles -area: Machine Learning +area: Transform type: breaking issues: [] breaking: - title: Deprecating `data_frame_transforms` roles + title: Remove `data_frame_transforms` roles area: Machine Learning - details: Please describe the details of this change for the release notes. You can - use asciidoc. - impact: Please describe the impact of this change to users + details: >- + `data_frame_transforms_admin` and `data_frame_transforms_user` were deprecated in + Elasticsearch 7 and are being removed in Elasticsearch 9. + `data_frame_transforms_admin` is now `transform_admin`. + `data_frame_transforms_user` is now `transform_user`. + Users must call the `_update` API to replace the permissions on the Transform before the + Transform can be started. + impact: >- + Transforms created with either the `data_frame_transforms_admin` or the + `data_frame_transforms_user` role will fail to start. The Transform will remain + in a `stopped` state, and its health will be red while displaying permission failures. notable: false -deprecation: - title: Deprecating `data_frame_transforms` roles - area: Transform - details: This change removes the `data_frame_transforms_admin`/`data_frame_transforms_user` - roles. These roles have been replaced by the equivalent `transform_admin`/`transform_user` - roles. - impact: Usage of the `data_frame_transforms_admin`/`data_frame_transforms_user` - roles will no longer succeed. Users should instead use the equivalent `transform_admin`/`transform_user` - roles. From 713f2065d4d328a2ac1d89a2d8eddbfef0bd32a0 Mon Sep 17 00:00:00 2001 From: Pat Whelan Date: Thu, 26 Dec 2024 08:40:39 -0500 Subject: [PATCH 08/13] Revert ClusterPrivilegeResolver --- .../authz/privilege/ClusterPrivilegeResolver.java | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java index 56e689dbf94b5..00d45fb135fb2 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java @@ -234,6 +234,10 @@ public class ClusterPrivilegeResolver { MONITOR_INFERENCE_PATTERN ); public static final NamedClusterPrivilege MONITOR_ML = new ActionClusterPrivilege("monitor_ml", MONITOR_ML_PATTERN); + public static final NamedClusterPrivilege MONITOR_TRANSFORM_DEPRECATED = new ActionClusterPrivilege( + "monitor_data_frame_transforms", + MONITOR_TRANSFORM_PATTERN + ); public static final NamedClusterPrivilege MONITOR_TEXT_STRUCTURE = new ActionClusterPrivilege( "monitor_text_structure", MONITOR_TEXT_STRUCTURE_PATTERN 
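Review bot: `MONITOR_TRANSFORM_DEPRECATED` is reintroduced with no comment explaining why a privilege whose name the docs mark `deprecated[7.5]` is still registered with the full `MONITOR_TRANSFORM_PATTERN`; a reader of this file cannot tell whether it is an alias deliberately kept for existing role definitions or a leftover that can be dropped. Suggest a comment above the field such as `// Pre-7.5 name of monitor_transform, kept as a full alias so existing roles that reference it keep the same grants; remove only together with the docs and TransformInsufficientPermissionsIT.` The same applies to `MANAGE_TRANSFORM_DEPRECATED` in the next hunk and to the two hunks in patch 11 that restore these patterns. The placement of the `_DEPRECATED` entries ahead of the non-deprecated ones in the privilege lists appears to be what yields the `[manage_data_frame_transforms,manage_transform,manage,all]` ordering that the docs and the patch-13 test assert, so a one-line comment at those list insertions would also help.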
@@ -249,6 +253,10 @@ public class ClusterPrivilegeResolver { public static final NamedClusterPrivilege MANAGE = new ActionClusterPrivilege("manage", ALL_CLUSTER_PATTERN, ALL_SECURITY_PATTERN); public static final NamedClusterPrivilege MANAGE_INFERENCE = new ActionClusterPrivilege("manage_inference", MANAGE_INFERENCE_PATTERN); public static final NamedClusterPrivilege MANAGE_ML = new ActionClusterPrivilege("manage_ml", MANAGE_ML_PATTERN); + public static final NamedClusterPrivilege MANAGE_TRANSFORM_DEPRECATED = new ActionClusterPrivilege( + "manage_data_frame_transforms", + MANAGE_TRANSFORM_PATTERN + ); public static final NamedClusterPrivilege MANAGE_TRANSFORM = new ActionClusterPrivilege("manage_transform", MANAGE_TRANSFORM_PATTERN); public static final NamedClusterPrivilege MANAGE_TOKEN = new ActionClusterPrivilege("manage_token", MANAGE_TOKEN_PATTERN); public static final NamedClusterPrivilege MANAGE_WATCHER = new ActionClusterPrivilege("manage_watcher", MANAGE_WATCHER_PATTERN); @@ -418,6 +426,7 @@ public class ClusterPrivilegeResolver { MONITOR_INFERENCE, MONITOR_ML, MONITOR_TEXT_STRUCTURE, + MONITOR_TRANSFORM_DEPRECATED, MONITOR_TRANSFORM, MONITOR_WATCHER, MONITOR_ROLLUP, @@ -427,6 +436,7 @@ public class ClusterPrivilegeResolver { MANAGE_CONNECTOR, MANAGE_INFERENCE, MANAGE_ML, + MANAGE_TRANSFORM_DEPRECATED, MANAGE_TRANSFORM, MANAGE_TOKEN, MANAGE_WATCHER, From 4599256dcf23b802c1256a5ad870322d56e22dba Mon Sep 17 00:00:00 2001 From: Pat Whelan Date: Thu, 26 Dec 2024 08:43:00 -0500 Subject: [PATCH 09/13] Remove Deprecated Transform Role permissions --- .../security/authz/privilege/ClusterPrivilegeResolver.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java index 00d45fb135fb2..21fd9d478fd19 100644 
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java @@ -236,7 +236,7 @@ public class ClusterPrivilegeResolver { public static final NamedClusterPrivilege MONITOR_ML = new ActionClusterPrivilege("monitor_ml", MONITOR_ML_PATTERN); public static final NamedClusterPrivilege MONITOR_TRANSFORM_DEPRECATED = new ActionClusterPrivilege( "monitor_data_frame_transforms", - MONITOR_TRANSFORM_PATTERN + Set.of() ); public static final NamedClusterPrivilege MONITOR_TEXT_STRUCTURE = new ActionClusterPrivilege( "monitor_text_structure", @@ -255,7 +255,7 @@ public class ClusterPrivilegeResolver { public static final NamedClusterPrivilege MANAGE_ML = new ActionClusterPrivilege("manage_ml", MANAGE_ML_PATTERN); public static final NamedClusterPrivilege MANAGE_TRANSFORM_DEPRECATED = new ActionClusterPrivilege( "manage_data_frame_transforms", - MANAGE_TRANSFORM_PATTERN + Set.of() ); public static final NamedClusterPrivilege MANAGE_TRANSFORM = new ActionClusterPrivilege("manage_transform", MANAGE_TRANSFORM_PATTERN); public static final NamedClusterPrivilege MANAGE_TOKEN = new ActionClusterPrivilege("manage_token", MANAGE_TOKEN_PATTERN); From 485f0dab36295e00097b1b19513c0243387052c4 Mon Sep 17 00:00:00 2001 From: Pat Whelan Date: Fri, 27 Dec 2024 08:04:04 -0500 Subject: [PATCH 10/13] Update docs/changelog/117519.yaml Co-authored-by: Nikolaj Volgushev --- docs/changelog/117519.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/changelog/117519.yaml b/docs/changelog/117519.yaml index 8faa23c9d9657..e1a2504f630b7 100644 --- a/docs/changelog/117519.yaml +++ b/docs/changelog/117519.yaml @@ -1,5 +1,5 @@ pr: 117519 -summary: Deprecating `data_frame_transforms` roles +summary: Remove `data_frame_transforms` roles area: Transform type: breaking issues: [] 
From bb6e4f74f4f0fd054879de8f60e018057eab2803 Mon Sep 17 00:00:00 2001 From: Pat Whelan Date: Fri, 27 Dec 2024 08:05:53 -0500 Subject: [PATCH 11/13] Revert "Remove Deprecated Transform Role permissions" This reverts commit 4599256dcf23b802c1256a5ad870322d56e22dba. --- .../security/authz/privilege/ClusterPrivilegeResolver.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java index 21fd9d478fd19..00d45fb135fb2 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java @@ -236,7 +236,7 @@ public class ClusterPrivilegeResolver { public static final NamedClusterPrivilege MONITOR_ML = new ActionClusterPrivilege("monitor_ml", MONITOR_ML_PATTERN); public static final NamedClusterPrivilege MONITOR_TRANSFORM_DEPRECATED = new ActionClusterPrivilege( "monitor_data_frame_transforms", - Set.of() + MONITOR_TRANSFORM_PATTERN ); public static final NamedClusterPrivilege MONITOR_TEXT_STRUCTURE = new ActionClusterPrivilege( "monitor_text_structure", 
@@ -255,7 +255,7 @@ public class ClusterPrivilegeResolver { public static final NamedClusterPrivilege MANAGE_ML = new ActionClusterPrivilege("manage_ml", MANAGE_ML_PATTERN); public static final NamedClusterPrivilege MANAGE_TRANSFORM_DEPRECATED = new ActionClusterPrivilege( "manage_data_frame_transforms", - Set.of() + MANAGE_TRANSFORM_PATTERN ); public static final NamedClusterPrivilege MANAGE_TRANSFORM = new ActionClusterPrivilege("manage_transform", MANAGE_TRANSFORM_PATTERN); public static final NamedClusterPrivilege MANAGE_TOKEN = new ActionClusterPrivilege("manage_token", MANAGE_TOKEN_PATTERN); From f4bd0739ce0fd8a1c4ed08c8003677571e645c3d Mon Sep 17 00:00:00 2001 From: Pat Whelan Date: Fri, 27 Dec 2024 08:10:55 -0500 Subject: [PATCH 12/13] Revert docs, update changelog --- docs/changelog/117519.yaml | 2 +- docs/reference/rest-api/security/bulk-create-roles.asciidoc | 2 +- .../rest-api/security/get-builtin-privileges.asciidoc | 2 ++ docs/reference/security/authorization/privileges.asciidoc | 6 ++++++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/changelog/117519.yaml b/docs/changelog/117519.yaml index e1a2504f630b7..f228278983785 100644 --- a/docs/changelog/117519.yaml +++ b/docs/changelog/117519.yaml @@ -5,7 +5,7 @@ type: breaking issues: [] breaking: title: Remove `data_frame_transforms` roles - area: Machine Learning + area: Transform details: >- `data_frame_transforms_admin` and `data_frame_transforms_user` were deprecated in Elasticsearch 7 and are being removed in Elasticsearch 9. diff --git a/docs/reference/rest-api/security/bulk-create-roles.asciidoc b/docs/reference/rest-api/security/bulk-create-roles.asciidoc index bf8680b0c8491..37f49f2445770 100644 --- a/docs/reference/rest-api/security/bulk-create-roles.asciidoc +++ b/docs/reference/rest-api/security/bulk-create-roles.asciidoc 
@@ -328,7 +328,7 @@ The result would then have the `errors` field set to `true` and hold the error f "details": { "my_admin_role": { <4> "type": "action_request_validation_exception", - "reason": "Validation Failed: 1: unknown cluster privilege [bad_cluster_privilege]. a privilege must be either one of the predefined cluster privilege names [manage_own_api_key,manage_data_stream_global_retention,monitor_data_stream_global_retention,none,cancel_task,cross_cluster_replication,cross_cluster_search,delegate_pki,grant_api_key,manage_autoscaling,manage_index_templates,manage_logstash_pipelines,manage_oidc,manage_saml,manage_search_application,manage_search_query_rules,manage_search_synonyms,manage_service_account,manage_token,manage_user_profile,monitor_connector,monitor_enrich,monitor_inference,monitor_ml,monitor_rollup,monitor_snapshot,monitor_stats,monitor_text_structure,monitor_watcher,post_behavioral_analytics_event,read_ccr,read_connector_secrets,read_fleet_secrets,read_ilm,read_pipeline,read_security,read_slm,transport_client,write_connector_secrets,write_fleet_secrets,create_snapshot,manage_behavioral_analytics,manage_ccr,manage_connector,manage_enrich,manage_ilm,manage_inference,manage_ml,manage_rollup,manage_slm,manage_watcher,monitor_transform,manage_api_key,manage_ingest_pipelines,manage_pipeline,manage_transform,manage_security,monitor,manage,all] or a pattern over one of the available cluster actions;" + "reason": "Validation Failed: 1: unknown cluster privilege [bad_cluster_privilege]. 
a privilege must be either one of the predefined cluster privilege names [manage_own_api_key,manage_data_stream_global_retention,monitor_data_stream_global_retention,none,cancel_task,cross_cluster_replication,cross_cluster_search,delegate_pki,grant_api_key,manage_autoscaling,manage_index_templates,manage_logstash_pipelines,manage_oidc,manage_saml,manage_search_application,manage_search_query_rules,manage_search_synonyms,manage_service_account,manage_token,manage_user_profile,monitor_connector,monitor_enrich,monitor_inference,monitor_ml,monitor_rollup,monitor_snapshot,monitor_stats,monitor_text_structure,monitor_watcher,post_behavioral_analytics_event,read_ccr,read_connector_secrets,read_fleet_secrets,read_ilm,read_pipeline,read_security,read_slm,transport_client,write_connector_secrets,write_fleet_secrets,create_snapshot,manage_behavioral_analytics,manage_ccr,manage_connector,manage_enrich,manage_ilm,manage_inference,manage_ml,manage_rollup,manage_slm,manage_watcher,monitor_data_frame_transforms,monitor_transform,manage_api_key,manage_ingest_pipelines,manage_pipeline,manage_data_frame_transforms,manage_transform,manage_security,monitor,manage,all] or a pattern over one of the available cluster actions;" } } } diff --git a/docs/reference/rest-api/security/get-builtin-privileges.asciidoc b/docs/reference/rest-api/security/get-builtin-privileges.asciidoc index 4c5a95d3246a5..7f3d75b926780 100644 --- a/docs/reference/rest-api/security/get-builtin-privileges.asciidoc +++ b/docs/reference/rest-api/security/get-builtin-privileges.asciidoc @@ -78,6 +78,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster "manage_behavioral_analytics", "manage_ccr", "manage_connector", + "manage_data_frame_transforms", "manage_data_stream_global_retention", "manage_enrich", "manage_ilm", 
@@ -103,6 +104,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster "manage_watcher", "monitor", "monitor_connector", + "monitor_data_frame_transforms", "monitor_data_stream_global_retention", "monitor_enrich", "monitor_inference", diff --git a/docs/reference/security/authorization/privileges.asciidoc b/docs/reference/security/authorization/privileges.asciidoc index aa2341e465998..3b69e5c1ba984 100644 --- a/docs/reference/security/authorization/privileges.asciidoc +++ b/docs/reference/security/authorization/privileges.asciidoc @@ -95,6 +95,12 @@ only on clusters that contain follower indices. + This privilege is not available in {serverless-full}. +`manage_data_frame_transforms`:: +All operations related to managing {transforms}. +deprecated[7.5] Use `manage_transform` instead. ++ +This privilege is not available in {serverless-full}. + `manage_data_stream_global_retention`:: This privilege has no effect.deprecated[8.16] From a57695e2da689dfd499c0452d380bb73974c1ecf Mon Sep 17 00:00:00 2001 From: Pat Whelan Date: Fri, 27 Dec 2024 15:37:54 -0500 Subject: [PATCH 13/13] Revert privilege tests --- .../integration/TransformInsufficientPermissionsIT.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/transform/qa/multi-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java b/x-pack/plugin/transform/qa/multi-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java index 872df710fdbcf..d3d86571e002f 100644 --- a/x-pack/plugin/transform/qa/multi-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java +++ b/x-pack/plugin/transform/qa/multi-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java 
@@ -352,7 +352,7 @@ private void testNoTransformAdminRole(boolean deferValidation, boolean unattende containsString( Strings.format( "action [cluster:admin/transform/put] is unauthorized for user [%s] with effective roles [%s], " - + "this action is granted by the cluster privileges [manage_transform,manage,all]", + + "this action is granted by the cluster privileges [manage_data_frame_transforms,manage_transform,manage,all]", user.username, user.effectiveRoles )
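Review bot: The expected message hard-codes `[manage_data_frame_transforms,manage_transform,manage,all]`, which couples this test to the exact registration order of the privileges in ClusterPrivilegeResolver, so any reordering there fails the test even when authorization behaviour is unchanged. Either add a comment `// privilege order follows ClusterPrivilegeResolver's list; update both together` or assert `manage_data_frame_transforms` and `manage_transform` with separate containsString matchers instead of the whole bracketed list. `testNoTransformAdminRole` starts before this hunk.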