[Failure Store] Has Privileges API #125329
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
n1v0lg
added
>non-issue
:Security/Authorization
| } | ||
| } else { | ||
| } else if (checkWithFailuresSelector | ||
| && allowedPrivilegesAutomatonForFailuresSelector != null |
There was a problem hiding this comment.
one optimization to consider: we could wrap getIndexPrivilegesAutomaton calls into CachedSupplier and make allowedPrivilegesAutomatonForFailuresSelector and allowedPrivilegesAutomatonForDataSelector be computed lazily when checkWithDataSelector or checkWithFailuresSelector is true - respectively
There was a problem hiding this comment.
I was thinking about this too but CachedSupplier involves a synchronized block and might be a little too heavy for the context here (since we don't need synchronization here, I don't think) -- at least I can't immediately say if it would provide an actual gain or not. My thinking here is:
- Most calls will be checking for data selectors privileges (there are more of them, and it's the "normal" workflow to access regular data)
- This means we'll need the data selectors automata most of the time, which is why I added short-circuiting failures-only selector computation via
containsPrivilegesForFailuresSelector. We could do the same for data selectors but that's another pass over the privileges with another set of Map look-ups, or something slightly more complicated
Let me know if you have a stronger intuition here. I'd love to benchmark this and get some real performance numbers but would not want to block on that.
There was a problem hiding this comment.
Good point - we don't want synchronization here. FWIW We could implement a non-blocking version of cached supplier, but I don't feel this is something we should block on. My intuition is the same, we would be mostly checking data selectors and the optimization you already have could be sufficient.
|
Pinging @elastic/es-security (Team:Security) |
...aRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
Outdated
Show resolved
Hide resolved
n1v0lg
added
the
auto-merge-without-approval
💔 Backport failed
You can use sqren/backport to manually backport by running |
omricohenn
pushed a commit
to omricohenn/elasticsearch
that referenced
this pull request
Mar 28, 2025
This PR adds support for checking access to the failure store via the
Has Privileges API.
To check access for a data stream `logs`, a request must query for a
concrete named privilege, `read_failure_store` or
`manage_failure_store`, e.g., a request to the HasPrivileges API by a
user with `read_failure_store` over `logs`:
```
POST /_security/user/_has_privileges
{
"index": [
{
"names": ["logs"],
"privileges": ["read_failure_store", "read", "indices:data/read/*"]
}
]
}
```
Returns:
```
{ "username": "<...>", "has_all_requested": false,
"cluster": {}, "index": { "logs": {
"read_failure_store": true, "read": false, <1>
"indices:data/read/*": false <2> } }, "application": {}
}
```
Note that `<1>` and `<2>` are both `false` since `read` is not covered by `read_failure_store` and neither are any raw actions like `indices:data/read/*` since these implicitly correspond to data access.
Selectors are not allowed in the index patterns of HasPrivileges requests to avoid ambiguities such as checking `read` on `logs::failures` as well as the ambiguity of index patterns that are regular expressions.
slobodanadamovic
pushed a commit
to slobodanadamovic/elasticsearch
that referenced
this pull request
Mar 31, 2025
This PR adds support for checking access to the failure store via the
Has Privileges API.
To check access for a data stream `logs`, a request must query for a
concrete named privilege, `read_failure_store` or
`manage_failure_store`, e.g., a request to the HasPrivileges API by a
user with `read_failure_store` over `logs`:
```
POST /_security/user/_has_privileges
{
"index": [
{
"names": ["logs"],
"privileges": ["read_failure_store", "read", "indices:data/read/*"]
}
]
}
```
Returns:
```
{ "username": "<...>", "has_all_requested": false,
"cluster": {}, "index": { "logs": {
"read_failure_store": true, "read": false, <1>
"indices:data/read/*": false <2> } }, "application": {}
}
```
Note that `<1>` and `<2>` are both `false` since `read` is not covered by `read_failure_store` and neither are any raw actions like `indices:data/read/*` since these implicitly correspond to data access.
Selectors are not allowed in the index patterns of HasPrivileges requests to avoid ambiguities such as checking `read` on `logs::failures` as well as the ambiguity of index patterns that are regular expressions.
(cherry picked from commit 0e0214d)
# Conflicts:
# x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
elasticsearchmachine
pushed a commit
that referenced
this pull request
Mar 31, 2025
* [Failure Store] Has Privileges API (#125329) This PR adds support for checking access to the failure store via the Has Privileges API. To check access for a data stream `logs`, a request must query for a concrete named privilege, `read_failure_store` or `manage_failure_store`, e.g., a request to the HasPrivileges API by a user with `read_failure_store` over `logs`: ``` POST /_security/user/_has_privileges { "index": [ { "names": ["logs"], "privileges": ["read_failure_store", "read", "indices:data/read/*"] } ] } ``` Returns: ``` { "username": "<...>", "has_all_requested": false, "cluster": {}, "index": { "logs": { "read_failure_store": true, "read": false, <1> "indices:data/read/*": false <2> } }, "application": {} } ``` Note that `<1>` and `<2>` are both `false` since `read` is not covered by `read_failure_store` and neither are any raw actions like `indices:data/read/*` since these implicitly correspond to data access. Selectors are not allowed in the index patterns of HasPrivileges requests to avoid ambiguities such as checking `read` on `logs::failures` as well as the ambiguity of index patterns that are regular expressions. (cherry picked from commit 0e0214d) # Conflicts: # x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java * fix compilation issue: use Operations.subsetOf * fix one more place --------- Co-authored-by: Nikolaj Volgushev <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for checking access to the failure store via the Has Privileges API.
To check access for a data stream
logs, a request must query for a concrete named privilege,read_failure_storeormanage_failure_store, e.g., a request to the HasPrivileges API by a user withread_failure_storeoverlogs:Returns:
Note that
<1>and<2>are bothfalsesincereadis not covered byread_failure_storeand neither are any raw actions likeindices:data/read/*since these implicitly correspond to data access.Selectors are not allowed in the index patterns of HasPrivileges requests to avoid ambiguities such as checking
readonlogs::failuresas well as the ambiguity of index patterns that are regular expressions.