@gmjehovich
Contributor

Backport of #128532

…#128532)

This PR addresses the bug reported in
[elastic#127496](elastic#127496)

**Changes:**
- Added validation logic in `ConfigurableClusterPrivileges` to ensure privileges defined for a global cluster manage role privilege are valid
- Added unit test to `ManageRolePrivilegesTest` to ensure invalid privilege is caught during role creation
- Updated `BulkPutRoleRestIT` to assert that an error is thrown and that the role is not created.

Both existing and new unit/integration tests passed locally.
@gmjehovich gmjehovich added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC backport Team:Security Meta label for security team v9.0.2 labels Jun 3, 2025
@gmjehovich gmjehovich requested a review from jfreden June 3, 2025 16:21
@gmjehovich
Contributor Author

@jfreden On the original PR, I used another function (`IndexPrivilege.resolveBySelectorAccess()`), but that didn't exist on this branch. I saw this `IndexPrivilege.get()` function essentially does the same thing, so I wanted to make sure I could use it interchangeably.

Contributor

@slobodanadamovic slobodanadamovic left a comment

LGTM 👍

Since you are planning to backport the fix to 8.18 and 8.17 branches, I suggest you label this PR auto-backport and add appropriate version labels. This way you won't need to do it manually.

@gmjehovich gmjehovich added auto-backport Automatically create backport pull requests when merged v8.18.3 v8.17.8 labels Jun 9, 2025
@gmjehovich gmjehovich merged commit 96df3a9 into elastic:9.0 Jun 9, 2025
21 checks passed
@elasticsearchmachine
Collaborator

💚 Backport successful

Status Branch Result
8.17
8.18

gmjehovich added a commit to gmjehovich/elasticsearch that referenced this pull request Jun 9, 2025
…elastic#128847)

elasticsearchmachine pushed a commit that referenced this pull request Jun 9, 2025
…) (#129155)

elasticsearchmachine pushed a commit that referenced this pull request Jun 9, 2025
…) (#129156)
