
Create `manage_connector` privilege (#110128)

* Create manage_seaech_connector privilege

* `manage_search_connector` -> `manage_connector` and exclude connector secrets patterns from this privilege

* Add `monitor_connector` privilege

* Update Kibana system privilege to monitor_connector for telemetry

* Rename privilege to 'manage_connector_state'

Since privilege names are often namespaced and used with globs, we want to ensure that if there's a future privilege like `manage_connector_secrets`, it is not implicitly included in this new privilege's `<name>*`. By extending the privilege name to include "_state", we better separate this namespace from any "_secrets" namespace.

* Revert "Rename privilege to 'manage_connector_state'"

This reverts commit 70b89eee76cb9a03ac7caec3fe7927be4b6e11c3.
After further discussion with the security team, this name change is not needed after all
since the secret management privileges aren't currently prefixed with "manage_"

---------

Co-authored-by: Sean Story <sean.j.story@gmail.com>
Jedr Blaszyk 1 year ago
parent
commit
3b827f6a8c

+ 2 - 0
docs/reference/rest-api/security/get-builtin-privileges.asciidoc

@@ -77,6 +77,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
     "manage_autoscaling",
     "manage_behavioral_analytics",
     "manage_ccr",
+    "manage_connector",
     "manage_data_frame_transforms",
     "manage_data_stream_global_retention",
     "manage_enrich",
@@ -102,6 +103,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
     "manage_user_profile",
     "manage_watcher",
     "monitor",
+    "monitor_connector",
     "monitor_data_frame_transforms",
     "monitor_data_stream_global_retention",
     "monitor_enrich",

+ 31 - 6
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java

@@ -67,6 +67,7 @@ import java.util.Set;
 import java.util.SortedMap;
 import java.util.TreeMap;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 /**
@@ -174,6 +175,23 @@ public class ClusterPrivilegeResolver {
     );
 
     private static final Set<String> MANAGE_SEARCH_APPLICATION_PATTERN = Set.of("cluster:admin/xpack/application/search_application/*");
+    private static final Set<String> MANAGE_CONNECTOR_PATTERN = Set.of("cluster:admin/xpack/connector/*");
+    private static final Set<String> MONITOR_CONNECTOR_PATTERN = Set.of(
+        "cluster:admin/xpack/connector/get",
+        "cluster:admin/xpack/connector/list",
+        "cluster:admin/xpack/connector/sync_job/get",
+        "cluster:admin/xpack/connector/sync_job/list"
+    );
+    private static final Set<String> READ_CONNECTOR_SECRETS_PATTERN = Set.of("cluster:admin/xpack/connector/secret/get");
+    private static final Set<String> WRITE_CONNECTOR_SECRETS_PATTERN = Set.of(
+        "cluster:admin/xpack/connector/secret/delete",
+        "cluster:admin/xpack/connector/secret/post",
+        "cluster:admin/xpack/connector/secret/put"
+    );
+    private static final Set<String> CONNECTOR_SECRETS_PATTERN = Stream.concat(
+        READ_CONNECTOR_SECRETS_PATTERN.stream(),
+        WRITE_CONNECTOR_SECRETS_PATTERN.stream()
+    ).collect(Collectors.toSet());
     private static final Set<String> MANAGE_SEARCH_QUERY_RULES_PATTERN = Set.of("cluster:admin/xpack/query_rules/*");
     private static final Set<String> MANAGE_SEARCH_SYNONYMS_PATTERN = Set.of(
         "cluster:admin/synonyms/*",
@@ -332,6 +350,15 @@ public class ClusterPrivilegeResolver {
         "manage_search_application",
         MANAGE_SEARCH_APPLICATION_PATTERN
     );
+    public static final NamedClusterPrivilege MANAGE_CONNECTOR = new ActionClusterPrivilege(
+        "manage_connector",
+        MANAGE_CONNECTOR_PATTERN,
+        CONNECTOR_SECRETS_PATTERN
+    );
+    public static final NamedClusterPrivilege MONITOR_CONNECTOR = new ActionClusterPrivilege(
+        "monitor_connector",
+        MONITOR_CONNECTOR_PATTERN
+    );
     public static final NamedClusterPrivilege MANAGE_SEARCH_SYNONYMS = new ActionClusterPrivilege(
         "manage_search_synonyms",
         MANAGE_SEARCH_SYNONYMS_PATTERN
@@ -362,16 +389,12 @@ public class ClusterPrivilegeResolver {
 
     public static final NamedClusterPrivilege READ_CONNECTOR_SECRETS = new ActionClusterPrivilege(
         "read_connector_secrets",
-        Set.of("cluster:admin/xpack/connector/secret/get")
+        READ_CONNECTOR_SECRETS_PATTERN
     );
 
     public static final NamedClusterPrivilege WRITE_CONNECTOR_SECRETS = new ActionClusterPrivilege(
         "write_connector_secrets",
-        Set.of(
-            "cluster:admin/xpack/connector/secret/delete",
-            "cluster:admin/xpack/connector/secret/post",
-            "cluster:admin/xpack/connector/secret/put"
-        )
+        WRITE_CONNECTOR_SECRETS_PATTERN
     );
     public static final NamedClusterPrivilege MONITOR_GLOBAL_RETENTION = new ActionClusterPrivilege(
         "monitor_data_stream_global_retention",
@@ -391,6 +414,7 @@ public class ClusterPrivilegeResolver {
             NONE,
             ALL,
             MONITOR,
+            MONITOR_CONNECTOR,
             MONITOR_INFERENCE,
             MONITOR_ML,
             MONITOR_TEXT_STRUCTURE,
@@ -400,6 +424,7 @@ public class ClusterPrivilegeResolver {
             MONITOR_ROLLUP,
             MONITOR_ENRICH,
             MANAGE,
+            MANAGE_CONNECTOR,
             MANAGE_INFERENCE,
             MANAGE_ML,
             MANAGE_TRANSFORM_DEPRECATED,
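Review bot: The exclusion that keeps secret actions out of `manage_connector` (the `MANAGE_CONNECTOR` definition in the third hunk) is an enumerated list of four actions, while the allowed side is the wildcard `cluster:admin/xpack/connector/*`; any action added under `connector/secret/` in future is therefore granted by `manage_connector` until someone remembers to extend `READ_CONNECTOR_SECRETS_PATTERN` or `WRITE_CONNECTOR_SECRETS_PATTERN`. If the excluded-patterns argument accepts the same wildcard syntax as the allowed patterns (the `ActionClusterPrivilege` constructor is outside this hunk, so confirm), excluding `Set.of("cluster:admin/xpack/connector/secret/*")` would fail closed instead, which is the intent the commit description discusses. Either way, a comment on `MANAGE_CONNECTOR` such as `// Deliberately excludes every connector secret action; those require read_/write_connector_secrets.` would record why the exclusion exists. Minor style point in the second hunk: `Stream.concat(...).collect(Collectors.toSet())` yields a mutable set where the sibling constants use `Set.of`; `Collectors.toUnmodifiableSet()` keeps `CONNECTOR_SECRETS_PATTERN` consistent with them.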

+ 2 - 0
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java

@@ -73,6 +73,8 @@ class KibanaOwnedReservedRoleDescriptors {
                 // For Fleet package upgrade
                 "manage_pipeline",
                 "manage_ilm",
+                // For connectors telemetry
+                "monitor_connector",
                 // For the endpoint package that ships a transform
                 "manage_transform",
                 InvalidateApiKeyAction.NAME,

+ 1 - 1
x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml

@@ -15,5 +15,5 @@ setup:
   # This is fragile - it needs to be updated every time we add a new cluster/index privilege
   # I would much prefer we could just check that specific entries are in the array, but we don't have
   # an assertion for that
-  - length: { "cluster" : 59 }
+  - length: { "cluster" : 61 }
   - length: { "index" : 22 }