Home Explore Help
Register Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

`manage_token` privilege for `kibana_system`

Creates the manage_token cluster privilege and adds it to the
kibana_system role. This is required if kibana were to use the token
service for its authenticator process.
Because kibana_system already has manage_saml this effectively
only adds the privilege to create tokens.
Albert Zaharovits 6 years ago
parent
3c466d29d9
commit
592a909ba7
3 changed files with 6 additions and 3 deletions
Split View Show Diff Stats
  1. 3 0
      x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java
  2. 1 1
      x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
  3. 2 2
      x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

+ 3 - 0
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java
View File 

@@ -31,6 +31,7 @@ public final class ClusterPrivilege extends Privilege {
 
     private static final Automaton MANAGE_SECURITY_AUTOMATON = patterns("cluster:admin/xpack/security/*");
 
     private static final Automaton MANAGE_SAML_AUTOMATON = patterns("cluster:admin/xpack/security/saml/*",
 
             InvalidateTokenAction.NAME, RefreshTokenAction.NAME);
 
+    private static final Automaton MANAGE_TOKEN_AUTOMATON = patterns("cluster:admin/xpack/security/token/*");
 
     private static final Automaton MONITOR_AUTOMATON = patterns("cluster:monitor/*");
 
     private static final Automaton MONITOR_ML_AUTOMATON = patterns("cluster:monitor/xpack/ml/*");
 
     private static final Automaton MONITOR_WATCHER_AUTOMATON = patterns("cluster:monitor/xpack/watcher/*");
 
@@ -55,6 +56,7 @@ public final class ClusterPrivilege extends Privilege {
 
     public static final ClusterPrivilege MONITOR_ROLLUP =        new ClusterPrivilege("monitor_rollup",      MONITOR_ROLLUP_AUTOMATON);
 
     public static final ClusterPrivilege MANAGE =                new ClusterPrivilege("manage",              MANAGE_AUTOMATON);
 
     public static final ClusterPrivilege MANAGE_ML =             new ClusterPrivilege("manage_ml",           MANAGE_ML_AUTOMATON);
 
+    public static final ClusterPrivilege MANAGE_TOKEN =          new ClusterPrivilege("manage_token",        MANAGE_TOKEN_AUTOMATON);
 
     public static final ClusterPrivilege MANAGE_WATCHER =        new ClusterPrivilege("manage_watcher",      MANAGE_WATCHER_AUTOMATON);
 
     public static final ClusterPrivilege MANAGE_ROLLUP =         new ClusterPrivilege("manage_rollup",       MANAGE_ROLLUP_AUTOMATON);
 
     public static final ClusterPrivilege MANAGE_IDX_TEMPLATES =
 
@@ -79,6 +81,7 @@ public final class ClusterPrivilege extends Privilege {
 
             .put("monitor_rollup", MONITOR_ROLLUP)
 
             .put("manage", MANAGE)
 
             .put("manage_ml", MANAGE_ML)
 
+            .put("manage_token", MANAGE_TOKEN)
 
             .put("manage_watcher", MANAGE_WATCHER)
 
             .put("manage_index_templates", MANAGE_IDX_TEMPLATES)
 
             .put("manage_ingest_pipelines", MANAGE_INGEST_PIPELINES)

+ 1 - 1
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
View File 

@@ -111,7 +111,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
 
                         null))
 
                 .put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME,
 
                         new String[] {
 
-                            "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml",
 
+                            "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token"
 
                         },
 
                         new RoleDescriptor.IndicesPrivileges[] {
 
                                 RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*", ".reporting-*").privileges("all").build(),

+ 2 - 2
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View File 

@@ -199,11 +199,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertThat(kibanaRole.cluster().check(ClusterUpdateSettingsAction.NAME, request), is(false));
 
         assertThat(kibanaRole.cluster().check(MonitoringBulkAction.NAME, request), is(true));
 
 
-        // SAML
 
+        // SAML and token
 
         assertThat(kibanaRole.cluster().check(SamlPrepareAuthenticationAction.NAME, request), is(true));
 
         assertThat(kibanaRole.cluster().check(SamlAuthenticateAction.NAME, request), is(true));
 
         assertThat(kibanaRole.cluster().check(InvalidateTokenAction.NAME, request), is(true));
 
-        assertThat(kibanaRole.cluster().check(CreateTokenAction.NAME, request), is(false));
 
+        assertThat(kibanaRole.cluster().check(CreateTokenAction.NAME, request), is(true));
 
 
         // Application Privileges
 
         DeletePrivilegesRequest deleteKibanaPrivileges = new DeletePrivilegesRequest("kibana-.kibana", new String[]{ "all", "read" });