Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

[ML] Allow kibana_system writes to .ml-notifications* (#74711)

This change is to allow a followup to elastic/kibana#103608
to fix the functionality so that it works for non-superusers.
We do not expect average users of ML from Kibana to have
permission to write to the ML internal indices, so these
writes need to be done as the Kibana system user.
David Roberts 4 years ago
parent
8cc4b38617
commit
5db1b4211b
2 changed files with 21 additions and 3 deletions
Split View Show Diff Stats
  1. 2 2
      x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
  2. 19 1
      x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

+ 2 - 2
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
View File 

@@ -148,9 +148,9 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
 
                                         .indices(".management-beats").privileges("create_index", "read", "write").build(),
 
                                 // To facilitate ML UI functionality being controlled using Kibana security privileges
 
                                 RoleDescriptor.IndicesPrivileges.builder()
 
-                                        .indices(".ml-anomalies*", ".ml-notifications*", ".ml-stats-*")
 
+                                        .indices(".ml-anomalies*", ".ml-stats-*")
 
                                         .privileges("read").build(),
 
-                                RoleDescriptor.IndicesPrivileges.builder().indices(".ml-annotations*")
 
+                                RoleDescriptor.IndicesPrivileges.builder().indices(".ml-annotations*", ".ml-notifications*")
 
                                         .privileges("read", "write").build(),
 
                                 // APM agent configuration
 
                                 RoleDescriptor.IndicesPrivileges.builder()

+ 19 - 1
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View File 

@@ -438,7 +438,6 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         // read-only index access, excluding cross cluster
 
         Arrays.asList(
 
             ".ml-anomalies-" + randomAlphaOfLength(randomIntBetween(0, 13)),
 
-            ".ml-notifications-" + randomAlphaOfLength(randomIntBetween(0, 13)),
 
             ".ml-stats-" + randomAlphaOfLength(randomIntBetween(0, 13))
 
         ).forEach((index) -> {
 
             logger.trace("index name [{}]", index);
 
@@ -455,6 +454,25 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
             assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(mockIndexAbstraction(index)), is(false));
 
         });
 
 
+        // read/write index access, excluding cross cluster
 
+        Arrays.asList(
 
+            ".ml-annotations-" + randomAlphaOfLength(randomIntBetween(0, 13)),
 
+            ".ml-notifications-" + randomAlphaOfLength(randomIntBetween(0, 13))
 
+        ).forEach((index) -> {
 
+            logger.trace("index name [{}]", index);
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(mockIndexAbstraction(index)), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(mockIndexAbstraction(index)), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(mockIndexAbstraction(index)), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(mockIndexAbstraction(index)), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(mockIndexAbstraction(index)), is(false));
 
+        });
 
+
 
         // read-only indices for APM telemetry
 
         Arrays.asList("apm-*").forEach((index) -> {
 
             assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(false));