
Remove kibana_user and kibana_dashboard_only_user index privileges (#37441)

* Remove kibana_user and kibana_dashboard_only_user .kibana* index privileges

* Removing unused imports
Brandon Kobel 6 years ago
parent
commit
940f6ba4c1

+ 2 - 7
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -46,9 +46,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
                 .put("superuser", SUPERUSER_ROLE_DESCRIPTOR)
                 .put("transport_client", new RoleDescriptor("transport_client", new String[] { "transport_client" }, null, null,
                         MetadataUtils.DEFAULT_RESERVED_METADATA))
-                .put("kibana_user", new RoleDescriptor("kibana_user", null, new RoleDescriptor.IndicesPrivileges[] {
-                        RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete")
-                            .build() }, new RoleDescriptor.ApplicationResourcePrivileges[] {
+                .put("kibana_user", new RoleDescriptor("kibana_user", null, null, new RoleDescriptor.ApplicationResourcePrivileges[] {
                         RoleDescriptor.ApplicationResourcePrivileges.builder()
                             .application("kibana-.kibana").resources("*").privileges("all").build() },
                         null, null,
@@ -97,10 +95,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
                 .put("kibana_dashboard_only_user", new RoleDescriptor(
                         "kibana_dashboard_only_user",
                         null,
-                        new RoleDescriptor.IndicesPrivileges[] {
-                            RoleDescriptor.IndicesPrivileges.builder()
-                                .indices(".kibana*").privileges("read", "view_index_metadata").build()
-                        },
+                        null,
                         new RoleDescriptor.ApplicationResourcePrivileges[] {
                             RoleDescriptor.ApplicationResourcePrivileges.builder()
                             .application("kibana-.kibana").resources("*").privileges("read").build() },
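Review bot: Nothing in this commit pins the new least-privilege behaviour: both role descriptors now pass `null` for the indices privileges, but the two test sections only delete the old positive `.kibana` assertions and add no negative ones. The one surviving index check visible in ReservedRolesStoreTests uses a random index name with the made-up action `indices:foo`, so a later change that re-grants `.kibana*` to `kibana_user` or `kibana_dashboard_only_user` would presumably not fail any test. I would add, for each role, an assertion such as `assertThat(kibanaUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".kibana"), is(false));`, repeated for `IndexAction.NAME` and `DeleteAction.NAME`, assuming those imports are still present in the test class. A short comment at each `null` indices argument, e.g. `// intentionally no index privileges; access is via the kibana-.kibana application privileges only`, would also record the intent. Both `put(...)` calls start or end outside the hunks shown.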

+ 0 - 27
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -312,20 +312,6 @@ public class ReservedRolesStoreTests extends ESTestCase {
         assertThat(kibanaUserRole.indices().allowedIndicesMatcher("indices:foo")
                 .test(randomAlphaOfLengthBetween(8, 24)), is(false));
 
-        Arrays.asList(".kibana", ".kibana-devnull").forEach((index) -> {
-            logger.info("index name [{}]", index);
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher("indices:foo").test(index), is(false));
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher("indices:bar").test(index), is(false));
-
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
-            assertThat(kibanaUserRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
-        });
-
         final String randomApplication = "kibana-" + randomAlphaOfLengthBetween(8, 24);
         assertThat(kibanaUserRole.application().grants(new ApplicationPrivilege(randomApplication, "app-random", "all"), "*"), is(false));
 
@@ -569,19 +555,6 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertThat(dashboardsOnlyUserRole.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));
 
-        final String index = ".kibana";
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher("indices:foo").test(index), is(false));
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher("indices:bar").test(index), is(false));
-
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false));
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
-
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(index), is(true));
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
-        assertThat(dashboardsOnlyUserRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
-
         final String randomApplication = "kibana-" + randomAlphaOfLengthBetween(8, 24);
         assertThat(dashboardsOnlyUserRole.application().grants(new ApplicationPrivilege(randomApplication, "app-random", "all"), "*"),
             is(false));

+ 0 - 33
x-pack/plugin/security/src/test/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java

@@ -5,15 +5,11 @@
  */
 package org.elasticsearch.integration;
 
-import org.elasticsearch.action.DocWriteResponse;
-import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
 import org.elasticsearch.action.admin.indices.get.GetIndexResponse;
 import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsResponse;
 import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsResponse.FieldMappingMetaData;
 import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsResponse;
 import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryResponse;
-import org.elasticsearch.action.delete.DeleteResponse;
-import org.elasticsearch.action.index.IndexResponse;
 import org.elasticsearch.action.search.MultiSearchResponse;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.cluster.metadata.MappingMetaData;
@@ -23,11 +19,9 @@ import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.test.NativeRealmIntegTestCase;
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 
-import java.util.Locale;
 import java.util.Map;
 
 import static java.util.Collections.singletonMap;
-import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -149,33 +143,6 @@ public class KibanaUserRoleIntegTests extends NativeRealmIntegTestCase {
         assertThat(response.getIndices(), arrayContaining(index));
     }
 
-    public void testCreateIndexDeleteInKibanaIndex() throws Exception {
-        final String index = randomBoolean()? ".kibana" : ".kibana-" + randomAlphaOfLengthBetween(1, 10).toLowerCase(Locale.ENGLISH);
-
-        if (randomBoolean()) {
-            CreateIndexResponse createIndexResponse = client().filterWithHeader(singletonMap("Authorization",
-                UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
-                .admin().indices().prepareCreate(index).get();
-            assertThat(createIndexResponse.isAcknowledged(), is(true));
-        }
-
-        IndexResponse response = client()
-            .filterWithHeader(singletonMap("Authorization", UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
-            .prepareIndex()
-            .setIndex(index)
-            .setType("dashboard")
-            .setSource("foo", "bar")
-            .setRefreshPolicy(IMMEDIATE)
-            .get();
-        assertEquals(DocWriteResponse.Result.CREATED, response.getResult());
-
-        DeleteResponse deleteResponse = client()
-            .filterWithHeader(singletonMap("Authorization", UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
-            .prepareDelete(index, "dashboard", response.getId())
-            .get();
-        assertEquals(DocWriteResponse.Result.DELETED, deleteResponse.getResult());
-    }
-
     public void testGetMappings() throws Exception {
         final String index = "logstash-20-12-2015";
         final String type = "event";