
[Fleet] Allow kibana_system to put datastream lifecycle (#97732)

Nicolas Chaulet 2 years ago
parent
commit
a34ff55faa

+ 5 - 0
docs/changelog/97732.yaml

@@ -0,0 +1,5 @@
+pr: 97732
+summary: "[Fleet] Allow `kibana_system` to put datastream lifecycle"
+area: Authorization
+type: enhancement
+issues: []

+ 6 - 1
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java

@@ -191,7 +191,12 @@ class KibanaOwnedReservedRoleDescriptors {
                         ".logs-osquery_manager.action.responses-*",
                         "profiling-*"
                     )
-                    .privileges(UpdateSettingsAction.NAME, PutMappingAction.NAME, RolloverAction.NAME)
+                    .privileges(
+                        UpdateSettingsAction.NAME,
+                        PutMappingAction.NAME,
+                        RolloverAction.NAME,
+                        "indices:admin/data_stream/lifecycle/put"
+                    )
                     .build(),
                 // Endpoint specific action responses. Kibana reads from these to display responses to the user.
                 RoleDescriptor.IndicesPrivileges.builder().indices(".logs-endpoint.action.responses-*").privileges("read").build(),
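Review bot: The privilege added to the `.privileges(...)` call is a bare string literal sitting next to three `*.NAME` constants, and nothing in the hunk records why the reserved kibana_system role needs it. The grant applies to every index pattern in this builder, whose list starts above the hunk, and putting a data stream lifecycle presumably covers retention settings, so the reason belongs next to the grant. I would add a comment such as `// Fleet configures the data stream lifecycle on the data streams it manages (#97732)` above the literal. If the action class is reachable from this module, use its `NAME` constant; otherwise say in the comment that the literal is deliberate. The same literal is repeated in the ReservedRolesStoreTests hunk, so a typo copied into both places would still pass the test.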

+ 4 - 0
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -961,6 +961,10 @@ public class ReservedRolesStoreTests extends ESTestCase {
             assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(PutMappingAction.NAME).test(indexAbstraction), is(true));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+            assertThat(
+                kibanaRole.indices().allowedIndicesMatcher("indices:admin/data_stream/lifecycle/put").test(indexAbstraction),
+                is(true)
+            );
 
             // Implied by the overall view_index_metadata and monitor privilege
             assertViewIndexMetadata(kibanaRole, indexName);
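Review bot: The added assertion checks only that the lifecycle-put action is allowed for `indexAbstraction`; nothing visible in the hunk pins where the grant stops. For a reserved role, a later widening of the index patterns would go unnoticed without a negative case. I would add a check against an index outside the patterns this privilege block lists, for example `assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:admin/data_stream/lifecycle/put").test(unrelatedIndexAbstraction), is(false));`, where `unrelatedIndexAbstraction` is a placeholder for whatever fixture the test class already provides. The enclosing test method starts and ends outside the hunk, so such a check may already exist elsewhere in it.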