
Add delete privilege to kibana_system for APM and Endpoint ILM policies (#81811)

Josh Dover 3 tahun lalu
induk
melakukan
c8660574ae

+ 6 - 0
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -10,6 +10,7 @@ import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.admin.cluster.remote.RemoteInfoAction;
 import org.elasticsearch.action.admin.cluster.repositories.get.GetRepositoriesAction;
 import org.elasticsearch.action.admin.indices.alias.IndicesAliasesAction;
+import org.elasticsearch.action.admin.indices.delete.DeleteIndexAction;
 import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction;
 import org.elasticsearch.action.admin.indices.rollover.RolloverAction;
 import org.elasticsearch.action.admin.indices.settings.put.UpdateSettingsAction;
@@ -717,6 +718,11 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
                     )
                     .privileges(UpdateSettingsAction.NAME, PutMappingAction.NAME, RolloverAction.NAME)
                     .build(),
+                // For ILM policy for APM & Endpoint packages that have delete action
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices(".logs-endpoint.diagnostic.collection-*", "traces-apm.sampled-*")
+                    .privileges(DeleteIndexAction.NAME)
+                    .build(),
                 // For src/dest indices of the Endpoint package that ships a transform
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("metrics-endpoint.metadata*")
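Review bot: The new entry ending in `.privileges(DeleteIndexAction.NAME)` widens kibana_system with an index-level delete grant, but the comment above it only names the packages and not why the role itself must hold the privilege; I would reword it to `// ILM delete phases in the APM & Endpoint packages execute with the privileges of the user that installed the policy (kibana_system), so the role needs delete_index on exactly these data streams — keep the patterns in sync with ReservedRolesStoreTests` (the execution-as-policy-author part is my reading of ILM; confirm before committing that wording). Scoping the grant to the two explicit patterns rather than `traces-apm*` or `.logs-endpoint*` is the right least-privilege shape; note that `traces-apm.sampled-*` is a prefix match and will also cover any later stream whose name starts with that prefix. The enclosing builder chain starts and ends outside the hunk.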

+ 32 - 2
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -543,7 +543,6 @@ public class ReservedRolesStoreTests extends ESTestCase {
         Arrays.asList(".logs-endpoint.diagnostic.collection-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> {
             assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(mockIndexAbstraction(index)), is(false));
-            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
@@ -557,6 +556,8 @@ public class ReservedRolesStoreTests extends ESTestCase {
             assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(mockIndexAbstraction(index)), is(true));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(PutMappingAction.NAME).test(mockIndexAbstraction(index)), is(true));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(mockIndexAbstraction(index)), is(true));
+            // Privileges needed for installing current ILM policy with delete action
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
         });
 
         Arrays.asList(
@@ -714,7 +715,6 @@ public class ReservedRolesStoreTests extends ESTestCase {
             assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(indexAbstraction), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateDataStreamAction.NAME).test(indexAbstraction), is(false));
-            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(indexAbstraction), is(false));
 
@@ -723,6 +723,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
             assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
+
+            // Endpoint diagnostic and sampled traces data streams also have an ILM policy with a delete action, all others should not.
+            final boolean isAlsoIlmDeleteIndex = indexName.startsWith(".logs-endpoint.diagnostic.collection-")
+                || indexName.startsWith("traces-apm.sampled-");
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(isAlsoIlmDeleteIndex));
         });
 
         // 4. Transform for endpoint package
@@ -780,6 +785,31 @@ public class ReservedRolesStoreTests extends ESTestCase {
             assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(false));
         });
+
+        // Ensure privileges necessary for ILM policies in APM & Endpoint packages
+        Arrays.asList(
+            "metrics-apm.app-" + randomAlphaOfLengthBetween(3, 8),
+            "metrics-apm.internal-" + randomAlphaOfLengthBetween(3, 8),
+            "metrics-apm.profiling-" + randomAlphaOfLengthBetween(3, 8),
+            "logs-apm.error_logs-" + randomAlphaOfLengthBetween(3, 8),
+            "traces-apm-" + randomAlphaOfLengthBetween(3, 8)
+        ).forEach(indexName -> {
+            logger.info("index name [{}]", indexName);
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+        });
+        Arrays.asList(
+            ".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(3, 8),
+            "traces-apm.sampled-" + randomAlphaOfLengthBetween(3, 8)
+        ).forEach(indexName -> {
+            logger.info("index name [{}]", indexName);
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+        });
     }
 
     public void testKibanaAdminRole() {
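Review bot: The first new forEach in the last hunk, over `metrics-apm.app-…` through `traces-apm-…`, asserts only the privileges that are granted and never asserts that `DeleteIndexAction` stays denied on those streams, so a later widening of `traces-apm.sampled-*` to `traces-apm*` in ReservedRolesStore would still pass this test; add `assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(false));` next to the UpdateSettings and Rollover assertions in that loop. The `isAlsoIlmDeleteIndex` check in the earlier hunk provides this negative only for whatever list that loop iterates, and that list begins outside the hunk, so it is not a substitute for the sibling-pattern case here. The enclosing test method begins outside the hunk.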