Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

[ML] Add Kibana application privilege to data frame admin/user roles (#42757)

Data frame transforms are restricted by different roles to ML, but
share the ML UI.  To prevent the ML UI being hidden for users who
only have the data frame admin or user role, it is necessary to add
the ML Kibana application privilege to the backend data frame roles.
David Roberts 6 years ago
parent
a5529c8df9
commit
fddeb0cb46
2 changed files with 34 additions and 2 deletions
Split View Show Diff Stats
  1. 10 2
      x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
  2. 24 0
      x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

+ 10 - 2
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
View File 

@@ -180,14 +180,22 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
 
                             RoleDescriptor.IndicesPrivileges.builder()
 
                                 .indices(".data-frame-notifications*")
 
                                 .privileges("view_index_metadata", "read").build()
 
-                        }, null, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
 
+                        },
 
+                        new RoleDescriptor.ApplicationResourcePrivileges[] {
 
+                            RoleDescriptor.ApplicationResourcePrivileges.builder()
 
+                                .application("kibana-*").resources("*").privileges("reserved_ml").build()
 
+                        }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
 
                 .put("data_frame_transforms_user", new RoleDescriptor("data_frame_transforms_user",
 
                         new String[] { "monitor_data_frame_transforms" },
 
                         new RoleDescriptor.IndicesPrivileges[]{
 
                             RoleDescriptor.IndicesPrivileges.builder()
 
                                 .indices(".data-frame-notifications*")
 
                                 .privileges("view_index_metadata", "read").build()
 
-                        }, null, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
 
+                        },
 
+                        new RoleDescriptor.ApplicationResourcePrivileges[] {
 
+                            RoleDescriptor.ApplicationResourcePrivileges.builder()
 
+                                .application("kibana-*").resources("*").privileges("reserved_ml").build()
 
+                        }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
 
                 .put("watcher_admin", new RoleDescriptor("watcher_admin", new String[] { "manage_watcher" },
 
                         new RoleDescriptor.IndicesPrivileges[] {
 
                                 RoleDescriptor.IndicesPrivileges.builder().indices(Watch.INDEX, TriggeredWatchStoreField.INDEX_NAME,

+ 24 - 0
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View File 

@@ -1096,6 +1096,18 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNoAccessAllowed(role, ".data-frame-internal-1"); // internal use only
 
 
         assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES);
 
+
 
+        final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana");
 
+        assertThat(role.application().grants(
 
+            new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false));
 
+        assertThat(role.application().grants(
 
+            new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true));
 
+
 
+        final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
 
+        assertThat(role.application().grants(
 
+            new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false));
 
+        assertThat(role.application().grants(
 
+            new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false));
 
     }
 
 
     public void testDataFrameTransformsUserRole() {
 
@@ -1120,6 +1132,18 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNoAccessAllowed(role, ".data-frame-internal-1");
 
 
         assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES);
 
+
 
+        final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana");
 
+        assertThat(role.application().grants(
 
+            new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false));
 
+        assertThat(role.application().grants(
 
+            new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true));
 
+
 
+        final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
 
+        assertThat(role.application().grants(
 
+            new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false));
 
+        assertThat(role.application().grants(
 
+            new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false));
 
     }
 
 
     public void testWatcherAdminRole() {