Skip to content

Commit

Permalink
Remove reserved roles for code search (elastic#50068)
Browse files Browse the repository at this point in the history 
The "code_user" and "code_admin" reserved roles existed to support
code search which is no longer included in Kibana.

The "kibana_system" role included privileges to read/write from the
code search indices, but no longer needs that access.

Resolves: elastic#49842
  • Loading branch information
@tvernum @SivagurunathanV
tvernum authored and SivagurunathanV committed Jan 21, 2020
1 parent 235f336 commit 8513af8
Show file tree
Hide file tree
Showing 3 changed files with 4 additions and 73 deletions.
4 changes: 2 additions & 2 deletions ...h-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -694,8 +694,8 @@ public void testGetRoles() throws Exception {

List<Role> roles = response.getRoles();
assertNotNull(response);
// 29 system roles plus the three we created
assertThat(roles.size(), equalTo(33));
// 28 system roles plus the three we created
assertThat(roles.size(), equalTo(28 + 3));
}

{
Expand Down
13 changes: 0 additions & 13 deletions ...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -122,9 +122,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
.indices(".monitoring-*").privileges("read", "read_cross_cluster").build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices(".management-beats").privileges("create_index", "read", "write").build(),
// .code_internal-* is for Code's internal worker queue index creation.
RoleDescriptor.IndicesPrivileges.builder()
.indices(".code-*", ".code_internal-*").privileges("all").build(),
// .apm-* is for APM's agent configuration index creation
RoleDescriptor.IndicesPrivileges.builder()
.indices(".apm-agent-configuration").privileges("all").build(),
Expand Down Expand Up @@ -253,16 +250,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("rollup_admin", new RoleDescriptor("rollup_admin", new String[] { "manage_rollup" },
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("code_admin", new RoleDescriptor("code_admin", new String[] {},
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".code-*").privileges("all").build()
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("code_user", new RoleDescriptor("code_user", new String[] {},
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".code-*").privileges("read").build()
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("snapshot_user", new RoleDescriptor("snapshot_user", new String[] { "create_snapshot", GetRepositoriesAction.NAME },
new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder()
.indices("*")
Expand Down
60 changes: 2 additions & 58 deletions .../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -200,8 +200,8 @@ public void testIsReserved() {
assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.COLLECTION_ROLE_NAME), is(true));
assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.INDEXING_ROLE_NAME), is(true));
assertThat(ReservedRolesStore.isReserved("snapshot_user"), is(true));
assertThat(ReservedRolesStore.isReserved("code_admin"), is(true));
assertThat(ReservedRolesStore.isReserved("code_user"), is(true));
assertThat(ReservedRolesStore.isReserved("code_admin"), is(false));
assertThat(ReservedRolesStore.isReserved("code_user"), is(false));
}

public void testSnapshotUserRole() {
Expand Down Expand Up @@ -1383,60 +1383,4 @@ public void testLogstashAdminRole() {
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
}

public void testCodeAdminRole() {
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_admin");
assertNotNull(roleDescriptor);
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));

Role codeAdminRole = Role.builder(roleDescriptor, null).build();

assertThat(codeAdminRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class),
mock(Authentication.class)), is(false));

assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".code-"), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
is(false));

final String index = ".code-" + randomIntBetween(0, 5);

assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
assertThat(codeAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
}

public void testCodeUserRole() {
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_user");
assertNotNull(roleDescriptor);
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));

Role codeUserRole = Role.builder(roleDescriptor, null).build();

assertThat(codeUserRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class),
mock(Authentication.class)), is(false));

assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test("foo"), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".reporting"), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".code-"), is(true));
assertThat(codeUserRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
is(false));

final String index = ".code-" + randomIntBetween(0, 5);

assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(false));
assertThat(codeUserRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
assertThat(codeUserRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
assertThat(codeUserRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
}
}

0 comments on commit 8513af8

Please sign in to comment.