[Backport] Add 'create_doc' index privilege (#45806) #47645
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Use case: User with `create_doc` index privilege will be allowed to only index new documents either via Index API or Bulk API. There are two cases that we need to think: - **User indexing a new document without specifying an Id.** For this ES auto generates an Id and now ES version 7.5.0 onwards defaults to `op_type` `create` we just need to authorize on the `op_type`. - **User indexing a new document with an Id.** This is problematic as we do not know whether a document with Id exists or not. If the `op_type` is `create` then we can assume the user is trying to add a document, if it exists it is going to throw an error from the index engine. Given these both cases, we can safely authorize based on the `op_type` value. If the value is `create` then the user with `create_doc` privilege is authorized to index new documents. In the `AuthorizationService` when authorizing a bulk request, we check the implied action. This code changes that to append the `:op_type/index` or `:op_type/create` to indicate the implied index action.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use case:
User with
create_docindex privilege will be allowed to only index new documentseither via Index API or Bulk API.
There are two cases that we need to think:
For this ES auto generates an Id and now ES version 7.5.0 onwards defaults to
op_typecreatewe just need to authorize on theop_type.This is problematic as we do not know whether a document with Id exists or not.
If the
op_typeiscreatethen we can assume the user is trying to add a document, if it exists it is going to throw an error from the index engine.Given these both cases, we can safely authorize based on the
op_typevalue. If the value iscreatethen the user withcreate_docprivilege is authorized to index new documents.In the
AuthorizationServicewhen authorizing a bulk request, we check the implied action.This code changes that to append the
:op_type/indexor:op_type/createto indicate the implied index action.