From 38b912d57a37e2fc22e0d0dd222b045a30a26de6 Mon Sep 17 00:00:00 2001 From: Anton Shuvaev Date: Tue, 24 Dec 2019 23:22:40 +0300 Subject: [PATCH 1/5] Add 'monitor_snapshot' cluster privilege --- .../security/get-builtin-privileges.asciidoc | 1 + .../authorization/privileges.asciidoc | 3 ++ .../privilege/ClusterPrivilegeResolver.java | 4 +++ .../authz/store/ReservedRolesStore.java | 7 ++++ .../integration/ClusterPrivilegeTests.java | 33 +++++++++++++++++-- 5 files changed, 45 insertions(+), 3 deletions(-) diff --git a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc index cedffe7a6f9d4..edd529d116d92 100644 --- a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc +++ b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc @@ -63,6 +63,7 @@ A successful call returns an object with "cluster" and "index" fields. "cluster" : [ "all", "create_snapshot", + "monitor_snapshot", "delegate_pki", "manage", "manage_api_key", diff --git a/x-pack/docs/en/security/authorization/privileges.asciidoc b/x-pack/docs/en/security/authorization/privileges.asciidoc index aed7b236e172d..1d53c7b20aa6a 100644 --- a/x-pack/docs/en/security/authorization/privileges.asciidoc +++ b/x-pack/docs/en/security/authorization/privileges.asciidoc @@ -16,6 +16,9 @@ settings update, rerouting, or managing users and roles. Privileges to create snapshots for existing repositories. Can also list and view details on existing repositories and snapshots. +`monitor_snapshot`:: +Privileges to list and view details on existing repositories and snapshots. + `manage`:: Builds on `monitor` and adds cluster operations that change values in the cluster. This includes snapshotting, updating settings, and rerouting. It also includes 
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java index 65469f77a116c..c9754e586c0a6 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java @@ -66,6 +66,8 @@ public class ClusterPrivilegeResolver { Set.of("cluster:admin/xpack/ccr/*", ClusterStateAction.NAME, HasPrivilegesAction.NAME); private static final Set CREATE_SNAPSHOT_PATTERN = Set.of(CreateSnapshotAction.NAME, SnapshotsStatusAction.NAME + "*", GetSnapshotsAction.NAME, SnapshotsStatusAction.NAME, GetRepositoriesAction.NAME); + private static final Set MONITOR_SNAPSHOT_PATTERN = Set.of(SnapshotsStatusAction.NAME + "*", GetSnapshotsAction.NAME, + SnapshotsStatusAction.NAME, GetRepositoriesAction.NAME); private static final Set READ_CCR_PATTERN = Set.of(ClusterStateAction.NAME, HasPrivilegesAction.NAME); private static final Set MANAGE_ILM_PATTERN = Set.of("cluster:admin/ilm/*"); private static final Set READ_ILM_PATTERN = Set.of(GetLifecycleAction.NAME, GetStatusAction.NAME); 
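Review bot: MONITOR_SNAPSHOT_PATTERN restates four of the five entries of CREATE_SNAPSHOT_PATTERN declared just above it, so the intended containment (`create_snapshot` is `monitor_snapshot` plus `CreateSnapshotAction.NAME`) is maintained by hand and will drift silently the next time either set is edited. Declaring MONITOR_SNAPSHOT_PATTERN first and building CREATE_SNAPSHOT_PATTERN from it plus `CreateSnapshotAction.NAME` would make the containment structural; at minimum a comment on the new field, `// read-only subset of CREATE_SNAPSHOT_PATTERN; keep the two in sync`, and a unit assertion that `CREATE_SNAPSHOT_PATTERN.containsAll(MONITOR_SNAPSHOT_PATTERN)` would catch drift. The copied list also carries the original's redundancy: `SnapshotsStatusAction.NAME + "*"` presumably already matches the bare `SnapshotsStatusAction.NAME`, so the second entry adds nothing and reads as if it does. The enclosing class continues outside the hunk.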
@@ -109,6 +111,7 @@ public class ClusterPrivilegeResolver { public static final NamedClusterPrivilege MANAGE_CCR = new ActionClusterPrivilege("manage_ccr", MANAGE_CCR_PATTERN); public static final NamedClusterPrivilege READ_CCR = new ActionClusterPrivilege("read_ccr", READ_CCR_PATTERN); public static final NamedClusterPrivilege CREATE_SNAPSHOT = new ActionClusterPrivilege("create_snapshot", CREATE_SNAPSHOT_PATTERN); + public static final NamedClusterPrivilege MONITOR_SNAPSHOT = new ActionClusterPrivilege("monitor_snapshot", MONITOR_SNAPSHOT_PATTERN); public static final NamedClusterPrivilege MANAGE_ILM = new ActionClusterPrivilege("manage_ilm", MANAGE_ILM_PATTERN); public static final NamedClusterPrivilege READ_ILM = new ActionClusterPrivilege("read_ilm", READ_ILM_PATTERN); public static final NamedClusterPrivilege MANAGE_SLM = new ActionClusterPrivilege("manage_slm", MANAGE_SLM_PATTERN); @@ -146,6 +149,7 @@ public class ClusterPrivilegeResolver { MANAGE_CCR, READ_CCR, CREATE_SNAPSHOT, + MONITOR_SNAPSHOT, MANAGE_ILM, READ_ILM, MANAGE_SLM, diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index d9db50678c160..166b9315b5f86 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java 
@@ -256,6 +256,13 @@ private static Map initializeReservedRoles() { .privileges("view_index_metadata") .allowRestrictedIndices(true) .build() }, null, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) + .put("monitor_snapshot_user", new RoleDescriptor("monitor_snapshot_user", new String[] { "monitor_snapshot", GetRepositoriesAction.NAME }, + new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() + .indices("*") + .privileges("view_index_metadata") + .allowRestrictedIndices(true) + .build() }, null, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) + .put("enrich_user", new RoleDescriptor("enrich_user", new String[]{ "manage_enrich", "manage_ingest_pipelines", "monitor" }, new RoleDescriptor.IndicesPrivileges[]{ RoleDescriptor.IndicesPrivileges.builder() .indices(".enrich-*") diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java index c434d3b182888..c699e21aed72b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java @@ -36,13 +36,17 @@ public class ClusterPrivilegeTests extends AbstractPrivilegeTestCase { " - names: 'someindex'\n" + " privileges: [ all ]\n" + "role_d:\n" + - " cluster: [ create_snapshot ]\n"; + " cluster: [ create_snapshot ]\n" + + "\n" + + "role_e:\n" + + " cluster: [ monitor_snapshot]\n"; private static final String USERS_ROLES = "role_a:user_a\n" + "role_b:user_b\n" + "role_c:user_c\n" + - "role_d:user_d\n"; + "role_d:user_d\n" + + "role_e:user_e\n"; private static Path repositoryLocation; 
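Review bot: In the @@ -36 hunk of ClusterPrivilegeTests the new role entry `" cluster: [ monitor_snapshot]\n"` drops the space before the closing bracket that every other role line uses (`" cluster: [ create_snapshot ]\n"`), and a lone `"\n"` is inserted between role_d and role_e although none of the other roles are separated by a blank line. Both parse fine, but the inconsistency makes the new role look like an unfinished edit; `" cluster: [ monitor_snapshot ]\n"` without the extra `"\n"` line matches the surrounding entries. The ROLES constant starts before this hunk.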
@@ -81,7 +85,8 @@ protected String configUsers() { "user_a:" + usersPasswdHashed + "\n" + "user_b:" + usersPasswdHashed + "\n" + "user_c:" + usersPasswdHashed + "\n" + - "user_d:" + usersPasswdHashed + "\n"; + "user_d:" + usersPasswdHashed + "\n" + + "user_e:" + usersPasswdHashed + "\n"; } @Override @@ -139,6 +144,19 @@ public void testThatClusterPrivilegesWorkAsExpectedViaHttp() throws Exception { assertAccessIsDenied("user_d", "GET", "/_nodes/infos"); assertAccessIsDenied("user_d", "POST", "/_cluster/reroute"); assertAccessIsDenied("user_d", "PUT", "/_cluster/settings", "{ \"transient\" : { \"search.default_search_timeout\": \"1m\" } }"); + + // user_e can view repos and snapshots on existing repos, everything else is DENIED + assertAccessIsDenied("user_e", "GET", "/_cluster/state"); + assertAccessIsDenied("user_e", "GET", "/_cluster/health"); + assertAccessIsDenied("user_e", "GET", "/_cluster/settings"); + assertAccessIsDenied("user_e", "GET", "/_cluster/stats"); + assertAccessIsDenied("user_e", "GET", "/_cluster/pending_tasks"); + assertAccessIsDenied("user_e", "GET", "/_nodes/stats"); + assertAccessIsDenied("user_e", "GET", "/_nodes/hot_threads"); + assertAccessIsDenied("user_e", "GET", "/_nodes/infos"); + assertAccessIsDenied("user_e", "POST", "/_cluster/reroute"); + assertAccessIsDenied("user_e", "PUT", "/_cluster/settings", "{ \"transient\" : { \"search.default_search_timeout\": \"1m\" } }"); + } public void testThatSnapshotAndRestore() throws Exception { @@ -147,6 +165,7 @@ public void testThatSnapshotAndRestore() throws Exception { assertAccessIsDenied("user_b", "PUT", "/_snapshot/my-repo", repoJson); assertAccessIsDenied("user_c", "PUT", "/_snapshot/my-repo", repoJson); assertAccessIsDenied("user_d", "PUT", "/_snapshot/my-repo", repoJson); + assertAccessIsDenied("user_e", "PUT", "/_snapshot/my-repo", repoJson); assertAccessIsAllowed("user_a", "PUT", "/_snapshot/my-repo", repoJson); Request createBar = new Request("PUT", "/someindex/_doc/1"); 
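Review bot: The comment added in the @@ -139 hunk of testThatClusterPrivilegesWorkAsExpectedViaHttp says user_e `can view repos and snapshots`, but every assertion that follows it is a denial, and the only allowed call for user_e anywhere in the series is `GET /_snapshot/my-repo/my-snapshot/_status` in the @@ -155 hunk. The new privilege also grants GetRepositoriesAction and GetSnapshotsAction, so the positive half of `monitor_snapshot` is untested; adding `assertAccessIsAllowed("user_e", "GET", "/_snapshot/my-repo");` and `assertAccessIsAllowed("user_e", "GET", "/_snapshot/my-repo/_all");` next to the existing `_status` assertion, once the repository and snapshot exist, would pin it. The stray blank line before the closing brace of the method can also go. The test method begins before this hunk.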
@@ -155,16 +174,19 @@ public void testThatSnapshotAndRestore() throws Exception { assertAccessIsDenied("user_a", createBar); assertAccessIsDenied("user_b", createBar); assertAccessIsDenied("user_d", createBar); + assertAccessIsDenied("user_e", createBar); assertAccessIsAllowed("user_c", createBar); assertAccessIsDenied("user_b", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }"); assertAccessIsDenied("user_c", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }"); + assertAccessIsDenied("user_e", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }"); assertAccessIsAllowed("user_a", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }"); assertAccessIsDenied("user_b", "GET", "/_snapshot/my-repo/my-snapshot/_status"); assertAccessIsDenied("user_c", "GET", "/_snapshot/my-repo/my-snapshot/_status"); assertAccessIsAllowed("user_a", "GET", "/_snapshot/my-repo/my-snapshot/_status"); assertAccessIsAllowed("user_d", "GET", "/_snapshot/my-repo/my-snapshot/_status"); + assertAccessIsAllowed("user_e", "GET", "/_snapshot/my-repo/my-snapshot/_status"); // This snapshot needs to be finished in order to be restored waitForSnapshotToFinish("my-repo", "my-snapshot"); @@ -175,6 +197,7 @@ public void testThatSnapshotAndRestore() throws Exception { assertAccessIsDenied("user_a", "DELETE", "/someindex"); assertAccessIsDenied("user_b", "DELETE", "/someindex"); assertAccessIsDenied("user_d", "DELETE", "/someindex"); + assertAccessIsDenied("user_e", "DELETE", "/someindex"); assertAccessIsAllowed("user_c", "DELETE", "/someindex"); Request restoreSnapshotRequest = new Request("POST", "/_snapshot/my-repo/my-snapshot/_restore"); 
@@ -182,21 +205,25 @@ public void testThatSnapshotAndRestore() throws Exception { assertAccessIsDenied("user_b", restoreSnapshotRequest); assertAccessIsDenied("user_c", restoreSnapshotRequest); assertAccessIsDenied("user_d", restoreSnapshotRequest); + assertAccessIsDenied("user_e", restoreSnapshotRequest); assertAccessIsAllowed("user_a", restoreSnapshotRequest); assertAccessIsDenied("user_a", "GET", "/someindex/_doc/1"); assertAccessIsDenied("user_b", "GET", "/someindex/_doc/1"); assertAccessIsDenied("user_d", "GET", "/someindex/_doc/1"); + assertAccessIsDenied("user_e", "GET", "/someindex/_doc/1"); assertAccessIsAllowed("user_c", "GET", "/someindex/_doc/1"); assertAccessIsDenied("user_b", "DELETE", "/_snapshot/my-repo/my-snapshot"); assertAccessIsDenied("user_c", "DELETE", "/_snapshot/my-repo/my-snapshot"); assertAccessIsDenied("user_d", "DELETE", "/_snapshot/my-repo/my-snapshot"); + assertAccessIsDenied("user_e", "DELETE", "/_snapshot/my-repo/my-snapshot"); assertAccessIsAllowed("user_a", "DELETE", "/_snapshot/my-repo/my-snapshot"); assertAccessIsDenied("user_b", "DELETE", "/_snapshot/my-repo"); assertAccessIsDenied("user_c", "DELETE", "/_snapshot/my-repo"); assertAccessIsDenied("user_d", "DELETE", "/_snapshot/my-repo"); + assertAccessIsDenied("user_e", "DELETE", "/_snapshot/my-repo"); assertAccessIsAllowed("user_a", "DELETE", "/_snapshot/my-repo"); } From 0a4a35becaf0bb9123b0dafb53f8b5cf9ba4af13 Mon Sep 17 00:00:00 2001 From: Anton Shuvaev Date: Tue, 24 Dec 2019 23:45:19 +0300 Subject: [PATCH 2/5] fix checkstyle --- .../xpack/core/security/authz/store/ReservedRolesStore.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index 166b9315b5f86..25ef033b38e27 100644 
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -256,7 +256,8 @@ private static Map initializeReservedRoles() { .privileges("view_index_metadata") .allowRestrictedIndices(true) .build() }, null, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) - .put("monitor_snapshot_user", new RoleDescriptor("monitor_snapshot_user", new String[] { "monitor_snapshot", GetRepositoriesAction.NAME }, + .put("monitor_snapshot_user", new RoleDescriptor("monitor_snapshot_user", + new String[] { "monitor_snapshot", GetRepositoriesAction.NAME }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices("*") .privileges("view_index_metadata") From a17714ee1f5456f834e43286c61798c65c5dde06 Mon Sep 17 00:00:00 2001 From: Anton Shuvaev Date: Wed, 25 Dec 2019 23:06:59 +0300 Subject: [PATCH 3/5] Fix tests --- .../client/documentation/SecurityDocumentationIT.java | 2 +- .../en/rest-api/security/get-builtin-privileges.asciidoc | 2 +- .../docs/en/security/authorization/built-in-roles.asciidoc | 6 ++++++ .../resources/rest-api-spec/test/privileges/11_builtin.yml | 2 +- 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java index ec2043d3da296..62ab7f5249281 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java 
@@ -695,7 +695,7 @@ public void testGetRoles() throws Exception { List roles = response.getRoles(); assertNotNull(response); // 28 system roles plus the three we created - assertThat(roles.size(), equalTo(28 + 3)); + assertThat(roles.size(), equalTo(29 + 3)); } { diff --git a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc index edd529d116d92..e5af329b63843 100644 --- a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc +++ b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc @@ -63,7 +63,6 @@ A successful call returns an object with "cluster" and "index" fields. "cluster" : [ "all", "create_snapshot", - "monitor_snapshot", "delegate_pki", "manage", "manage_api_key", @@ -88,6 +87,7 @@ A successful call returns an object with "cluster" and "index" fields. "monitor_data_frame_transforms", "monitor_ml", "monitor_rollup", + "monitor_snapshot", "monitor_transform", "monitor_watcher", "none", diff --git a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc index 55d12709124f4..601033f6fd77d 100644 --- a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc +++ b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc 
@@ -151,6 +151,12 @@ existing snapshot repositories and snapshot details. It does not grant authority to remove or add repositories or to restore snapshots. It also does not enable to change index settings or to read or update index data. +[[built-in-roles-monitor-snapshot-user]] `monitor_snapshot_user`:: +Grants the necessary privileges to view the configuration of +existing snapshot repositories and snapshot details. It does not grant authority +to create snapshots, to restore snapshots and to remove or add repositories. +It also does not enable to change index settings or to read or update index data. + [[built-in-roles-superuser]] `superuser`:: Grants full access to the cluster, including all indices and data. A user with the `superuser` role can also manage users and roles and diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml index c7130faf27749..02961a2db12f8 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml @@ -15,5 +15,5 @@ setup: # This is fragile - it needs to be updated every time we add a new cluster/index privilege # I would much prefer we could just check that specific entries are in the array, but we don't have # an assertion for that - - length: { "cluster" : 33 } + - length: { "cluster" : 34 } - length: { "index" : 17 } From 61c1f9a09c1480853583ce9a0ba455332174a745 Mon Sep 17 00:00:00 2001 From: Anton Shuvaev Date: Mon, 30 Dec 2019 11:25:18 +0500 Subject: [PATCH 4/5] Remove monitor_snapshot_user role --- .../authorization/built-in-roles.asciidoc | 42 ++++++++----------- .../authz/store/ReservedRolesStore.java | 8 ---- 2 files changed, 18 insertions(+), 32 deletions(-) 
diff --git a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc index 601033f6fd77d..333f6fbfe7a1e 100644 --- a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc +++ b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc @@ -15,7 +15,7 @@ Grants access necessary for the APM system user to send system-level data (such as monitoring) to {es}. [[built-in-roles-apm-user]] `apm_user` :: -Grants the privileges required for APM users (such as `read` and +Grants the privileges required for APM users (such as `read` and `view_index_metadata` privileges on the `apm-*` and `.ml-anomalies*` indices). [[built-in-roles-beats-admin]] `beats_admin` :: @@ -27,7 +27,7 @@ Grants access necessary for the Beats system user to send system-level data (such as monitoring) to {es}. + -- -[NOTE] +[NOTE] =============================== * This role should not be assigned to users as the granted permissions may change between releases. 
@@ -37,27 +37,27 @@ suitable for writing beats output to {es}. -- -[[built-in-roles-transform-admin]] `transform_admin` :: -Grants `manage_transform` cluster privileges, which enable you to manage -{transforms}. This role also includes all +[[built-in-roles-transform-admin]] `transform_admin` :: +Grants `manage_transform` cluster privileges, which enable you to manage +{transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. [[built-in-roles-transform-user]] `transform_user` :: -Grants `monitor_transform` cluster privileges, which enable you to use +Grants `monitor_transform` cluster privileges, which enable you to use {transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. [[built-in-roles-data-frame-transforms-admin]] `data_frame_transforms_admin` :: -(This role is deprecated, please use the -<> role instead.) Grants -`manage_data_frame_transforms` cluster privileges, which enable you to manage +(This role is deprecated, please use the +<> role instead.) Grants +`manage_data_frame_transforms` cluster privileges, which enable you to manage {transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. [[built-in-roles-data-frame-transforms-user]] `data_frame_transforms_user` :: -(This role is deprecated, please use the -<> role instead.) Grants -`monitor_data_frame_transforms` cluster privileges, which enable you to use +(This role is deprecated, please use the +<> role instead.) Grants +`monitor_data_frame_transforms` cluster privileges, which enable you to use {transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. 
@@ -100,7 +100,7 @@ Grants access necessary for the Logstash system user to send system-level data {logstash-ref}/ls-security.html[Configuring Security in Logstash]. + -- -[NOTE] +[NOTE] =============================== * This role should not be assigned to users as the granted permissions may change between releases. @@ -131,17 +131,17 @@ Monitoring users should also be assigned the `kibana_user` role. [[built-in-roles-remote-monitoring-agent]] `remote_monitoring_agent`:: Grants the minimum privileges required to write data into the monitoring indices -(`.monitoring-*`). This role also has the privileges necessary to create -{metricbeat} indices (`metricbeat-*`) and write data into them. +(`.monitoring-*`). This role also has the privileges necessary to create +{metricbeat} indices (`metricbeat-*`) and write data into them. [[built-in-roles-remote-monitoring-collector]] `remote_monitoring_collector`:: Grants the minimum privileges required to collect monitoring data for the {stack}. [[built-in-roles-reporting-user]] `reporting_user`:: Grants the specific privileges required for users of {reporting} other than those -required to use {kib}. This role grants access to the reporting indices; each -user has access to only their own reports. Reporting users should also be -assigned the `kibana_user` role and a role that grants them access to the data +required to use {kib}. This role grants access to the reporting indices; each +user has access to only their own reports. Reporting users should also be +assigned the `kibana_user` role and a role that grants them access to the data that will be used to generate reports. [[built-in-roles-snapshot-user]] `snapshot_user`:: 
@@ -151,12 +151,6 @@ existing snapshot repositories and snapshot details. It does not grant authority to remove or add repositories or to restore snapshots. It also does not enable to change index settings or to read or update index data. -[[built-in-roles-monitor-snapshot-user]] `monitor_snapshot_user`:: -Grants the necessary privileges to view the configuration of -existing snapshot repositories and snapshot details. It does not grant authority -to create snapshots, to restore snapshots and to remove or add repositories. -It also does not enable to change index settings or to read or update index data. - [[built-in-roles-superuser]] `superuser`:: Grants full access to the cluster, including all indices and data. A user with the `superuser` role can also manage users and roles and diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index 25ef033b38e27..d9db50678c160 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java 
@@ -256,14 +256,6 @@ private static Map initializeReservedRoles() { .privileges("view_index_metadata") .allowRestrictedIndices(true) .build() }, null, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) - .put("monitor_snapshot_user", new RoleDescriptor("monitor_snapshot_user", - new String[] { "monitor_snapshot", GetRepositoriesAction.NAME }, - new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() - .indices("*") - .privileges("view_index_metadata") - .allowRestrictedIndices(true) - .build() }, null, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) - .put("enrich_user", new RoleDescriptor("enrich_user", new String[]{ "manage_enrich", "manage_ingest_pipelines", "monitor" }, new RoleDescriptor.IndicesPrivileges[]{ RoleDescriptor.IndicesPrivileges.builder() .indices(".enrich-*") From f86b36fdf97b74018b1f2e07331b2048b0c035cd Mon Sep 17 00:00:00 2001 From: Anton Shuvaev Date: Mon, 30 Dec 2019 11:33:45 +0500 Subject: [PATCH 5/5] Remove monitor_snapshot_user role --- .../SecurityDocumentationIT.java | 2 +- .../authorization/built-in-roles.asciidoc | 36 +++++++++---------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java index 62ab7f5249281..ec2043d3da296 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java @@ -695,7 +695,7 @@ public void testGetRoles() throws Exception { List roles = response.getRoles(); assertNotNull(response); // 28 system roles plus the three we created - assertThat(roles.size(), equalTo(29 + 3)); + assertThat(roles.size(), equalTo(28 + 3)); } { 
diff --git a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc index 333f6fbfe7a1e..55d12709124f4 100644 --- a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc +++ b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc @@ -15,7 +15,7 @@ Grants access necessary for the APM system user to send system-level data (such as monitoring) to {es}. [[built-in-roles-apm-user]] `apm_user` :: -Grants the privileges required for APM users (such as `read` and +Grants the privileges required for APM users (such as `read` and `view_index_metadata` privileges on the `apm-*` and `.ml-anomalies*` indices). [[built-in-roles-beats-admin]] `beats_admin` :: @@ -27,7 +27,7 @@ Grants access necessary for the Beats system user to send system-level data (such as monitoring) to {es}. + -- -[NOTE] +[NOTE] =============================== * This role should not be assigned to users as the granted permissions may change between releases. 
@@ -37,27 +37,27 @@ suitable for writing beats output to {es}. -- -[[built-in-roles-transform-admin]] `transform_admin` :: -Grants `manage_transform` cluster privileges, which enable you to manage -{transforms}. This role also includes all +[[built-in-roles-transform-admin]] `transform_admin` :: +Grants `manage_transform` cluster privileges, which enable you to manage +{transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. [[built-in-roles-transform-user]] `transform_user` :: -Grants `monitor_transform` cluster privileges, which enable you to use +Grants `monitor_transform` cluster privileges, which enable you to use {transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. [[built-in-roles-data-frame-transforms-admin]] `data_frame_transforms_admin` :: -(This role is deprecated, please use the -<> role instead.) Grants -`manage_data_frame_transforms` cluster privileges, which enable you to manage +(This role is deprecated, please use the +<> role instead.) Grants +`manage_data_frame_transforms` cluster privileges, which enable you to manage {transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. [[built-in-roles-data-frame-transforms-user]] `data_frame_transforms_user` :: -(This role is deprecated, please use the -<> role instead.) Grants -`monitor_data_frame_transforms` cluster privileges, which enable you to use +(This role is deprecated, please use the +<> role instead.) Grants +`monitor_data_frame_transforms` cluster privileges, which enable you to use {transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. 
@@ -100,7 +100,7 @@ Grants access necessary for the Logstash system user to send system-level data {logstash-ref}/ls-security.html[Configuring Security in Logstash]. + -- -[NOTE] +[NOTE] =============================== * This role should not be assigned to users as the granted permissions may change between releases. @@ -131,17 +131,17 @@ Monitoring users should also be assigned the `kibana_user` role. [[built-in-roles-remote-monitoring-agent]] `remote_monitoring_agent`:: Grants the minimum privileges required to write data into the monitoring indices -(`.monitoring-*`). This role also has the privileges necessary to create -{metricbeat} indices (`metricbeat-*`) and write data into them. +(`.monitoring-*`). This role also has the privileges necessary to create +{metricbeat} indices (`metricbeat-*`) and write data into them. [[built-in-roles-remote-monitoring-collector]] `remote_monitoring_collector`:: Grants the minimum privileges required to collect monitoring data for the {stack}. [[built-in-roles-reporting-user]] `reporting_user`:: Grants the specific privileges required for users of {reporting} other than those -required to use {kib}. This role grants access to the reporting indices; each -user has access to only their own reports. Reporting users should also be -assigned the `kibana_user` role and a role that grants them access to the data +required to use {kib}. This role grants access to the reporting indices; each +user has access to only their own reports. Reporting users should also be +assigned the `kibana_user` role and a role that grants them access to the data that will be used to generate reports. [[built-in-roles-snapshot-user]] `snapshot_user`::