Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 'monitor_snapshot' cluster privilege #50489

Merged
merged 6 commits into from
Jan 6, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ A successful call returns an object with "cluster" and "index" fields.
"monitor_data_frame_transforms",
"monitor_ml",
"monitor_rollup",
"monitor_snapshot",
"monitor_transform",
"monitor_watcher",
"none",
Expand Down
3 changes: 3 additions & 0 deletions x-pack/docs/en/security/authorization/privileges.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,9 @@ settings update, rerouting, or managing users and roles.
Privileges to create snapshots for existing repositories. Can also list and view
details on existing repositories and snapshots.

`monitor_snapshot`::
Privileges to list and view details on existing repositories and snapshots.

`manage`::
Builds on `monitor` and adds cluster operations that change values in the cluster.
This includes snapshotting, updating settings, and rerouting. It also includes
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,8 @@ public class ClusterPrivilegeResolver {
Set.of("cluster:admin/xpack/ccr/*", ClusterStateAction.NAME, HasPrivilegesAction.NAME);
private static final Set<String> CREATE_SNAPSHOT_PATTERN = Set.of(CreateSnapshotAction.NAME, SnapshotsStatusAction.NAME + "*",
GetSnapshotsAction.NAME, SnapshotsStatusAction.NAME, GetRepositoriesAction.NAME);
private static final Set<String> MONITOR_SNAPSHOT_PATTERN = Set.of(SnapshotsStatusAction.NAME + "*", GetSnapshotsAction.NAME,
SnapshotsStatusAction.NAME, GetRepositoriesAction.NAME);
private static final Set<String> READ_CCR_PATTERN = Set.of(ClusterStateAction.NAME, HasPrivilegesAction.NAME);
private static final Set<String> MANAGE_ILM_PATTERN = Set.of("cluster:admin/ilm/*");
private static final Set<String> READ_ILM_PATTERN = Set.of(GetLifecycleAction.NAME, GetStatusAction.NAME);
Expand Down Expand Up @@ -109,6 +111,7 @@ public class ClusterPrivilegeResolver {
public static final NamedClusterPrivilege MANAGE_CCR = new ActionClusterPrivilege("manage_ccr", MANAGE_CCR_PATTERN);
public static final NamedClusterPrivilege READ_CCR = new ActionClusterPrivilege("read_ccr", READ_CCR_PATTERN);
public static final NamedClusterPrivilege CREATE_SNAPSHOT = new ActionClusterPrivilege("create_snapshot", CREATE_SNAPSHOT_PATTERN);
public static final NamedClusterPrivilege MONITOR_SNAPSHOT = new ActionClusterPrivilege("monitor_snapshot", MONITOR_SNAPSHOT_PATTERN);
public static final NamedClusterPrivilege MANAGE_ILM = new ActionClusterPrivilege("manage_ilm", MANAGE_ILM_PATTERN);
public static final NamedClusterPrivilege READ_ILM = new ActionClusterPrivilege("read_ilm", READ_ILM_PATTERN);
public static final NamedClusterPrivilege MANAGE_SLM = new ActionClusterPrivilege("manage_slm", MANAGE_SLM_PATTERN);
Expand Down Expand Up @@ -146,6 +149,7 @@ public class ClusterPrivilegeResolver {
MANAGE_CCR,
READ_CCR,
CREATE_SNAPSHOT,
MONITOR_SNAPSHOT,
MANAGE_ILM,
READ_ILM,
MANAGE_SLM,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,13 +36,17 @@ public class ClusterPrivilegeTests extends AbstractPrivilegeTestCase {
" - names: 'someindex'\n" +
" privileges: [ all ]\n" +
"role_d:\n" +
" cluster: [ create_snapshot ]\n";
" cluster: [ create_snapshot ]\n" +
"\n" +
"role_e:\n" +
" cluster: [ monitor_snapshot]\n";

private static final String USERS_ROLES =
"role_a:user_a\n" +
"role_b:user_b\n" +
"role_c:user_c\n" +
"role_d:user_d\n";
"role_d:user_d\n" +
"role_e:user_e\n";

private static Path repositoryLocation;

Expand Down Expand Up @@ -81,7 +85,8 @@ protected String configUsers() {
"user_a:" + usersPasswdHashed + "\n" +
"user_b:" + usersPasswdHashed + "\n" +
"user_c:" + usersPasswdHashed + "\n" +
"user_d:" + usersPasswdHashed + "\n";
"user_d:" + usersPasswdHashed + "\n" +
"user_e:" + usersPasswdHashed + "\n";
}

@Override
Expand Down Expand Up @@ -139,6 +144,19 @@ public void testThatClusterPrivilegesWorkAsExpectedViaHttp() throws Exception {
assertAccessIsDenied("user_d", "GET", "/_nodes/infos");
assertAccessIsDenied("user_d", "POST", "/_cluster/reroute");
assertAccessIsDenied("user_d", "PUT", "/_cluster/settings", "{ \"transient\" : { \"search.default_search_timeout\": \"1m\" } }");

// user_e can view repos and snapshots on existing repos, everything else is DENIED
assertAccessIsDenied("user_e", "GET", "/_cluster/state");
assertAccessIsDenied("user_e", "GET", "/_cluster/health");
assertAccessIsDenied("user_e", "GET", "/_cluster/settings");
assertAccessIsDenied("user_e", "GET", "/_cluster/stats");
assertAccessIsDenied("user_e", "GET", "/_cluster/pending_tasks");
assertAccessIsDenied("user_e", "GET", "/_nodes/stats");
assertAccessIsDenied("user_e", "GET", "/_nodes/hot_threads");
assertAccessIsDenied("user_e", "GET", "/_nodes/infos");
assertAccessIsDenied("user_e", "POST", "/_cluster/reroute");
assertAccessIsDenied("user_e", "PUT", "/_cluster/settings", "{ \"transient\" : { \"search.default_search_timeout\": \"1m\" } }");

}

public void testThatSnapshotAndRestore() throws Exception {
Expand All @@ -147,6 +165,7 @@ public void testThatSnapshotAndRestore() throws Exception {
assertAccessIsDenied("user_b", "PUT", "/_snapshot/my-repo", repoJson);
assertAccessIsDenied("user_c", "PUT", "/_snapshot/my-repo", repoJson);
assertAccessIsDenied("user_d", "PUT", "/_snapshot/my-repo", repoJson);
assertAccessIsDenied("user_e", "PUT", "/_snapshot/my-repo", repoJson);
assertAccessIsAllowed("user_a", "PUT", "/_snapshot/my-repo", repoJson);

Request createBar = new Request("PUT", "/someindex/_doc/1");
Expand All @@ -155,16 +174,19 @@ public void testThatSnapshotAndRestore() throws Exception {
assertAccessIsDenied("user_a", createBar);
assertAccessIsDenied("user_b", createBar);
assertAccessIsDenied("user_d", createBar);
assertAccessIsDenied("user_e", createBar);
assertAccessIsAllowed("user_c", createBar);

assertAccessIsDenied("user_b", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }");
assertAccessIsDenied("user_c", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }");
assertAccessIsDenied("user_e", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }");
assertAccessIsAllowed("user_a", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }");

assertAccessIsDenied("user_b", "GET", "/_snapshot/my-repo/my-snapshot/_status");
assertAccessIsDenied("user_c", "GET", "/_snapshot/my-repo/my-snapshot/_status");
assertAccessIsAllowed("user_a", "GET", "/_snapshot/my-repo/my-snapshot/_status");
assertAccessIsAllowed("user_d", "GET", "/_snapshot/my-repo/my-snapshot/_status");
assertAccessIsAllowed("user_e", "GET", "/_snapshot/my-repo/my-snapshot/_status");

// This snapshot needs to be finished in order to be restored
waitForSnapshotToFinish("my-repo", "my-snapshot");
Expand All @@ -175,28 +197,33 @@ public void testThatSnapshotAndRestore() throws Exception {
assertAccessIsDenied("user_a", "DELETE", "/someindex");
assertAccessIsDenied("user_b", "DELETE", "/someindex");
assertAccessIsDenied("user_d", "DELETE", "/someindex");
assertAccessIsDenied("user_e", "DELETE", "/someindex");
assertAccessIsAllowed("user_c", "DELETE", "/someindex");

Request restoreSnapshotRequest = new Request("POST", "/_snapshot/my-repo/my-snapshot/_restore");
restoreSnapshotRequest.addParameter("wait_for_completion", "true");
assertAccessIsDenied("user_b", restoreSnapshotRequest);
assertAccessIsDenied("user_c", restoreSnapshotRequest);
assertAccessIsDenied("user_d", restoreSnapshotRequest);
assertAccessIsDenied("user_e", restoreSnapshotRequest);
assertAccessIsAllowed("user_a", restoreSnapshotRequest);

assertAccessIsDenied("user_a", "GET", "/someindex/_doc/1");
assertAccessIsDenied("user_b", "GET", "/someindex/_doc/1");
assertAccessIsDenied("user_d", "GET", "/someindex/_doc/1");
assertAccessIsDenied("user_e", "GET", "/someindex/_doc/1");
assertAccessIsAllowed("user_c", "GET", "/someindex/_doc/1");

assertAccessIsDenied("user_b", "DELETE", "/_snapshot/my-repo/my-snapshot");
assertAccessIsDenied("user_c", "DELETE", "/_snapshot/my-repo/my-snapshot");
assertAccessIsDenied("user_d", "DELETE", "/_snapshot/my-repo/my-snapshot");
assertAccessIsDenied("user_e", "DELETE", "/_snapshot/my-repo/my-snapshot");
assertAccessIsAllowed("user_a", "DELETE", "/_snapshot/my-repo/my-snapshot");

assertAccessIsDenied("user_b", "DELETE", "/_snapshot/my-repo");
assertAccessIsDenied("user_c", "DELETE", "/_snapshot/my-repo");
assertAccessIsDenied("user_d", "DELETE", "/_snapshot/my-repo");
assertAccessIsDenied("user_e", "DELETE", "/_snapshot/my-repo");
assertAccessIsAllowed("user_a", "DELETE", "/_snapshot/my-repo");
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,5 @@ setup:
# This is fragile - it needs to be updated every time we add a new cluster/index privilege
# I would much prefer we could just check that specific entries are in the array, but we don't have
# an assertion for that
- length: { "cluster" : 33 }
- length: { "cluster" : 34 }
- length: { "index" : 17 }