forked from elastic/elasticsearch
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Note restricted indices in access denied message (elastic#85013)
When security prevents access to an index, it indicates the action that was attempted, the indices it was applied to and the privileges that would grant that access. However, if the index is a restricted index, that message was insufficient. Even if the user was granted "all" on "*", they would still be prevented from performing actions on restricted indices such as ".security" or ".kibana". Access to those indices would require a role that grants access with the allow_restricted_indices field set to true. This change expands the error message to note which indices are "restricted" as a way of guiding users towards the necessary solution.
Showing 6 changed files with 83 additions and 9 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
pr: 85013 | ||
summary: Note restricted indices in access denied message | ||
area: Authorization | ||
type: enhancement | ||
issues: [] |
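Review bot: the `summary` line does not tell a reader that the text of the access denied message itself changes, which matters to anyone who matches on that text in log searches or alerts. Consider wording it to say that the message now lists restricted indices separately, and fill in `issues` if a report prompted this change.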
40 changes: 40 additions & 0 deletions
...e/src/test/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngineTests.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
package org.elasticsearch.xpack.core.security.authz; | ||
|
||
import org.elasticsearch.test.ESTestCase; | ||
|
||
import java.util.List; | ||
import java.util.function.Predicate; | ||
|
||
import static org.hamcrest.Matchers.is; | ||
|
||
public class AuthorizationEngineTests extends ESTestCase { | ||
|
||
public void testIndexAuthorizationResultFailureMessage() { | ||
final Predicate<String> restrictedIndex = s -> s.startsWith("."); | ||
assertThat( | ||
AuthorizationEngine.IndexAuthorizationResult.getFailureDescription(List.of("index-1", "index-2", ".index-3"), restrictedIndex), | ||
is("on indices [index-1,index-2] and restricted indices [.index-3]") | ||
); | ||
|
||
assertThat( | ||
AuthorizationEngine.IndexAuthorizationResult.getFailureDescription(List.of("index-1"), restrictedIndex), | ||
is("on indices [index-1]") | ||
); | ||
|
||
assertThat( | ||
AuthorizationEngine.IndexAuthorizationResult.getFailureDescription( | ||
List.of(".index-1", ".index-2", ".index-3"), | ||
restrictedIndex | ||
), | ||
is("on restricted indices [.index-1,.index-2,.index-3]") | ||
); | ||
} | ||
|
||
} |
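Review bot: the mixed-list assertion in `testIndexAuthorizationResultFailureMessage` puts the restricted name last (`"index-1", "index-2", ".index-3"`), so the test would still pass if `getFailureDescription` depended on input order rather than on the predicate. Add a case with interleaved names such as `List.of(".index-1", "index-2", ".index-3")`, and one with an empty list so the output for no indices is pinned down. The `s -> s.startsWith(".")` predicate would also benefit from a short comment saying it is only a test stand-in for the real restricted-index check, so readers do not take the dot prefix as the rule.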