[ML][Data Frame] add the src priv check for view_index_metadata (#43118)

elastic · Jun 12, 2019 · 4e392e1 · 4e392e1
1 parent 40a55af
commit 4e392e1
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/...n/java/org/elasticsearch/xpack/dataframe/action/TransportPutDataFrameTransformAction.java b/...n/java/org/elasticsearch/xpack/dataframe/action/TransportPutDataFrameTransformAction.java
@@ -173,23 +173,29 @@ protected void masterOperation(Request request, ClusterState clusterState, Actio
         // Early check to verify that the user can create the destination index and can read from the source
         if (licenseState.isAuthAllowed()) {
             final String username = securityContext.getUser().principal();
-            RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
-                .indices(config.getSource().getIndex())
-                .privileges("read")
-                .build();
+            List<String> srcPrivileges = new ArrayList<>(2);
+            srcPrivileges.add("read");
+
             List<String> destPrivileges = new ArrayList<>(3);
             destPrivileges.add("read");
             destPrivileges.add("index");
             // If the destination index does not exist, we can assume that we may have to create it on start.
             // We should check that the creating user has the privileges to create the index.
             if (concreteDest.length == 0) {
                 destPrivileges.add("create_index");
+                // We need to read the source indices mapping to deduce the destination mapping
+                srcPrivileges.add("view_index_metadata");
             }
             RoleDescriptor.IndicesPrivileges destIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
                 .indices(destIndex)
                 .privileges(destPrivileges)
                 .build();
 
+            RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
+                .indices(config.getSource().getIndex())
+                .privileges(srcPrivileges)
+                .build();
+
             HasPrivilegesRequest privRequest = new HasPrivilegesRequest();
             privRequest.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[0]);
             privRequest.username(username);