Permission for restricted indices #37577
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
albertzaharovits
added
>enhancement
v7.0.0
:Security/Authorization
|
Pinging @elastic/es-security |
jaymode
reviewed
Jan 18, 2019
| @Nullable String query) { | ||
| super(indices, privileges); | ||
| private IndicesPrivileges(Collection<String> indices, Collection<String> privileges, boolean allowRestrictedIndices, | ||
| @Nullable FieldSecurity fieldSecurity, @Nullable String query) { |
There was a problem hiding this comment.
nit: can you align the fields so that the @ on this line aligns with the C
| return check(action) && (indexNameMatcher.test(index) | ||
| && ((false == RestrictedIndicesNames.NAMES_SET.contains(index)) // if it is not restricted no more checks are required | ||
| || IndexPrivilege.MONITOR.predicate().test(action) // allow monitor as a special case, even for restricted | ||
| || allowRestrictedIndices) |
There was a problem hiding this comment.
I suggest we reorder this check to:
(indexNameMatcher.test(index) && (allowRestrictedIndices || false == RestrictedIndicesNames.NAMES_SET.contains(index) || IndexPrivilege.MONITOR.predicate().test(action))
| } | ||
| } | ||
| } | ||
| return indexMatcher(restrictedIndices) |
There was a problem hiding this comment.
I think it might be worth checking if we have any restricted or any ordinary
final Predicate<String> predicate;
if (restricted.isEmpty()) {
predicate = indexMatcher(ordinaryIndices)
.and(index -> false == RestrictedIndicesNames.NAMES_SET.contains(index));
} else if (ordinary.isEmpty()) {
predicate = indexMatcher(restrictedIndices);
} else {
predicate = indexMatcher(restrictedIndices)
.or(indexMatcher(ordinaryIndices)
.and(index -> false == RestrictedIndicesNames.NAMES_SET.contains(index)));
}also, shouldn't we take into account the monitor action case?
There was a problem hiding this comment.
I think it might be worth checking if we have any restricted or any ordinary
Agreed will do!
shouldn't we take into account the monitor action case?
Ha! I noticed this too, but I decided to keep the original behavior. In the original behavior, monitoring for wildcards will not work, indices have to be named explicitly.
Out of the three options:
- remove support all together
- keep it as is
- extend monitoring priv to wildcards
I am leaning towards 1, but only slightly. Maintaining the status quo was chosen so that this PR sail smoothly.
I think we can make any such change in a different PR (if it's breaking I'll take good care of it to catch the train!)
There was a problem hiding this comment.
Let's maintain status quo in this PR and then do 1 in a followup targeted towards 7.0
| import java.util.Collections; | ||
| import java.util.Set; | ||
|
|
||
| public class RestrictedIndicesNames { |
There was a problem hiding this comment.
make the class final and add private constructor
There was a problem hiding this comment.
I'll learn, I'll learn, thanks for the patience!
|
Thanks for the speedy feedback @jaymode ! I have pushed the fixes. |
jaymode
approved these changes
Jan 18, 2019
|
run gradle build tests 1 |
albertzaharovits
added a commit
that referenced
this pull request
Jan 20, 2019
This grants the capability to grant privileges over certain restricted
indices (.security and .security-6 at the moment).
It also removes the special status of the superuser role.
IndicesPermission.Group is extended by adding the `allow_restricted_indices`
boolean flag. By default the flag is false. When it is toggled, you acknowledge
that the indices under the scope of the permission group can cover the
restricted indices as well. Otherwise, by default, restricted indices are ignored
when granting privileges, thus rendering them hidden for authorization purposes.
This effectively adds a confirmation "check-box" for roles that might grant
privileges to restricted indices.
The "special status" of the superuser role has been removed and coded as
any other role:
```
new RoleDescriptor("superuser",
new String[] { "all" },
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices("*")
.privileges("all")
.allowRestrictedIndices(true)
// this ----^
.build() },
new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("*")
.privileges("*")
.resources("*")
.build()
},
null, new String[] { "*" },
MetadataUtils.DEFAULT_RESERVED_METADATA,
Collections.emptyMap());
```
In the context of the Backup .security work, this allows the creation of a
"curator role" that would permit listing (get settings) for all indices
(including the restricted ones). That way the curator role would be able to
ist and snapshot all indices, but not read or restore any of them.
Supersedes #36765
Relates #34454
jasontedor
added a commit
to jasontedor/elasticsearch
that referenced
this pull request
Jan 21, 2019
* elastic/master: (104 commits) Permission for restricted indices (elastic#37577) Remove Watcher Account "unsecure" settings (elastic#36736) Add cache cleaning task for ML snapshot (elastic#37505) Update jdk used by the docker builds (elastic#37621) Remove an unused constant in PutMappingRequest. Update get users to allow unknown fields (elastic#37593) Do not add index event listener if CCR disabled (elastic#37432) Add local session timeouts to leader node (elastic#37438) Add some deprecation optimizations (elastic#37597) refactor inner geogrid classes to own class files (elastic#37596) Remove obsolete deprecation checks (elastic#37510) ML: Add support for single bucket aggs in Datafeeds (elastic#37544) ML: creating ML State write alias and pointing writes there (elastic#37483) Deprecate types in the put mapping API. (elastic#37280) [ILM] Add unfollow action (elastic#36970) Packaging: Update marker used to allow ELASTIC_PASSWORD (elastic#37243) Fix setting openldap realm ssl config Document the need for JAVA11_HOME (elastic#37589) SQL: fix object extraction from sources (elastic#37502) Nit in settings.gradle for Eclipse ...
This was referenced Jan 21, 2019
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Jan 5, 2022
allowRestrictedIndices was only added in ES6.7 (see elastic#37577). For randomised testing we should not set that field if we are generating a role descriptor that will be serialized into an older version stream. Resolves: elastic#82216
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jan 10, 2022
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Jan 10, 2022
allowRestrictedIndices was only added in ES6.7 (see elastic#37577). For randomised testing we should not set that field if we are generating a role descriptor that will be serialized into an older version stream. Resolves: elastic#82216
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jan 10, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Supersedes #36765 .
This grants the capability to grant privileges over certain restricted indices (
.securityand.security-6at the moment) . It also removes the special status of thesuperuserrole.IndicesPermission.Groupis extended by adding theallow_restricted_indicesboolean flag. By default the flag isfalse. When it is toggled, you acknowledge that the indices under the scope of the permission group can cover the restricted indices as well. Otherwise, by default, restricted indices are ignored when granting privileges, thus rendering them hidden for authorization purposes.This effectively adds a confirmation "check-box" for roles that might grant privileges to restricted indices.
The "special status" of the
superuserrole has been removed and coded as any other role:In the context of the Backup .security work, this would allow the creation of a curator role that would permit listing (get settings) for all indices (including the restricted ones). That way the curator role would be able to list and snapshot all indices, but not read or restore any of them.
Relates #34454