Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix privilege requirement for CCS with Point In Time reader #62261

Merged
merged 7 commits into from
Sep 21, 2020
Merged

Fix privilege requirement for CCS with Point In Time reader #62261

merged 7 commits into from
Sep 21, 2020

Conversation

ywangd
Copy link
Member

@ywangd ywangd commented Sep 11, 2020
edited
Loading

When target indices are remote only, CCS does not require user to have privileges on the local cluster. This PR ensure Point-In-Time reader follows the same pattern.

Relates: #61827

@dnhatn @jimczi

@ywangd ywangd added >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.10.0 labels Sep 11, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Sep 11, 2020
albertzaharovits
albertzaharovits reviewed Sep 14, 2020
View reviewed changes
...security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java Outdated
public void testUserWithNoRolesOpenPointInTimeWithRemoteIndices() {
final boolean hasLocalIndices = randomBoolean();
final String[] indices = new String[]{
hasLocalIndices ? randomAlphaOfLength(5) : "other_cluster:" + randomAlphaOfLength(5),
Copy link
Contributor

@albertzaharovits albertzaharovits Sep 14, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would also exercise the condition that remote indices are wildcards (it could be a random)

albertzaharovits
albertzaharovits reviewed Sep 14, 2020
View reviewed changes
...security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java Outdated
@@ -479,6 +484,46 @@ public void testRemoteIndicesOnlyWorkWithApplicableRequestTypes() throws IOExcep
verifyNoMoreInteractions(auditTrail);
}

public void testUserWithNoRolesOpenPointInTimeWithRemoteIndices() {
final boolean hasLocalIndices = randomBoolean();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

set this to both values in a for-each.

albertzaharovits
albertzaharovits approved these changes Sep 14, 2020
View reviewed changes
Copy link
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM Nice one Yang!

I had just a couple of small nits +
Also can you please amend the IndicesAndAliasesResolverTests#testRemotableRequestsAllowRemoteIndices test for the OpenPointInTimeRequest (and maybe randomly make foo a wildcard foo*).

@dnhatn
Copy link
Member

dnhatn commented Sep 14, 2020

@ywangd Thanks for fixing this.

@ywangd
Copy link
Member Author

ywangd commented Sep 18, 2020

Thanks @albertzaharovits

That was a good catch on the yaml test. You are right, neither subsequent search nor close remote PIT require any local privilege. It was a copy/paste error from the previous test's Authorization headers. I have now rectified them. Thanks!

@ywangd ywangd merged commit 4dd85a1 into elastic:master Sep 21, 2020
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Sep 21, 2020
@ywangd
Fix privilege requirement for CCS with Point In Time reader (elastic#…
692cb6f 
…62261)

When target indices are remote only, CCS does not require user to have privileges on the local cluster. This PR ensure Point-In-Time reader follows the same pattern.

Relates: elastic#61827
ywangd added a commit that referenced this pull request Sep 22, 2020
@ywangd
Fix privilege requirement for CCS with Point In Time reader (#62261) (#…
28503f0 
…62696)

When target indices are remote only, CCS does not require user to have privileges on the local cluster. This PR ensure Point-In-Time reader follows the same pattern.

Relates: #61827
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@albertzaharovits albertzaharovits albertzaharovits approved these changes

Assignees
No one assigned
Labels
>non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.10.0 v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ywangd @elasticmachine @dnhatn @albertzaharovits @jakelandis