Create snapshot role (#35820)

This commit introduces the `create_snapshot` cluster privilege and
the `snapshot_user` role.
This role is to be used by "cronable" tools that call the snapshot API
periodically without recurring to the `manage` cluster privilege. The
`create_snapshot` cluster privilege is much more limited compared to
the `manage` privilege.

The `snapshot_user` role grants the privileges to view the metadata of
all indices (including restricted ones, i.e. .security). It obviously grants the
create snapshot privilege but the repository has to be created using another
role. In addition, it grants the privileges to (only) GET repositories and
snapshots, but not create and delete them.

The role does not allow to create repositories. This distinction is important
because snapshotting equates to the `read` index privilege if the user has
control of the snapshot destination, but this is not the case in this instance,
because the role does not grant control over repository configuration.

Author: albertzaharovits

client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java

@@ -638,8 +638,8 @@ public void testGetRoles() throws Exception {
 
             List<Role> roles = response.getRoles();
             assertNotNull(response);
-            // 23 system roles plus the three we created
-            assertThat(roles.size(), equalTo(26));
+            // 24 system roles plus the three we created
+            assertThat(roles.size(), equalTo(27));
         }
 
         {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java

@@ -6,6 +6,10 @@
 package org.elasticsearch.xpack.core.security.authz.privilege;
 
 import org.apache.lucene.util.automaton.Automaton;
+import org.elasticsearch.action.admin.cluster.repositories.get.GetRepositoriesAction;
+import org.elasticsearch.action.admin.cluster.snapshots.create.CreateSnapshotAction;
+import org.elasticsearch.action.admin.cluster.snapshots.get.GetSnapshotsAction;
+import org.elasticsearch.action.admin.cluster.snapshots.status.SnapshotsStatusAction;
 import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.MapBuilder;
@@ -48,6 +52,8 @@ public final class ClusterPrivilege extends Privilege {
     private static final Automaton MANAGE_ROLLUP_AUTOMATON = patterns("cluster:admin/xpack/rollup/*", "cluster:monitor/xpack/rollup/*");
     private static final Automaton MANAGE_CCR_AUTOMATON =
         patterns("cluster:admin/xpack/ccr/*", ClusterStateAction.NAME, HasPrivilegesAction.NAME);
+    private static final Automaton CREATE_SNAPSHOT_AUTOMATON = patterns(CreateSnapshotAction.NAME, SnapshotsStatusAction.NAME + "*",
+            GetSnapshotsAction.NAME, SnapshotsStatusAction.NAME, GetRepositoriesAction.NAME);
     private static final Automaton READ_CCR_AUTOMATON = patterns(ClusterStateAction.NAME, HasPrivilegesAction.NAME);
     private static final Automaton MANAGE_ILM_AUTOMATON = patterns("cluster:admin/ilm/*");
     private static final Automaton READ_ILM_AUTOMATON = patterns(GetLifecycleAction.NAME, GetStatusAction.NAME);
@@ -73,6 +79,7 @@ public final class ClusterPrivilege extends Privilege {
     public static final ClusterPrivilege MANAGE_PIPELINE =       new ClusterPrivilege("manage_pipeline", "cluster:admin/ingest/pipeline/*");
     public static final ClusterPrivilege MANAGE_CCR =            new ClusterPrivilege("manage_ccr", MANAGE_CCR_AUTOMATON);
     public static final ClusterPrivilege READ_CCR =              new ClusterPrivilege("read_ccr", READ_CCR_AUTOMATON);
+    public static final ClusterPrivilege CREATE_SNAPSHOT =       new ClusterPrivilege("create_snapshot", CREATE_SNAPSHOT_AUTOMATON);
     public static final ClusterPrivilege MANAGE_ILM =            new ClusterPrivilege("manage_ilm", MANAGE_ILM_AUTOMATON);
     public static final ClusterPrivilege READ_ILM =              new ClusterPrivilege("read_ilm", READ_ILM_AUTOMATON);
 
@@ -98,6 +105,7 @@ public final class ClusterPrivilege extends Privilege {
             .put("manage_rollup", MANAGE_ROLLUP)
             .put("manage_ccr", MANAGE_CCR)
             .put("read_ccr", READ_CCR)
+            .put("create_snapshot", CREATE_SNAPSHOT)
             .put("manage_ilm", MANAGE_ILM)
             .put("read_ilm", READ_ILM)
             .immutableMap();

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -64,8 +64,8 @@ public final class IndexPrivilege extends Privilege {
         CloseIndexAction.NAME + "*");
     private static final Automaton MANAGE_ILM_AUTOMATON = patterns("indices:admin/ilm/*");
 
-    public static final IndexPrivilege NONE =                new IndexPrivilege("none",             Automatons.EMPTY);
-    public static final IndexPrivilege ALL =                 new IndexPrivilege("all",              ALL_AUTOMATON);
+    public static final IndexPrivilege NONE =                new IndexPrivilege("none",                Automatons.EMPTY);
+    public static final IndexPrivilege ALL =                 new IndexPrivilege("all",                 ALL_AUTOMATON);
     public static final IndexPrivilege READ =                new IndexPrivilege("read",                READ_AUTOMATON);
     public static final IndexPrivilege READ_CROSS_CLUSTER =  new IndexPrivilege("read_cross_cluster",  READ_CROSS_CLUSTER_AUTOMATON);
     public static final IndexPrivilege CREATE =              new IndexPrivilege("create",              CREATE_AUTOMATON);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -6,6 +6,7 @@
 package org.elasticsearch.xpack.core.security.authz.store;
 
 import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.admin.cluster.repositories.get.GetRepositoriesAction;
 import org.elasticsearch.common.collect.MapBuilder;
 import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
@@ -179,6 +180,12 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         RoleDescriptor.IndicesPrivileges.builder()
                             .indices(".code-*").privileges("read").build()
                     }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
+                .put("snapshot_user", new RoleDescriptor("snapshot_user", new String[] { "create_snapshot", GetRepositoriesAction.NAME },
+                        new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder()
+                                .indices("*")
+                                .privileges("view_index_metadata")
+                                .allowRestrictedIndices(true)
+                                .build() }, null, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
                 .immutableMap();
     }
 

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -7,8 +7,13 @@
 
 import org.elasticsearch.Version;
 import org.elasticsearch.action.admin.cluster.health.ClusterHealthAction;
+import org.elasticsearch.action.admin.cluster.repositories.get.GetRepositoriesAction;
+import org.elasticsearch.action.admin.cluster.repositories.put.PutRepositoryAction;
 import org.elasticsearch.action.admin.cluster.reroute.ClusterRerouteAction;
 import org.elasticsearch.action.admin.cluster.settings.ClusterUpdateSettingsAction;
+import org.elasticsearch.action.admin.cluster.snapshots.create.CreateSnapshotAction;
+import org.elasticsearch.action.admin.cluster.snapshots.get.GetSnapshotsAction;
+import org.elasticsearch.action.admin.cluster.snapshots.status.SnapshotsStatusAction;
 import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
 import org.elasticsearch.action.admin.cluster.stats.ClusterStatsAction;
 import org.elasticsearch.action.admin.indices.create.CreateIndexAction;
@@ -173,9 +178,54 @@ public void testIsReserved() {
         assertThat(ReservedRolesStore.isReserved(APMSystemUser.ROLE_NAME), is(true));
         assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.COLLECTION_ROLE_NAME), is(true));
         assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.INDEXING_ROLE_NAME), is(true));
+        assertThat(ReservedRolesStore.isReserved("snapshot_user"), is(true));
         assertThat(ReservedRolesStore.isReserved("code_admin"), is(true));
         assertThat(ReservedRolesStore.isReserved("code_user"), is(true));
+    }
+
+    public void testSnapshotUserRole() {
+        final TransportRequest request = mock(TransportRequest.class);
+
+        RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("snapshot_user");
+        assertNotNull(roleDescriptor);
+        assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
+
+        Role snapshotUserRole = Role.builder(roleDescriptor, null).build();
+        assertThat(snapshotUserRole.cluster().check(GetRepositoriesAction.NAME, request), is(true));
+        assertThat(snapshotUserRole.cluster().check(CreateSnapshotAction.NAME, request), is(true));
+        assertThat(snapshotUserRole.cluster().check(SnapshotsStatusAction.NAME, request), is(true));
+        assertThat(snapshotUserRole.cluster().check(GetSnapshotsAction.NAME, request), is(true));
+
+        assertThat(snapshotUserRole.cluster().check(PutRepositoryAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(GetIndexTemplatesAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(DeleteIndexTemplateAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(PutPipelineAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(GetPipelineAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(DeletePipelineAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(ClusterRerouteAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(ClusterUpdateSettingsAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(MonitoringBulkAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(GetWatchAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(PutWatchAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(DeleteWatchAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(ExecuteWatchAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(AckWatchAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(ActivateWatchAction.NAME, request), is(false));
+        assertThat(snapshotUserRole.cluster().check(WatcherServiceAction.NAME, request), is(false));
+
+        assertThat(snapshotUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(randomAlphaOfLengthBetween(8, 24)), is(false));
+        assertThat(snapshotUserRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)), is(false));
+        assertThat(snapshotUserRole.indices().allowedIndicesMatcher(GetAction.NAME).test(randomAlphaOfLengthBetween(8, 24)), is(false));
+        assertThat(snapshotUserRole.indices().allowedIndicesMatcher(GetAction.NAME).test(randomAlphaOfLengthBetween(8, 24)), is(false));
+
+        assertThat(snapshotUserRole.indices().allowedIndicesMatcher(GetIndexAction.NAME)
+                .test(randomAlphaOfLengthBetween(8, 24)), is(true));
+        assertThat(snapshotUserRole.indices().allowedIndicesMatcher(GetIndexAction.NAME)
+                .test(RestrictedIndicesNames.INTERNAL_SECURITY_INDEX), is(true));
+        assertThat(snapshotUserRole.indices().allowedIndicesMatcher(GetIndexAction.NAME)
+                .test(RestrictedIndicesNames.SECURITY_INDEX_NAME), is(true));
 
+        assertNoAccessAllowed(snapshotUserRole, RestrictedIndicesNames.NAMES_SET);
     }
 
     public void testIngestAdminRole() {

x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java

@@ -32,12 +32,15 @@ public class ClusterPrivilegeTests extends AbstractPrivilegeTestCase {
                     "role_c:\n" +
                     "  indices:\n" +
                     "    - names: 'someindex'\n" +
-                    "      privileges: [ all ]\n";
+                    "      privileges: [ all ]\n" +
+                    "role_d:\n" +
+                    "  cluster: [ create_snapshot ]\n";
 
     private static final String USERS_ROLES =
                     "role_a:user_a\n" +
                     "role_b:user_b\n" +
-                    "role_c:user_c\n";
+                    "role_c:user_c\n" +
+                    "role_d:user_d\n";
 
     private static Path repositoryLocation;
 
@@ -75,8 +78,8 @@ protected String configUsers() {
         return super.configUsers() +
             "user_a:" + usersPasswdHashed + "\n" +
             "user_b:" + usersPasswdHashed + "\n" +
-            "user_c:" + usersPasswdHashed + "\n";
-
+            "user_c:" + usersPasswdHashed + "\n" +
+            "user_d:" + usersPasswdHashed + "\n";
     }
 
     @Override
@@ -122,20 +125,34 @@ public void testThatClusterPrivilegesWorkAsExpectedViaHttp() throws Exception {
         assertAccessIsDenied("user_c", "GET", "/_nodes/infos");
         assertAccessIsDenied("user_c", "POST", "/_cluster/reroute");
         assertAccessIsDenied("user_c", "PUT", "/_cluster/settings", "{ \"transient\" : { \"search.default_search_timeout\": \"1m\" } }");
+
+        // user_d can view repos and create and view snapshots on existings repos, everything else is DENIED
+        assertAccessIsDenied("user_d", "GET", "/_cluster/state");
+        assertAccessIsDenied("user_d", "GET", "/_cluster/health");
+        assertAccessIsDenied("user_d", "GET", "/_cluster/settings");
+        assertAccessIsDenied("user_d", "GET", "/_cluster/stats");
+        assertAccessIsDenied("user_d", "GET", "/_cluster/pending_tasks");
+        assertAccessIsDenied("user_d", "GET", "/_nodes/stats");
+        assertAccessIsDenied("user_d", "GET", "/_nodes/hot_threads");
+        assertAccessIsDenied("user_d", "GET", "/_nodes/infos");
+        assertAccessIsDenied("user_d", "POST", "/_cluster/reroute");
+        assertAccessIsDenied("user_d", "PUT", "/_cluster/settings", "{ \"transient\" : { \"search.default_search_timeout\": \"1m\" } }");
     }
 
     public void testThatSnapshotAndRestore() throws Exception {
         String repoJson = Strings.toString(jsonBuilder().startObject().field("type", "fs").startObject("settings").field("location",
                 repositoryLocation.toString()).endObject().endObject());
         assertAccessIsDenied("user_b", "PUT", "/_snapshot/my-repo", repoJson);
         assertAccessIsDenied("user_c", "PUT", "/_snapshot/my-repo", repoJson);
+        assertAccessIsDenied("user_d", "PUT", "/_snapshot/my-repo", repoJson);
         assertAccessIsAllowed("user_a", "PUT", "/_snapshot/my-repo", repoJson);
 
         Request createBar = new Request("PUT", "/someindex/bar/1");
         createBar.setJsonEntity("{ \"name\" : \"elasticsearch\" }");
         createBar.addParameter("refresh", "true");
         assertAccessIsDenied("user_a", createBar);
         assertAccessIsDenied("user_b", createBar);
+        assertAccessIsDenied("user_d", createBar);
         assertAccessIsAllowed("user_c", createBar);
 
         assertAccessIsDenied("user_b", "PUT", "/_snapshot/my-repo/my-snapshot", "{ \"indices\": \"someindex\" }");
@@ -145,30 +162,38 @@ public void testThatSnapshotAndRestore() throws Exception {
         assertAccessIsDenied("user_b", "GET", "/_snapshot/my-repo/my-snapshot/_status");
         assertAccessIsDenied("user_c", "GET", "/_snapshot/my-repo/my-snapshot/_status");
         assertAccessIsAllowed("user_a", "GET", "/_snapshot/my-repo/my-snapshot/_status");
+        assertAccessIsAllowed("user_d", "GET", "/_snapshot/my-repo/my-snapshot/_status");
 
         // This snapshot needs to be finished in order to be restored
         waitForSnapshotToFinish("my-repo", "my-snapshot");
+        // user_d can create snapshots, but not concurrently
+        assertAccessIsAllowed("user_d", "PUT", "/_snapshot/my-repo/my-snapshot-d", "{ \"indices\": \"someindex\" }");
 
         assertAccessIsDenied("user_a", "DELETE", "/someindex");
         assertAccessIsDenied("user_b", "DELETE", "/someindex");
+        assertAccessIsDenied("user_d", "DELETE", "/someindex");
         assertAccessIsAllowed("user_c", "DELETE", "/someindex");
 
         Request restoreSnapshotRequest = new Request("POST", "/_snapshot/my-repo/my-snapshot/_restore");
         restoreSnapshotRequest.addParameter("wait_for_completion", "true");
         assertAccessIsDenied("user_b", restoreSnapshotRequest);
         assertAccessIsDenied("user_c", restoreSnapshotRequest);
+        assertAccessIsDenied("user_d", restoreSnapshotRequest);
         assertAccessIsAllowed("user_a", restoreSnapshotRequest);
 
         assertAccessIsDenied("user_a", "GET", "/someindex/bar/1");
         assertAccessIsDenied("user_b", "GET", "/someindex/bar/1");
+        assertAccessIsDenied("user_d", "GET", "/someindex/bar/1");
         assertAccessIsAllowed("user_c", "GET", "/someindex/bar/1");
 
         assertAccessIsDenied("user_b", "DELETE", "/_snapshot/my-repo/my-snapshot");
         assertAccessIsDenied("user_c", "DELETE", "/_snapshot/my-repo/my-snapshot");
+        assertAccessIsDenied("user_d", "DELETE", "/_snapshot/my-repo/my-snapshot");
         assertAccessIsAllowed("user_a", "DELETE", "/_snapshot/my-repo/my-snapshot");
 
         assertAccessIsDenied("user_b", "DELETE", "/_snapshot/my-repo");
         assertAccessIsDenied("user_c", "DELETE", "/_snapshot/my-repo");
+        assertAccessIsDenied("user_d", "DELETE", "/_snapshot/my-repo");
         assertAccessIsAllowed("user_a", "DELETE", "/_snapshot/my-repo");
     }