Fix verbose get data stream API not requiring extra privileges #112973
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When a user uses the `GET /_data_stream?verbose` API to retrieve the verbose version of the response (which includes the `maximum_timestamp`, as added in elastic#112303), the response object should be performed with the same privilege-checking as the get-data-stream API, meaning that no extra priveleges should be required return the field. This commit makes the Transport action use an entitled client so that extra privileges are not required, and adds a test to ensure that it works.
dakrone
added
>bug
:Data Management/Data streams
|
Pinging @elastic/es-data-management (Team:Data Management) |
elasticsearchmachine
added
the
Team:Data Management
|
Hi @dakrone, I've created a changelog YAML for you. |
masseyke
reviewed
Sep 17, 2024
| @@ -90,7 +91,7 @@ public TransportGetDataStreamsAction( | |||
| this.systemIndices = systemIndices; | |||
| this.globalRetentionSettings = globalRetentionSettings; | |||
| clusterSettings = clusterService.getClusterSettings(); | |||
| this.client = client; | |||
| this.client = new OriginSettingClient(client, "stack"); | |||
There was a problem hiding this comment.
For anyone confused in the future like I was, "stack" is the value of ClientHelper.STACK_ORIGIN, which is in x-pack so can't be pulled in here. This gets used in org.elasticsearch.xpack.security.authz.AuthorizationUtils.switchUserBasedOnActionOriginAndExecute().
dakrone
added a commit
to dakrone/elasticsearch
that referenced
this pull request
Sep 17, 2024
…ic#112973) * Fix verbose get data stream API not requiring extra privileges When a user uses the `GET /_data_stream?verbose` API to retrieve the verbose version of the response (which includes the `maximum_timestamp`, as added in elastic#112303), the response object should be performed with the same privilege-checking as the get-data-stream API, meaning that no extra priveleges should be required return the field. This commit makes the Transport action use an entitled client so that extra privileges are not required, and adds a test to ensure that it works. * Update docs/changelog/112973.yaml
💚 Backport successful
|
elasticsearchmachine
pushed a commit
that referenced
this pull request
Sep 17, 2024
…) (#113035) * Fix verbose get data stream API not requiring extra privileges When a user uses the `GET /_data_stream?verbose` API to retrieve the verbose version of the response (which includes the `maximum_timestamp`, as added in #112303), the response object should be performed with the same privilege-checking as the get-data-stream API, meaning that no extra priveleges should be required return the field. This commit makes the Transport action use an entitled client so that extra privileges are not required, and adds a test to ensure that it works. * Update docs/changelog/112973.yaml Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
javanna
pushed a commit
to javanna/elasticsearch
that referenced
this pull request
Sep 18, 2024
…ic#112973) * Fix verbose get data stream API not requiring extra privileges When a user uses the `GET /_data_stream?verbose` API to retrieve the verbose version of the response (which includes the `maximum_timestamp`, as added in elastic#112303), the response object should be performed with the same privilege-checking as the get-data-stream API, meaning that no extra priveleges should be required return the field. This commit makes the Transport action use an entitled client so that extra privileges are not required, and adds a test to ensure that it works. * Update docs/changelog/112973.yaml
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When a user uses the
GET /_data_stream?verboseAPI to retrieve the verbose version of the response (which includes themaximum_timestamp, as added in #112303), the response object should be performed with the same privilege-checking as the get-data-stream API, meaning that no extra priveleges should be required return the field.This commit makes the Transport action use an entitled client so that extra privileges are not required, and adds a test to ensure that it works.