Support builtin privileges in get privileges API #42134
Conversation
Adds "_cluster" and "_index" endpoints to the get privileges API so that builtin index and cluster privileges can be retrieved via the Rest API Resolves: elastic#29771
tvernum
added
>enhancement
>breaking
:Security/Authorization
|
Pinging @elastic/es-security |
|
A few notes on this:
I'm proposing this approach because I think it creates the correct API at a logical level (a single API for all privileges types, with the ability to filter the output to exactly what you want), even though it has some obvious warts. Then we can fix those warts (at some point in the future) with API versioning. I'm open to creating distinct APIs for builtin privileges, but I think that we would prefer to have it all in a single API. If I had done the design work more thoroughly the first time, then I think the direction would be obvious. |
jkakavas
left a comment
jkakavas
left a comment
There was a problem hiding this comment.
I'm perfectly fine with the approach given the constraints and lack of API versioning Tim. I took a first look, will you update this PR with docs and HLRC (so we should wait for review) or merge this and tackle the rest in a followup? If the latter, I'll take one more pass tomorrow, but it already looks good to me
| public final class GetPrivilegesRequest extends ActionRequest implements ApplicationPrivilegesRequest { | ||
|
|
||
| @Nullable | ||
| private String application; |
There was a problem hiding this comment.
Can we change this to scope in 8.0 ?
| @Override | ||
| public RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException { | ||
| final String application = request.param("application"); | ||
| final String scope = request.param("application"); |
There was a problem hiding this comment.
Can we change the parameter name to scope in 8.0.0 and add a small comment here to explain why we map application to a scope when backporting in 7.x ?
| // Application names cannot start with `_`, so we use this for built-in names | ||
| if ("_cluster".equals(scope)) { | ||
| requestBuilder.privilegeTypes(GetPrivilegesRequest.PrivilegeType.CLUSTER); | ||
| } else if ("_index".equals(scope)) { |
There was a problem hiding this comment.
suggestion: extract _cluster , _index , _application to class vars ?
|
Thanks @jkakavas I'll wait for feedback from @albertzaharovits and then add add HLRC + docs if he's happy to move forward. |
|
@elasticmachine update branch (I get Eclipse proj setup failures) |
| } | ||
|
|
||
| public Set<PrivilegeType> privilegeTypes() { | ||
| return Collections.unmodifiableSet(this.includedTypes); |
There was a problem hiding this comment.
nit: make the field immutable (do this wrapping in readFrom)
|
I am not very much a fan of this. In all such cases (names on the top level namespace) I would prefer to just deprecate the API and create a new one. I don't like it because the client has to account for "special" application names, with different parsing rules; just think of how you'd parse this in HLRC. However, I think we have a better option here: Given that the current API is consistent with I think these rather extensive format changes are not worth it just for returning some constants, however convincing your writeup is. |
|
OK, let's take a step back and ask what API we would want if we weren't constrained by the existing API. I think @albertzaharovits is correct in that, actually there's no real use case (or at least no currently identified use case) for retrieving all defined privileges (builtin & application). Kibana's Security Management UI wants to know about builtin privileges, and Applications will want to know about their own privileges, but I would question the use-case of anyone who actually wants to get all the builtin privileges and all the application privileges. There might be a reason for that, but I don't know what it is. To my thinking, that means that we would want an endpoint design that:
So, that would be (roughly):
And then we could add
But what we have is:
As a path forward, I'd prefer @albertzaharovits's alternative option of
As it keeps everything under a single namespace and is a reasonable approximation of what I think we ought to have done from the start. |
|
@elasticmachine run elasticsearch-ci/bwc |
|
I've updated this PR based on my most recent proposal. It also includes Docs & HLRC changes. |
albertzaharovits
left a comment
albertzaharovits
left a comment
There was a problem hiding this comment.
This is looking very polished! I have only one objection, which is that the privilege for the new API is to high at manage_security and I would suggest monitor (in the same basket with _ssl/certificates)
The changes entailed by this are small so I'll LGTM it now 👍
| ==== Authorization | ||
|
|
||
| To use this API, you must have - the `manage_security` cluster privilege | ||
| (or a greater privilege such as `all`) |
There was a problem hiding this comment.
I think the monitor privilege would be more suitable, what do you think?
| import java.util.Objects; | ||
|
|
||
| /** | ||
| * Response containing one or more application privileges retrieved from the security index |
There was a problem hiding this comment.
s/one or more application privileges retrieved from the security index/built-in (cluster/index) privileges
| new String[] { | ||
| "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token", "manage_oidc" | ||
| "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token", "manage_oidc", | ||
| GetBuiltinPrivilegesAction.NAME |
There was a problem hiding this comment.
If GetBuiltinPrivilegesAction collates under monitor, don't forget to update this.
| import java.util.TreeSet; | ||
|
|
||
| /** | ||
| * Transport action to retrieve one or more application privileges from the security index |
There was a problem hiding this comment.
built-in cluster/indices privileges
| import static org.elasticsearch.rest.RestRequest.Method.GET; | ||
|
|
||
| /** | ||
| * Rest action to retrieve an application privilege from the security index |
There was a problem hiding this comment.
built-in cluster/index privileges
I had the same thought, but my plan was to raise a separate PR for a read-only security privilege instead. |
@tvernum No preference. |
|
@jkakavas Do you want to review this? I'd like to get it into 7.3 if I can. |
|
Apologies, I got lost in my backlog. I'm happy with this being merged with the explanation in #42134 (comment) and @albertzaharovits review |
|
@elasticmachine update branch |
Adds a new "/_security/privilege/_builtin" endpoint so that builtin index and cluster privileges can be retrieved via the Rest API Backport of: elastic#42134
Adds a new "/_security/privilege/_builtin" endpoint so that builtin index and cluster privileges can be retrieved via the Rest API Backport of: #42134
5 participants
Adds "_cluster" and "_index" endpoints to the get privileges API so
that builtin index and cluster privileges can be retrieved via the
Rest API
Resolves: #29771