TSDB: Test create_doc permission #86638

Merged
merged 2 commits into from
May 11, 2022
Expand Up @@ -198,3 +198,237 @@ document level security on tsid is not possible:
tsids:
terms:
field: _tsid

---
create_doc permission can create:
- skip:
version: " - 8.0.99"
reason: _tsid support introduced in 8.1.0
features: headers

- do:
security.put_role:
name: "createonly"
body: >
{
"indices": [
{
"names": ["*"],
"privileges": ["create_doc"]
}
]
}

- do:
security.put_user:
username: "limited"
body: >
{
"password" : "x-pack-test-password",
"roles" : [ "createonly" ],
"full_name" : "user who can only create docs"
}

- do:
headers: { Authorization: "Basic bGltaXRlZDp4LXBhY2stdGVzdC1wYXNzd29yZA==" } # limited - user
bulk:
refresh: true
index: test
body:
- '{"create": {}}'
- '{"@timestamp": "2021-04-28T22:50:04.467Z", "metricset": "pod", "k8s": {"pod": {"name": "cat", "uid":"947e4ced-1786-4e53-9e0c-5c447e959507", "ip": "10.10.55.1", "network": {"tx": 2001818691, "rx": 802133794}}}}'
- match: { items.0.create._version: 1 }

- do:
headers: { Authorization: "Basic bGltaXRlZDp4LXBhY2stdGVzdC1wYXNzd29yZA==" } # limited - user
index:
refresh: true
index: test
body:
"@timestamp": "2021-04-28T23:51:03.142Z"
metricset: pod
k8s:
pod:
name: dog
uid: df3145b3-0563-4d3b-a0f7-897eb2876ea9
ip: 10.10.55.3
network:
tx: 111434595272
rx: 430605511
- match: { _version: 1 }

---
create_doc permission can't overwrite:
- skip:
version: " - 8.0.99"
reason: _tsid support introduced in 8.1.0
features: headers

- do:
security.put_role:
name: "createonly"
body: >
{
"indices": [
{
"names": ["*"],
"privileges": ["create_doc"]
}
]
}

- do:
security.put_user:
username: "limited"
body: >
{
"password" : "x-pack-test-password",
"roles" : [ "createonly" ],
"full_name" : "user who can only create docs"
}

- do:
headers: { Authorization: "Basic bGltaXRlZDp4LXBhY2stdGVzdC1wYXNzd29yZA==" } # limited - user
bulk:
refresh: true
index: test
body:
- '{"index": {}}'
- '{"@timestamp": "2021-04-28T18:50:04.467Z", "metricset": "pod", "k8s": {"pod": {"name": "cat", "uid":"947e4ced-1786-4e53-9e0c-5c447e959507", "ip": "10.10.55.1", "network": {"tx": 2001818691, "rx": 802133794}}}}'
- match: { items.0.index.error.reason: "/is\\ unauthorized\\ for\\ user\\ \\[limited\\]/" }

- do:
headers: { Authorization: "Basic bGltaXRlZDp4LXBhY2stdGVzdC1wYXNzd29yZA==" } # limited - user
catch: "/is\ unauthorized\ for\ user\ \\[limited\\]/"
index:
refresh: true
index: test
op_type: index
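Review bot: the `catch` pattern in the second `do` of "create_doc permission can't overwrite" escapes spaces as `\ `, while the `match` on `items.0.index.error.reason` in the preceding bulk step uses `\\ `. Inside a double-quoted YAML scalar `\ ` decodes to a plain space and `\\ ` decodes to a backslash followed by a space, so the two regexes differ once parsed even though they are meant to match the same "is unauthorized for user [limited]" message. Use the same escaping in both places, or single-quote the patterns, so that the regex reaching the matcher is the one written in the file.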
Contributor

I'm curious what happens without this?
I assume that AutoIdHandler will set the op_type to create and then TSDB will reject the request because a document with the (auto generated) id already exists.

Is that the intended semantics of the {ts-index}/_doc endpoint - if there's a possibility that there might be an existing doc for the same tsid, then you need to set the op_type or be prepared to handle a failure?

Member

I think the AutoIdHandler will only set the op_type to create if no op_type has been specified. So it will overwrite a document?

Member Author

Yeah. It's a bit weird to me, but that's what happens. Without this you get create and overwrites stop in their tracks. I think it's a good thing that this isn't index dependent, but it is weird. And for _bulk we don't see it because folks say create or index. It's a quirk that'll have to be documented for tsdb.

body:
"@timestamp": "2021-04-28T18:51:03.142Z"
metricset: pod
k8s:
pod:
name: dog
uid: df3145b3-0563-4d3b-a0f7-897eb2876ea9
ip: 10.10.55.3
network:
tx: 111434595272
rx: 430605511

---
index permission can create:
- skip:
version: " - 8.0.99"
reason: _tsid support introduced in 8.1.0
features: headers

- do:
security.put_role:
name: "indexonly"
body: >
{
"indices": [
{
"names": ["*"],
"privileges": ["index"]
}
]
}

- do:
security.put_user:
username: "limited"
body: >
{
"password" : "x-pack-test-password",
"roles" : [ "indexonly" ],
"full_name" : "user who can only index docs"
}

- do:
headers: { Authorization: "Basic bGltaXRlZDp4LXBhY2stdGVzdC1wYXNzd29yZA==" } # limited - user
bulk:
refresh: true
index: test
body:
- '{"create": {}}'
- '{"@timestamp": "2021-04-28T22:50:04.467Z", "metricset": "pod", "k8s": {"pod": {"name": "cat", "uid":"947e4ced-1786-4e53-9e0c-5c447e959507", "ip": "10.10.55.1", "network": {"tx": 2001818691, "rx": 802133794}}}}'
- match: { items.0.create._version: 1 }

- do:
headers: { Authorization: "Basic bGltaXRlZDp4LXBhY2stdGVzdC1wYXNzd29yZA==" } # limited - user
index:
refresh: true
index: test
body:
"@timestamp": "2021-04-28T23:51:03.142Z"
metricset: pod
k8s:
pod:
name: dog
uid: df3145b3-0563-4d3b-a0f7-897eb2876ea9
ip: 10.10.55.3
network:
tx: 111434595272
rx: 430605511
- match: { _version: 1 }

---
index permission can overwrite:
- skip:
version: " - 8.0.99"
reason: _tsid support introduced in 8.1.0
features: headers

- do:
security.put_role:
name: "indexonly"
body: >
{
"indices": [
{
"names": ["*"],
"privileges": ["index"]
}
]
}

- do:
security.put_user:
username: "limited"
body: >
{
"password" : "x-pack-test-password",
"roles" : [ "indexonly" ],
"full_name" : "user who can only index docs"
}

- do:
headers: { Authorization: "Basic bGltaXRlZDp4LXBhY2stdGVzdC1wYXNzd29yZA==" } # limited - user
bulk:
refresh: true
index: test
body:
- '{"index": {}}'
- '{"@timestamp": "2021-04-28T18:50:04.467Z", "metricset": "pod", "k8s": {"pod": {"name": "cat", "uid":"947e4ced-1786-4e53-9e0c-5c447e959507", "ip": "10.10.55.1", "network": {"tx": 2001818691, "rx": 802133794}}}}'
- match: { items.0.index._version: 2 }

- do:
headers: { Authorization: "Basic bGltaXRlZDp4LXBhY2stdGVzdC1wYXNzd29yZA==" } # limited - user
index:
refresh: true
index: test
op_type: index
body:
"@timestamp": "2021-04-28T18:51:03.142Z"
metricset: pod
k8s:
pod:
name: dog
uid: df3145b3-0563-4d3b-a0f7-897eb2876ea9
ip: 10.10.55.3
network:
tx: 111434595272
rx: 430605511
- match: { _version: 2 }
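Review bot: the `indexonly` role in both tests here (like `createonly` in the two tests above) grants its privilege on `"names": ["*"]` although every request uses `index: test`; scoping the role to `["test"]` keeps the fixture least-privilege and ties the assertions to the index under test. The same username `limited` and the same hard-coded Basic header are also reused for both roles, so which privileges that header carries depends on the `put_user` call that ran last. Distinct usernames per role, defined once in a shared setup section, would remove the four repeated `put_role`/`put_user` pairs and make each request's identity unambiguous.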