Extra kibana_system privileges for Fleet transform upgrades #91499

Merged
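--- /dev/null
+++ b/docs/changelog/91499.yaml
@@ -0,0 +1,5 @@
+pr: 91499
+summary: Extra `kibana_system` privileges for Fleet transform upgrades
+area: Authorization
+type: enhancement
+issues: []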
Expand Up @@ -811,12 +811,20 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
".metrics-endpoint.metadata_current_default",
".metrics-endpoint.metadata_united_default"
)
.privileges("create_index", "delete_index", "read", "index")
.privileges("create_index", "delete_index", "read", "index", IndicesAliasesAction.NAME, UpdateSettingsAction.NAME)
.build(),
// For src/dest indices of the example transform package
RoleDescriptor.IndicesPrivileges.builder()
.indices("kibana_sample_data_*")
.privileges("create_index", "delete_index", "read", "index", "view_index_metadata")
.privileges(
"create_index",
"delete_index",
"read",
"index",
"view_index_metadata",
IndicesAliasesAction.NAME,
UpdateSettingsAction.NAME
)
.build(),
// For src/dest indices of the Cloud Security Posture packages that ships a transform
RoleDescriptor.IndicesPrivileges.builder()
Expand All @@ -825,7 +833,7 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
.build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices("logs-cloud_security_posture.findings_latest-default", "logs-cloud_security_posture.scores-default")
.privileges("create_index", "read", "index", "delete")
.privileges("create_index", "read", "index", "delete", IndicesAliasesAction.NAME, UpdateSettingsAction.NAME)
.build() },
null,
new ConfigurableClusterPrivilege[] {
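Review bot: The new `IndicesAliasesAction.NAME` and `UpdateSettingsAction.NAME` grants on `.metrics-endpoint.metadata_*`, `kibana_sample_data_*` and the two `logs-cloud_security_posture.*` indices are not explained by the surrounding comments, which still describe these builders only as "src/dest indices" of the respective packages; the PR title suggests they exist for Fleet transform upgrades, so that intent should sit next to the grant. Using the raw action names rather than `manage` keeps the grant narrow and is worth stating, since `manage` would also have covered close, open and rollover; I would add above each of the three widened `.privileges(...)` calls: `// alias swap and settings update are required when Fleet upgrades the package's transform; granted as individual actions rather than "manage" to keep the scope narrow — TODO confirm with Fleet`. Be aware that `UpdateSettingsAction` lets `kibana_system` change any dynamic setting on the matched indices (e.g. `index.blocks.*`), not only the ones the upgrade touches. The first Cloud Security Posture builder at the `Expand All` boundary is cut off, so I cannot tell whether its `.privileges(...)` needs the same two actions; confirm it does not cover the transform's source or destination index. The enclosing `kibanaSystemRoleDescriptor` method and the first builder's `.indices(...)` list start outside the hunk.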
Expand Up @@ -993,12 +993,15 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(BulkAction.NAME).test(indexAbstraction), is(true));
// Allow create and delete index
// Allow create and delete index, modifying aliases, and updating index settings
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateDataStreamAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteDataStreamAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAliasesAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndicesAliasesAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));

// Implied by the overall view_index_metadata and monitor privilege
assertViewIndexMetadata(kibanaRole, indexName);
Expand All @@ -1013,9 +1016,8 @@ public void testKibanaSystemRole() {
is(indexAbstraction.getType() != IndexAbstraction.Type.DATA_STREAM)
);

// Deny deleting documents and modifying the index settings
// Deny deleting documents and rollover
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(indexAbstraction), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(false));
});

Expand Down Expand Up @@ -1073,10 +1075,13 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(BulkAction.NAME).test(indexAbstraction), is(true));
// Allow create and delete index
// Allow create and delete index, modifying aliases, and updating index settings
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateDataStreamAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAliasesAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndicesAliasesAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));

// Implied by the overall view_index_metadata and monitor privilege
assertViewIndexMetadata(kibanaRole, indexName);
Expand Down Expand Up @@ -1121,9 +1126,12 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(BulkAction.NAME).test(indexAbstraction), is(true));
// Allow create and delete index
// Allow create and delete index, modifying aliases, and updating index settings
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAliasesAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndicesAliasesAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));

// Implied by the overall view_index_metadata and monitor privilege
assertViewIndexMetadata(kibanaRole, indexName);
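Review bot: The added assertions in all three hunks only pin the positive side of the widening; nothing visible checks that `IndicesAliasesAction` and `UpdateSettingsAction` remain denied on an index outside the patterns extended in the role, so a later over-broad pattern (say a stray `logs-*`) would not be caught here. I would add, next to the existing denial block in each section, a negative check that builds an `IndexAbstraction` for a non-matching name (for example `logs-foo-default`, using whatever helper this test file already uses for that) and asserts `kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(...)` is `false`, and likewise for `IndicesAliasesAction.NAME`. The first section keeps its `RolloverAction` denial under `// Deny deleting documents and rollover`, but the second and third sections end outside their hunks, so I cannot see whether they assert any rollover or settings-update boundary at all — confirm they do. `testKibanaSystemRole` starts and continues outside every hunk shown.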