Fix unable to create roles under Stack Management (#156381)

Resolves #156249 --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
elastic · May 2, 2023 · de0498d · de0498d
1 parent 296b05a
commit de0498d
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 11 deletions.
diff --git a/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts b/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts
@@ -389,6 +389,49 @@ describe('Put payload schema', () => {
  }
  `);
  });
+
+ test('passes through remote_indices when specified', () => {
+ expect(
+ getPutPayloadSchema(() => basePrivilegeNamesMap).validate({
+ elasticsearch: {
+ remote_indices: [
+ {
+ clusters: ['remote_cluster'],
+ names: ['remote_index'],
+ privileges: ['all'],
+ },
+ ],
+ },
+ })
+ ).toMatchInlineSnapshot(`
+ Object {
+ "elasticsearch": Object {
+ "remote_indices": Array [
+ Object {
+ "clusters": Array [
+ "remote_cluster",
+ ],
+ "names": Array [
+ "remote_index",
+ ],
+ "privileges": Array [
+ "all",
+ ],
+ },
+ ],
+ },
+ }
+ `);
+ });
+
+ // This is important for backwards compatibility
+ test('does not set default value for remote_indices when not specified', () => {
+ expect(getPutPayloadSchema(() => basePrivilegeNamesMap).validate({})).toMatchInlineSnapshot(`
+ Object {
+ "elasticsearch": Object {},
+ }
+ `);
+ });
 });
 
 describe('validateKibanaPrivileges', () => {

diff --git a/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts b/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts
@@ -37,7 +37,7 @@ export const transformPutPayloadToElasticsearchRole = (
  metadata: rolePayload.metadata,
  cluster: elasticsearch.cluster || [],
  indices: elasticsearch.indices || [],
- remote_indices: elasticsearch.remote_indices || [],
+ remote_indices: elasticsearch.remote_indices,
  run_as: elasticsearch.run_as || [],
  applications: [
  ...transformPrivilegesToElasticsearchPrivileges(application, kibana),

diff --git a/x-pack/plugins/security/server/routes/authorization/roles/put.test.ts b/x-pack/plugins/security/server/routes/authorization/roles/put.test.ts
@@ -325,7 +325,7 @@ describe('PUT role', () => {
  body: {
  cluster: [],
  indices: [],
- remote_indices: [],
+ remote_indices: undefined,
  run_as: [],
  applications: [],
  },
@@ -359,7 +359,7 @@ describe('PUT role', () => {
  body: {
  cluster: [],
  indices: [],
- remote_indices: [],
+ remote_indices: undefined,
  run_as: [],
  applications: [
  {
@@ -402,7 +402,7 @@ describe('PUT role', () => {
  body: {
  cluster: [],
  indices: [],
- remote_indices: [],
+ remote_indices: undefined,
  run_as: [],
  applications: [
  {
@@ -443,7 +443,7 @@ describe('PUT role', () => {
  body: {
  cluster: [],
  indices: [],
- remote_indices: [],
+ remote_indices: undefined,
  run_as: [],
  applications: [
  {
@@ -480,6 +480,18 @@ describe('PUT role', () => {
  query: `{ "match": { "title": "foo" } }`,
  },
  ],
+ remote_indices: [
+ {
+ field_security: {
+ grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+ except: ['test-field-security-except-1', 'test-field-security-except-2'],
+ },
+ clusters: ['test-cluster-name-1', 'test-cluster-name-2'],
+ names: ['test-index-name-1', 'test-index-name-2'],
+ privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
+ query: `{ "match": { "title": "foo" } }`,
+ },
+ ],
  run_as: ['test-run-as-1', 'test-run-as-2'],
  },
  kibana: [
@@ -539,7 +551,18 @@ describe('PUT role', () => {
  query: `{ "match": { "title": "foo" } }`,
  },
  ],
- remote_indices: [],
+ remote_indices: [
+ {
+ field_security: {
+ grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+ except: ['test-field-security-except-1', 'test-field-security-except-2'],
+ },
+ clusters: ['test-cluster-name-1', 'test-cluster-name-2'],
+ names: ['test-index-name-1', 'test-index-name-2'],
+ privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
+ query: `{ "match": { "title": "foo" } }`,
+ },
+ ],
  metadata: { foo: 'test-metadata' },
  run_as: ['test-run-as-1', 'test-run-as-2'],
  },
@@ -661,7 +684,7 @@ describe('PUT role', () => {
  query: `{ "match": { "title": "foo" } }`,
  },
  ],
- remote_indices: [],
+ remote_indices: undefined,
  metadata: { foo: 'test-metadata' },
  run_as: ['test-run-as-1', 'test-run-as-2'],
  },
@@ -765,7 +788,7 @@ describe('PUT role', () => {
  privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
  },
  ],
- remote_indices: [],
+ remote_indices: undefined,
  metadata: { foo: 'test-metadata' },
  run_as: ['test-run-as-1', 'test-run-as-2'],
  },
@@ -803,7 +826,7 @@ describe('PUT role', () => {
  body: {
  cluster: [],
  indices: [],
- remote_indices: [],
+ remote_indices: undefined,
  run_as: [],
  applications: [
  {
@@ -848,7 +871,7 @@ describe('PUT role', () => {
  body: {
  cluster: [],
  indices: [],
- remote_indices: [],
+ remote_indices: undefined,
  run_as: [],
  applications: [
  {
@@ -893,7 +916,7 @@ describe('PUT role', () => {
  body: {
  cluster: [],
  indices: [],
- remote_indices: [],
+ remote_indices: undefined,
  run_as: [],
  applications: [
  {