Skip to content

Commit

Permalink
Allow built-in monitoring_user role to call GET _xpack API (elastic#3…
Browse files Browse the repository at this point in the history
…8060)

This PR adds the `monitor/xpack/info` cluster-level privilege to the built-in `monitoring_user` role.

This privilege is required for the Monitoring UI to call the `GET _xpack API` on the Monitoring Cluster. It needs to do this in order to determine the license of the Monitoring Cluster, which further determines whether Cluster Alerts are shown to the user or not.

Resolves elastic#37970.
  • Loading branch information
ycombinator committed Feb 1, 2019
1 parent 51791f9 commit 988748f
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
null, null,
MetadataUtils.DEFAULT_RESERVED_METADATA, null))
.put("monitoring_user", new RoleDescriptor("monitoring_user",
new String[] { "cluster:monitor/main" },
new String[] { "cluster:monitor/main", "cluster:monitor/xpack/info" },
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".monitoring-*").privileges("read", "read_cross_cluster").build()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.action.XPackInfoAction;
import org.elasticsearch.xpack.core.ml.MlMetaIndex;
import org.elasticsearch.xpack.core.ml.action.CloseJobAction;
import org.elasticsearch.xpack.core.ml.action.DeleteCalendarAction;
Expand Down Expand Up @@ -416,6 +417,7 @@ public void testMonitoringUserRole() {

Role monitoringUserRole = Role.builder(roleDescriptor, null).build();
assertThat(monitoringUserRole.cluster().check(MainAction.NAME, request), is(true));
assertThat(monitoringUserRole.cluster().check(XPackInfoAction.NAME, request), is(true));
assertThat(monitoringUserRole.cluster().check(ClusterHealthAction.NAME, request), is(false));
assertThat(monitoringUserRole.cluster().check(ClusterStateAction.NAME, request), is(false));
assertThat(monitoringUserRole.cluster().check(ClusterStatsAction.NAME, request), is(false));
Expand Down

0 comments on commit 988748f

Please sign in to comment.