Skip to content

Commit 2811b97

Browse files
tvernumtvernum
authored
Remove reserved roles for code search (#50115)
The "code_user" and "code_admin" reserved roles existed to support code search which is no longer included in Kibana. The "kibana_system" role included privileges to read/write from the code search indices, but no longer needs that access. Backport of: #50068
1 parent e287427 commit 2811b97

File tree

3 files changed

+4
-73
lines changed

3 files changed

+4
-73
lines changed

client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -693,8 +693,8 @@ public void testGetRoles() throws Exception {
693693

694694
List<Role> roles = response.getRoles();
695695
assertNotNull(response);
696-
// 29 system roles plus the three we created
697-
assertThat(roles.size(), equalTo(33));
696+
// 28 system roles plus the three we created
697+
assertThat(roles.size(), equalTo(28 + 3));
698698
}
699699

700700
{

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

Lines changed: 0 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -122,9 +122,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
122122
.indices(".monitoring-*").privileges("read", "read_cross_cluster").build(),
123123
RoleDescriptor.IndicesPrivileges.builder()
124124
.indices(".management-beats").privileges("create_index", "read", "write").build(),
125-
// .code_internal-* is for Code's internal worker queue index creation.
126-
RoleDescriptor.IndicesPrivileges.builder()
127-
.indices(".code-*", ".code_internal-*").privileges("all").build(),
128125
// .apm-* is for APM's agent configuration index creation
129126
RoleDescriptor.IndicesPrivileges.builder()
130127
.indices(".apm-agent-configuration").privileges("all").build(),
@@ -253,16 +250,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
253250
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
254251
.put("rollup_admin", new RoleDescriptor("rollup_admin", new String[] { "manage_rollup" },
255252
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
256-
.put("code_admin", new RoleDescriptor("code_admin", new String[] {},
257-
new RoleDescriptor.IndicesPrivileges[] {
258-
RoleDescriptor.IndicesPrivileges.builder()
259-
.indices(".code-*").privileges("all").build()
260-
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
261-
.put("code_user", new RoleDescriptor("code_user", new String[] {},
262-
new RoleDescriptor.IndicesPrivileges[] {
263-
RoleDescriptor.IndicesPrivileges.builder()
264-
.indices(".code-*").privileges("read").build()
265-
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
266253
.put("snapshot_user", new RoleDescriptor("snapshot_user", new String[] { "create_snapshot", GetRepositoriesAction.NAME },
267254
new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder()
268255
.indices("*")

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

Lines changed: 2 additions & 58 deletions
Original file line numberDiff line numberDiff line change
@@ -200,8 +200,8 @@ public void testIsReserved() {
200200
assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.COLLECTION_ROLE_NAME), is(true));
201201
assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.INDEXING_ROLE_NAME), is(true));
202202
assertThat(ReservedRolesStore.isReserved("snapshot_user"), is(true));
203-
assertThat(ReservedRolesStore.isReserved("code_admin"), is(true));
204-
assertThat(ReservedRolesStore.isReserved("code_user"), is(true));
203+
assertThat(ReservedRolesStore.isReserved("code_admin"), is(false));
204+
assertThat(ReservedRolesStore.isReserved("code_user"), is(false));
205205
}
206206

207207
public void testSnapshotUserRole() {
@@ -1383,60 +1383,4 @@ public void testLogstashAdminRole() {
13831383
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
13841384
assertThat(logstashAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
13851385
}
1386-
1387-
public void testCodeAdminRole() {
1388-
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_admin");
1389-
assertNotNull(roleDescriptor);
1390-
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
1391-
1392-
Role codeAdminRole = Role.builder(roleDescriptor, null).build();
1393-
1394-
assertThat(codeAdminRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class),
1395-
mock(Authentication.class)), is(false));
1396-
1397-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false));
1398-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
1399-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".code-"), is(true));
1400-
assertThat(codeAdminRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
1401-
is(false));
1402-
1403-
final String index = ".code-" + randomIntBetween(0, 5);
1404-
1405-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
1406-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
1407-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
1408-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
1409-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
1410-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
1411-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
1412-
assertThat(codeAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
1413-
}
1414-
1415-
public void testCodeUserRole() {
1416-
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_user");
1417-
assertNotNull(roleDescriptor);
1418-
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
1419-
1420-
Role codeUserRole = Role.builder(roleDescriptor, null).build();
1421-
1422-
assertThat(codeUserRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class),
1423-
mock(Authentication.class)), is(false));
1424-
1425-
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test("foo"), is(false));
1426-
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".reporting"), is(false));
1427-
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".code-"), is(true));
1428-
assertThat(codeUserRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
1429-
is(false));
1430-
1431-
final String index = ".code-" + randomIntBetween(0, 5);
1432-
1433-
assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));
1434-
assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
1435-
assertThat(codeUserRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false));
1436-
assertThat(codeUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(false));
1437-
assertThat(codeUserRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
1438-
assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
1439-
assertThat(codeUserRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
1440-
assertThat(codeUserRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
1441-
}
14421386
}

0 commit comments

Comments
 (0)