@albertzaharovits albertzaharovits commented Nov 22, 2018

EDITED 2:

This commit introduces the create_snapshot cluster privilege and the snapshot_user role.
This role is to be used by "cronable" tools that call the snapshot API periodically without recurring to the manage cluster privilege. The create_snapshot cluster privilege is much more limited compared to the manage privilege.

The snapshot_user role grants the privileges to view the metadata of all indices (including restricted ones, i.e. .security). It obviously grants the create snapshot privilege but the repository has to be created using another role. In addition, it grants the privileges to (only) GET repositories and snapshots, but not create and delete them.

The role does not allow to create repositories. This distinction is important because snapshotting equates to the read index privilege if the user has control of the snapshot destination, but this is not the case in this instance, because the role does not grant control over repository configuration.

EDITED:

This creates the create_snapshot role cluster privilege and the snapshot_user role.
This role is to be used by "cron-able" tools that call the snapshot API periodically without recurring to the manage role. The create_snapshot snapshot_user role has much more limited privileges compared to the manage role.

This role has the privilege to view the metadata of all indices (including restricted ones, i.e. .security). It can obviously create snapshots but the repository has to be created by another role. In addition it has the privileges to only GET repositories and snapshots.

The role does not allow to create repositories. This distinction is important because snapshotting equates to the read privilege if the user has control of the snapshot destination, but this is not the case because the role does grant control over repository configuration.

Note that this privilege does not allow to "list" indices and will not
improve the experience with "curator". After mulling it over, I think
listing indices is orthogonal to the snapshot operation. I think many
tools (scripts) would benefit from this role alone and granting only "list"
for indices will make up for a sub-optimal experience during searches
(seeing indices and getting denied when using them in get or search).
If the requirement is to support curator out of the box, I propose
we create a curator user in the reserved realm and grant him the
privileges to get its job done (including this role).

NB1 We don't have the code to grant listing the .security index even
if we wish so. This is pending discussion in the mailing list.

NB2 This PR is against a feature branch.

Relates #34454
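
The least-privilege argument in the description above, as an added example that is not code from this pull request: a small model of how a role's cluster privileges resolve to permitted actions, and why snapshot creation only amounts to read access when the same role can also set the repository. The action strings are Elasticsearch transport action names; the contents of each named privilege, the simplified `manage`, and the `backup_via_manage` role are assumptions made for the comparison.

```python
from fnmatch import fnmatchcase

# Elasticsearch transport action names for snapshot and repository operations.
CREATE_SNAPSHOT = "cluster:admin/snapshot/create"
GET_SNAPSHOTS = "cluster:admin/snapshot/get"
SNAPSHOT_STATUS = "cluster:admin/snapshot/status"
DELETE_SNAPSHOT = "cluster:admin/snapshot/delete"
RESTORE_SNAPSHOT = "cluster:admin/snapshot/restore"
GET_REPOSITORIES = "cluster:admin/repository/get"
PUT_REPOSITORY = "cluster:admin/repository/put"
DELETE_REPOSITORY = "cluster:admin/repository/delete"

# Assumption: which actions each named privilege covers. "manage" is
# simplified to every cluster action for the purpose of the comparison.
NAMED_PRIVILEGES = {
    "create_snapshot": [CREATE_SNAPSHOT, GET_SNAPSHOTS, SNAPSHOT_STATUS + "*"],
    "manage": ["cluster:*"],
}

# snapshot_user mirrors the role descriptor shown in this pull request: one
# named privilege plus one raw action name. "backup_via_manage" is hypothetical.
ROLES = {
    "snapshot_user": ["create_snapshot", GET_REPOSITORIES],
    "backup_via_manage": ["manage"],
}


def action_patterns(role):
    """Expand a role's entries into action patterns; raw names pass through."""
    patterns = []
    for entry in ROLES[role]:
        patterns.extend(NAMED_PRIVILEGES.get(entry, [entry]))
    return patterns


def permits(role, action):
    """True if any pattern of the role matches the action ('*' is a wildcard)."""
    return any(fnmatchcase(action, p) for p in action_patterns(role))


def snapshot_equals_read(role):
    """A role that can both snapshot and choose the destination can copy any
    index it snapshots to storage it controls, which amounts to read access."""
    return permits(role, CREATE_SNAPSHOT) and permits(role, PUT_REPOSITORY)


def denied_actions(role):
    """Sensitive snapshot/repository actions that the role cannot run."""
    sensitive = [PUT_REPOSITORY, DELETE_REPOSITORY, DELETE_SNAPSHOT, RESTORE_SNAPSHOT]
    return [a for a in sensitive if not permits(role, a)]
```
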

@albertzaharovits albertzaharovits added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Nov 22, 2018
@albertzaharovits albertzaharovits self-assigned this Nov 22, 2018
@elasticmachine
Collaborator

Pinging @elastic/es-security

Contributor

@tvernum tvernum left a comment

This really needs more tests.

  1. A unit test for the privilege, that it grants the right actions.
  2. I think we need to have a proper IntegTest too. We've been bitten so many times by core features not quite working with security, that we need a proper test of "can I snapshot if I have the create_snapshot" privilege.
    Hopefully that's just a matter of running the existing snapshot tests with a minimally-privileged role (just the filesystem based ones should be fine).

Contributor

I think "create_snapshot(s)" is clearer.
"snapshot" leaves open the question about whether you can restore/delete and if someone was auditing that a role did what they expected, they would need to check the docs to be sure what snapshot actually grants.

@albertzaharovits albertzaharovits changed the base branch from backup_security_index to master January 24, 2019 19:35
@albertzaharovits albertzaharovits changed the title Snapshot only role Create snapshot role Jan 24, 2019
@albertzaharovits
Contributor Author

@tvernum I have addressed your review comments. Thanks! The original PR was indeed subpar.

@albertzaharovits
Contributor Author

@tvernum @jaymode this is ready for another review round!

Contributor

@tvernum tvernum left a comment

+:100:

@albertzaharovits
Contributor Author

https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+pull-request-1/5989/console

REPRODUCE WITH: ./gradlew :client:rest-high-level:integTestRunner -Dtests.seed=69AA65BB89E3EDFD -Dtests.class=org.elasticsearch.client.documentation.SecurityDocumentationIT -Dtests.method="testGetRoles" -Dtests.security.manager=true -Dtests.locale=sr-RS -Dtests.timezone=Europe/Ulyanovsk -Dcompiler.java=11 -Druntime.java=8
14:21:33 1> [2019-01-25T16:21:16,334][INFO ][o.e.c.d.SecurityDocumentationIT] [testClearRealmCache] after test
14:21:33 1> [2019-01-25T16:21:16,342][INFO ][o.e.c.d.SecurityDocumentationIT] [testGetRoles] before test
14:21:33 1> [2019-01-25T16:21:16,903][INFO ][o.e.c.d.SecurityDocumentationIT] [testGetRoles] after test
14:21:33 FAILURE 0.58s | SecurityDocumentationIT.testGetRoles <<< FAILURES!
14:21:33 > Throwable #1: java.lang.AssertionError:
14:21:33 > Expected: <26>
14:21:33 2> NOTE: leaving temporary files on disk at: /var/lib/jenkins/workspace/elastic+elasticsearch+pull-request-1/client/rest-high-level/build/testrun/integTestRunner/J0/temp/org.elasticsearch.client.documentation.SecurityDocumentationIT_69AA65BB89E3EDFD-001
14:21:33 > but: was <27>
14:21:33 2> NOTE: test params are: codec=Asserting(Lucene80): {}, docValues:{}, maxPointsInLeafNode=908, maxMBSortInHeap=5.291601721504775, sim=Asserting(org.apache.lucene.search.similarities.AssertingSimilarity@320928fa), locale=sr-RS, timezone=Europe/Ulyanovsk
14:21:33 > at __randomizedtesting.SeedInfo.seed([69AA65BB89E3EDFD:D3095EF5512C97CC]:0)
14:21:33 2> NOTE: Linux 4.12.14-95.3-default amd64/Oracle Corporation 1.8.0_202 (64-bit)/cpus=16,threads=1,free=369214920,total=514850816
14:21:33 > at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
14:21:33 > at org.elasticsearch.client.documentation.SecurityDocumentationIT.testGetRoles(SecurityDocumentationIT.java:642)
14:21:33 > at java.lang.Thread.run(Thread.java:748)

@elasticmachine run elasticsearch-ci/1

Member

@jaymode jaymode left a comment

LGTM

RoleDescriptor.IndicesPrivileges.builder()
.indices(".code-*").privileges("read").build()
}, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
.put("snapshot_user", new RoleDescriptor("snapshot_user", new String[] { "create_snapshot", GetRepositoriesAction.NAME },
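
Review bot: in the `snapshot_user` descriptor the cluster privilege array mixes a named privilege (`"create_snapshot"`) with a raw action name (`GetRepositoriesAction.NAME`), so someone auditing the role cannot tell from the privilege name alone that repository reads are included. Suggest a one-line comment above the `.put("snapshot_user", ...)` entry stating that the role can read repository definitions but cannot create or delete them, plus a test asserting that creating a repository is denied for this role.
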
Member

can you add this reserved role to the documentation?

@albertzaharovits
Contributor Author

https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+pull-request-1/6139/console

15:36:21 2> REPRODUCE WITH: ./gradlew :client:rest-high-level:integTestRunner -Dtests.seed=8FD5A1F04D9D181B -Dtests.class=org.elasticsearch.client.documentation.SecurityDocumentationIT -Dtests.method="testGetRoles" -Dtests.security.manager=true -Dtests.locale=el -Dtests.timezone=Africa/Kinshasa -Dcompiler.java=11 -Druntime.java=8
15:36:21 1> [2019-01-27T14:36:01,019][INFO ][o.e.c.d.SecurityDocumentationIT] [testGetRoles] before test
15:36:21 1> [2019-01-27T14:36:01,462][INFO ][o.e.c.d.SecurityDocumentationIT] [testGetRoles] after test
15:36:21 FAILURE 0.46s | SecurityDocumentationIT.testGetRoles <<< FAILURES!
15:36:21 2> NOTE: leaving temporary files on disk at: /var/lib/jenkins/workspace/elastic+elasticsearch+pull-request-1/client/rest-high-level/build/testrun/integTestRunner/J0/temp/org.elasticsearch.client.documentation.SecurityDocumentationIT_8FD5A1F04D9D181B-001
15:36:21 > Throwable #1: java.lang.AssertionError:
15:36:21 > Expected: <26>
15:36:21 2> NOTE: test params are: codec=Lucene80, sim=Asserting(org.apache.lucene.search.similarities.AssertingSimilarity@3c8367b9), locale=el, timezone=Africa/Kinshasa
15:36:21 2> NOTE: Linux 3.10.0-957.1.3.el7.x86_64 amd64/Oracle Corporation 1.8.0_202 (64-bit)/cpus=16,threads=1,free=469543984,total=517996544
15:36:21 2> NOTE: All tests run in this JVM: [StoredScriptsDocumentationIT, TasksIT, CCRIT, RollupIT, ILMDocumentationIT, MachineLearningGetResultsIT, RankEvalIT, LicensingDocumentationIT, IngestClientIT, PingAndInfoIT, WatcherIT, IndicesClientIT, IngestClientDocumentationIT, MigrationIT, CCRDocumentationIT, BulkProcessorIT, SnapshotIT, StoredScriptsIT, ClusterClientDocumentationIT, SnapshotClientDocumentationIT, RollupDocumentationIT, GraphDocumentationIT, MlClientDocumentationIT, CRUDDocumentationIT, SearchDocumentationIT, IndicesClientDocumentationIT, MachineLearningIT, SecurityIT, MigrationDocumentationIT, IndexLifecycleIT, CrudIT, MigrationClientDocumentationIT, ClusterClientIT, BulkProcessorRetryIT, BulkRequestWithGlobalParametersIT, GraphIT, LicenseIT, ReindexIT, SearchIT, MiscellaneousDocumentationIT, SecurityDocumentationIT]
15:36:21 > but: was <27>
15:36:21 > at __randomizedtesting.SeedInfo.seed([8FD5A1F04D9D181B:35769ABE9552622A]:0)
15:36:21 > at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
15:36:21 > at org.elasticsearch.client.documentation.SecurityDocumentationIT.testGetRoles(SecurityDocumentationIT.java:642)
15:36:21 > at java.lang.Thread.run(Thread.java:748)
15:36:21 Completed [41/43] in 26.92s, 23 tests, 1 failure <<< FAILURES!

@elasticmachine run elasticsearch-ci/1

@albertzaharovits
Contributor Author

ooops the prev failure was legit, the test was counting reserved roles. Pushed a fix!

@albertzaharovits albertzaharovits merged commit 66ddd8d into elastic:master Jan 27, 2019
@albertzaharovits albertzaharovits deleted the snapshot_role branch January 27, 2019 21:09
albertzaharovits added a commit that referenced this pull request Jan 27, 2019
This commit introduces the `create_snapshot` cluster privilege and
the `snapshot_user` role.
This role is to be used by "cronable" tools that call the snapshot API
periodically without recurring to the `manage` cluster privilege. The
`create_snapshot` cluster privilege is much more limited compared to
the `manage` privilege.

The `snapshot_user` role grants the privileges to view the metadata of
all indices (including restricted ones, i.e. .security). It obviously grants the
create snapshot privilege but the repository has to be created using another
role. In addition, it grants the privileges to (only) GET repositories and
snapshots, but not create and delete them.

The role does not allow to create repositories. This distinction is important
because snapshotting equates to the `read` index privilege if the user has
control of the snapshot destination, but this is not the case in this instance,
because the role does not grant control over repository configuration.
albertzaharovits added a commit to elastic/kibana that referenced this pull request Feb 14, 2019
A new cluster privilege type has been added to ES in elastic/elasticsearch#35820 .
albertzaharovits added a commit to elastic/stack-docs that referenced this pull request Feb 19, 2019
This is the docs part for the `snapshot_user` role and the `create_snapshot`
cluster privilege which were added in
[elastic/elasticsearch#35820](elastic/elasticsearch#35820)
albertzaharovits added a commit to elastic/kibana that referenced this pull request Feb 20, 2019
albertzaharovits added a commit to albertzaharovits/kibana that referenced this pull request Feb 20, 2019
kobelb pushed a commit to kobelb/kibana that referenced this pull request Feb 20, 2019
kobelb added a commit to elastic/kibana that referenced this pull request Feb 20, 2019
@albertzaharovits albertzaharovits mentioned this pull request Apr 16, 2019
3 tasks