From 7ff17d3bcd4ddcb9e86793b235e8d10552c74f87 Mon Sep 17 00:00:00 2001
From: Lee Hinman
Date: Wed, 24 Apr 2019 15:59:36 -0600
Subject: [PATCH 1/3] Add `manage_slm` and `read_slm` roles
This adds two more built in roles - `manage_slm` which has permission to perform any of the SLM actions, as well as stopping, starting, and retrieving the operation status of ILM. `read_slm` which has permission to retrieve snapshot lifecycle policies as well as retrieving the operation status of ILM. Relates to #38461
---
 .../authz/privilege/ClusterPrivilege.java | 10 +++++++
 .../authz/privilege/PrivilegeTests.java | 28 +++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java
index c929fb3bfd348..baaab6fd05d50 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java
@@ -15,10 +15,13 @@
 import org.elasticsearch.common.collect.MapBuilder;
 import org.elasticsearch.xpack.core.indexlifecycle.action.GetLifecycleAction;
 import org.elasticsearch.xpack.core.indexlifecycle.action.GetStatusAction;
+import org.elasticsearch.xpack.core.indexlifecycle.action.StartILMAction;
+import org.elasticsearch.xpack.core.indexlifecycle.action.StopILMAction;
 import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenAction;
 import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
 import org.elasticsearch.xpack.core.security.support.Automatons;
+import org.elasticsearch.xpack.core.snapshotlifecycle.action.GetSnapshotLifecycleAction;
 import java.util.Collections;
 import java.util.HashSet;
@@ -60,6 +63,9 @@ public final class ClusterPrivilege extends Privilege {
 private static final Automaton READ_CCR_AUTOMATON = patterns(ClusterStateAction.NAME, HasPrivilegesAction.NAME);
 private static final Automaton MANAGE_ILM_AUTOMATON = patterns("cluster:admin/ilm/*");
 private static final Automaton READ_ILM_AUTOMATON = patterns(GetLifecycleAction.NAME, GetStatusAction.NAME);
+ private static final Automaton MANAGE_SLM_AUTOMATON =
+ patterns("cluster:admin/slm/*", StartILMAction.NAME, StopILMAction.NAME, GetStatusAction.NAME);
+ private static final Automaton READ_SLM_AUTOMATON = patterns(GetSnapshotLifecycleAction.NAME, GetStatusAction.NAME);
 public static final ClusterPrivilege NONE = new ClusterPrivilege("none", Automatons.EMPTY);
 public static final ClusterPrivilege ALL = new ClusterPrivilege("all", ALL_CLUSTER_AUTOMATON);
@@ -90,6 +96,8 @@ public final class ClusterPrivilege extends Privilege {
 public static final ClusterPrivilege CREATE_SNAPSHOT = new ClusterPrivilege("create_snapshot", CREATE_SNAPSHOT_AUTOMATON);
 public static final ClusterPrivilege MANAGE_ILM = new ClusterPrivilege("manage_ilm", MANAGE_ILM_AUTOMATON);
 public static final ClusterPrivilege READ_ILM = new ClusterPrivilege("read_ilm", READ_ILM_AUTOMATON);
+ public static final ClusterPrivilege MANAGE_SLM = new ClusterPrivilege("manage_slm", MANAGE_SLM_AUTOMATON);
+ public static final ClusterPrivilege READ_SLM = new ClusterPrivilege("read_slm", READ_SLM_AUTOMATON);
 public static final Predicate ACTION_MATCHER = ClusterPrivilege.ALL.predicate();
@@ -119,6 +127,8 @@ public final class ClusterPrivilege extends Privilege {
 .put("create_snapshot", CREATE_SNAPSHOT)
 .put("manage_ilm", MANAGE_ILM)
 .put("read_ilm", READ_ILM)
+ .put("manage_slm", MANAGE_SLM)
+ .put("read_slm", READ_SLM)
 .immutableMap();
 private static final ConcurrentHashMap, ClusterPrivilege> CACHE = new ConcurrentHashMap<>();
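Review bot: MANAGE_SLM_AUTOMATON in the `@@ -60,6 +63,9 @@` hunk grants StartILMAction.NAME and StopILMAction.NAME alongside `cluster:admin/slm/*`, so a holder of `manage_slm` can stop and start index lifecycle management for the whole cluster, which is wider than the snapshot-lifecycle scope the privilege name suggests. The commit message says this is intentional (SLM appears to share ILM's operation mode), but nothing in the code records why, and a later reader tightening the grant to the `slm` wildcard would presumably break SLM start/stop without any local hint. Add a comment above the constant, e.g. `// SLM shares ILM's operation mode, so manage_slm also needs the ILM start/stop/status actions`, and state the cross-feature reach in the privilege documentation; the same note applies to `GetStatusAction.NAME` in READ_SLM_AUTOMATON. The enclosing class ClusterPrivilege starts and ends outside this hunk.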
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
index 4af7dd2e57d62..180a4b43b21e5 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
@@ -204,4 +204,32 @@ public void testIlmPrivileges() {
 assertThat(predicate.test("indices:admin/whatever"), is(false));
 }
 }
+
+ public void testSlmPriviledges() {
+ {
+ Predicate predicate = ClusterPrivilege.MANAGE_SLM.predicate();
+ // check cluster actions
+ assertThat(predicate.test("cluster:admin/slm/delete"), is(true));
+ assertThat(predicate.test("cluster:admin/slm/put"), is(true));
+ assertThat(predicate.test("cluster:admin/slm/get"), is(true));
+ assertThat(predicate.test("cluster:admin/ilm/start"), is(true));
+ assertThat(predicate.test("cluster:admin/ilm/stop"), is(true));
+ assertThat(predicate.test("cluster:admin/ilm/operation_mode/get"), is(true));
+ // check non-slm action
+ assertThat(predicate.test("cluster:admin/whatever"), is(false));
+ }
+
+ {
+ Predicate predicate = ClusterPrivilege.READ_SLM.predicate();
+ // check cluster actions
+ assertThat(predicate.test("cluster:admin/slm/delete"), is(false));
+ assertThat(predicate.test("cluster:admin/slm/put"), is(false));
+ assertThat(predicate.test("cluster:admin/slm/get"), is(true));
+ assertThat(predicate.test("cluster:admin/ilm/start"), is(false));
+ assertThat(predicate.test("cluster:admin/ilm/stop"), is(false));
+ assertThat(predicate.test("cluster:admin/ilm/operation_mode/get"), is(true));
+ // check non-slm action
+ assertThat(predicate.test("cluster:admin/whatever"), is(false));
+ }
+ }
 }
From 04fa4108cf5d36db3fbdb4901567f6617d05533c Mon Sep 17 00:00:00 2001
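Review bot: The new test method is named `testSlmPriviledges`, misspelling "Privileges", while the sibling method in the hunk context is `testIlmPrivileges`; rename it to `testSlmPrivileges` so the pair reads consistently. The MANAGE_SLM block's only negative assertion is `cluster:admin/whatever`, which does not pin the boundary of the ILM reach this privilege now has (start, stop, operation-mode status only); adding `assertThat(predicate.test(GetLifecycleAction.NAME), is(false));` (importing the action if the test class does not already) would fail if the pattern were ever widened toward `cluster:admin/ilm/*`. The literals `cluster:admin/ilm/operation_mode/get` and `cluster:admin/slm/get` presumably mirror `GetStatusAction.NAME` and `GetSnapshotLifecycleAction.NAME`; referencing the constants would keep the test aligned if an action name changes.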
From: Lee Hinman
Date: Fri, 26 Apr 2019 17:18:01 -0600
Subject: [PATCH 2/3] Add execute to the test
---
 .../xpack/core/security/authz/privilege/PrivilegeTests.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
index 180a4b43b21e5..92bfdf8f9326b 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
@@ -214,6 +214,7 @@ public void testSlmPriviledges() {
 assertThat(predicate.test("cluster:admin/slm/get"), is(true));
 assertThat(predicate.test("cluster:admin/ilm/start"), is(true));
 assertThat(predicate.test("cluster:admin/ilm/stop"), is(true));
+ assertThat(predicate.test("cluster:admin/ilm/execute"), is(true));
 assertThat(predicate.test("cluster:admin/ilm/operation_mode/get"), is(true));
 // check non-slm action
 assertThat(predicate.test("cluster:admin/whatever"), is(false));
@@ -227,6 +228,7 @@ public void testSlmPriviledges() {
 assertThat(predicate.test("cluster:admin/slm/get"), is(true));
 assertThat(predicate.test("cluster:admin/ilm/start"), is(false));
 assertThat(predicate.test("cluster:admin/ilm/stop"), is(false));
+ assertThat(predicate.test("cluster:admin/ilm/execute"), is(false));
 assertThat(predicate.test("cluster:admin/ilm/operation_mode/get"), is(true));
 // check non-slm action
 assertThat(predicate.test("cluster:admin/whatever"), is(false));
From 38c7b70e100b403f1b516f5d04b081018076b9bf Mon Sep 17 00:00:00 2001
From: Lee Hinman
Date: Mon, 29 Apr 2019 09:20:15 -0600
Subject: [PATCH 3/3] Fix ilm -> slm typo in test
---
 .../xpack/core/security/authz/privilege/PrivilegeTests.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
index 92bfdf8f9326b..a21c3655a6a06 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
@@ -214,7 +214,7 @@ public void testSlmPriviledges() {
 assertThat(predicate.test("cluster:admin/slm/get"), is(true));
 assertThat(predicate.test("cluster:admin/ilm/start"), is(true));
 assertThat(predicate.test("cluster:admin/ilm/stop"), is(true));
- assertThat(predicate.test("cluster:admin/ilm/execute"), is(true));
+ assertThat(predicate.test("cluster:admin/slm/execute"), is(true));
 assertThat(predicate.test("cluster:admin/ilm/operation_mode/get"), is(true));
 // check non-slm action
 assertThat(predicate.test("cluster:admin/whatever"), is(false));
@@ -228,7 +228,7 @@ public void testSlmPriviledges() {
 assertThat(predicate.test("cluster:admin/slm/get"), is(true));
 assertThat(predicate.test("cluster:admin/ilm/start"), is(false));
 assertThat(predicate.test("cluster:admin/ilm/stop"), is(false));
- assertThat(predicate.test("cluster:admin/ilm/execute"), is(false));
+ assertThat(predicate.test("cluster:admin/slm/execute"), is(false));
 assertThat(predicate.test("cluster:admin/ilm/operation_mode/get"), is(true));
 // check non-slm action
 assertThat(predicate.test("cluster:admin/whatever"), is(false));
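Review bot: The corrected literal `cluster:admin/slm/execute` in both hunks is matched purely by the `cluster:admin/slm/*` wildcard in MANAGE_SLM_AUTOMATON, so the assertion holds for any string under that prefix and does not confirm that an execute action with this exact name exists. If x-pack core declares an action class for it, reference its `NAME` constant here as the ILM tests do with their action constants, so the test fails if the action is renamed or moved out of the `slm` namespace; if no such class exists yet, a short comment saying the name is anticipatory would avoid the same confusion that produced the `ilm` typo. The enclosing method testSlmPriviledges starts and ends outside both hunks.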