From a98e9e75e6d37f388ff7acc5e688259abf71d787 Mon Sep 17 00:00:00 2001 From: Mengwei Ding Date: Wed, 16 Oct 2019 14:30:07 -0700 Subject: [PATCH 1/2] [Code] Remove code_admin/code_user roles --- .../authz/store/ReservedRolesStore.java | 10 ---- .../authz/store/ReservedRolesStoreTests.java | 58 ------------------- 2 files changed, 68 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index ed80944a3764e..092e5fc31105d 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -248,16 +248,6 @@ private static Map initializeReservedRoles() { null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) .put("rollup_admin", new RoleDescriptor("rollup_admin", new String[] { "manage_rollup" }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) - .put("code_admin", new RoleDescriptor("code_admin", new String[] {}, - new RoleDescriptor.IndicesPrivileges[] { - RoleDescriptor.IndicesPrivileges.builder() - .indices(".code-*").privileges("all").build() - }, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) - .put("code_user", new RoleDescriptor("code_user", new String[] {}, - new RoleDescriptor.IndicesPrivileges[] { - RoleDescriptor.IndicesPrivileges.builder() - .indices(".code-*").privileges("read").build() - }, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) .put("snapshot_user", new RoleDescriptor("snapshot_user", new String[] { "create_snapshot", GetRepositoriesAction.NAME }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices("*") diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 97fd4172b4ce6..cab162de84251 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -200,8 +200,6 @@ public void testIsReserved() { assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.COLLECTION_ROLE_NAME), is(true)); assertThat(ReservedRolesStore.isReserved(RemoteMonitoringUser.INDEXING_ROLE_NAME), is(true)); assertThat(ReservedRolesStore.isReserved("snapshot_user"), is(true)); - assertThat(ReservedRolesStore.isReserved("code_admin"), is(true)); - assertThat(ReservedRolesStore.isReserved("code_user"), is(true)); } public void testSnapshotUserRole() { @@ -1370,60 +1368,4 @@ public void testLogstashAdminRole() { assertThat(logstashAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true)); assertThat(logstashAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true)); } - - public void testCodeAdminRole() { - RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_admin"); - assertNotNull(roleDescriptor); - assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); - - Role codeAdminRole = Role.builder(roleDescriptor, null).build(); - - assertThat(codeAdminRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class), - mock(Authentication.class)), is(false)); - - assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".code-"), is(true)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)), - is(false)); - - final String index = ".code-" + randomIntBetween(0, 5); - - assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true)); - assertThat(codeAdminRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true)); - } - - public void testCodeUserRole() { - RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("code_user"); - assertNotNull(roleDescriptor); - assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); - - Role codeUserRole = Role.builder(roleDescriptor, null).build(); - - assertThat(codeUserRole.cluster().check(DelegatePkiAuthenticationAction.NAME, mock(TransportRequest.class), - mock(Authentication.class)), is(false)); - - assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test("foo"), is(false)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".reporting"), is(false)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(".code-"), is(true)); - assertThat(codeUserRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)), - is(false)); - - final String index = ".code-" + randomIntBetween(0, 5); - - assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(false)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true)); - assertThat(codeUserRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false)); - } } From 17ad1655319d272fbee5f1ac30976a87fd21fc53 Mon Sep 17 00:00:00 2001 From: Mengwei Ding Date: Mon, 21 Oct 2019 15:33:13 -0700 Subject: [PATCH 2/2] fix test --- .../client/documentation/SecurityDocumentationIT.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java index 7964cb04ab249..7cf834072a47f 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java @@ -695,7 +695,7 @@ public void testGetRoles() throws Exception { List roles = response.getRoles(); assertNotNull(response); // 29 system roles plus the three we created - assertThat(roles.size(), equalTo(33)); + assertThat(roles.size(), equalTo(31)); } {