Has privileges API for profiles #85898
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
albertzaharovits
added
the
:Security/Authorization
Contributor
Author
|
@elasticmachine update branch |
Contributor
Author
|
ready for another round @ywangd . |
ywangd
approved these changes
May 4, 2022
Member
ywangd
left a comment
ywangd
left a comment
There was a problem hiding this comment.
LGTM thanks for the iterations!
...k/plugin/security/src/main/java/org/elasticsearch/xpack/security/profile/ProfileService.java
Outdated
Show resolved
Hide resolved
...ugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java
Show resolved
Hide resolved
This was referenced Jun 3, 2022
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jun 7, 2022
Docs for the new Has Privileges API for profiles from #85898. [Has privileges user profile API preview](https://elasticsearch_87360.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/security-api-has-privileges-user-profiles.html).
albertzaharovits
added a commit
to albertzaharovits/elasticsearch
that referenced
this pull request
Jun 7, 2022
Docs for the new Has Privileges API for profiles from elastic#85898. [Has privileges user profile API preview](https://elasticsearch_87360.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/security-api-has-privileges-user-profiles.html).
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jun 7, 2022
Docs for the new Has Privileges API for profiles from #85898. [Has privileges user profile API preview](https://elasticsearch_87360.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/security-api-has-privileges-user-profiles.html).
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jun 7, 2022
yml REST test for the profile has privilege API from #85898.
albertzaharovits
added a commit
to albertzaharovits/elasticsearch
that referenced
this pull request
Jun 7, 2022
yml REST test for the profile has privilege API from elastic#85898.
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jun 7, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This introduces a new Security API (
_security/profile/_has_privileges) that can be used to verify which Users, given their associated User Profiles (multiple profile uids can be specified in a single request), have the requested privileges.This is analogous to the existing Has privileges API | Elasticsearch Guide [8.1] | Elastic. It also uses the same format for specifying the privileges to be checked, and should be used in the same situations (ie to run an authorization preflight check or to verify privileges over application resources). However, unlike the existing has privilege API, this can be used to check the privileges of multiple users (not of the currently authenticated one), but the users must have an existing profile, and the response is binary only (has or has not the requested privileges).
Calling this API requires the
manage_user_profilecluster privilege.