From fb55cfc8af78a0eb4bf1ce7bde469f0c0d6d0b79 Mon Sep 17 00:00:00 2001 From: kobelb Date: Fri, 29 Mar 2019 12:41:36 -0700 Subject: [PATCH 1/5] Add Kibana application privileges for monitoring and ml reserved roles --- .../authz/store/ReservedRolesStore.java | 20 ++++++++--- .../authz/store/ReservedRolesStoreTests.java | 36 +++++++++++++++++++ 2 files changed, 52 insertions(+), 4 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index d2745e4ef8e2e..d9fded1fb2bdd 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -57,8 +57,12 @@ private static Map initializeReservedRoles() { new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices(".monitoring-*").privileges("read", "read_cross_cluster").build() - }, - null, MetadataUtils.DEFAULT_RESERVED_METADATA)) + }, + new RoleDescriptor.ApplicationResourcePrivileges[] { + RoleDescriptor.ApplicationResourcePrivileges.builder() + .application("kibana-*").resources("*").privileges("reserved_monitoring").build() + }, + null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) .put("remote_monitoring_agent", new RoleDescriptor("remote_monitoring_agent", new String[] { "manage_index_templates", "manage_ingest_pipelines", "monitor", 
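Review bot: Nothing in the hunk records why the application is the wildcard `kibana-*` rather than a fixed name, although the new `ApplicationResourcePrivileges` entry grants `reserved_monitoring` on resource `*` of every application that matches it, so a reader of the reserved-role table cannot tell whether a match on an arbitrary `kibana-<suffix>` is intended. A comment above the builder would settle it, e.g. `// Kibana names its application "kibana-<suffix>" (presumably its index name); the wildcard covers every instance, and what "reserved_monitoring" permits is defined on the Kibana side` — the naming scheme is only implied by the tests in this series, so confirm the wording before committing it. The constructor call now also passes four positional `null`s; a short trailing comment naming the skipped arguments would save the next editor a trip to `RoleDescriptor`. The enclosing `initializeReservedRoles` and the `.put(` that opens this role's entry lie outside the hunk.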
@@ -146,7 +150,11 @@ private static Map initializeReservedRoles() { RoleDescriptor.IndicesPrivileges.builder().indices(".ml-annotations*") .privileges("view_index_metadata", "read", "write").build() }, - null, MetadataUtils.DEFAULT_RESERVED_METADATA)) + new RoleDescriptor.ApplicationResourcePrivileges[] { + RoleDescriptor.ApplicationResourcePrivileges.builder() + .application("kibana-*").resources("*").privileges("reserved_ml").build() + }, + null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) .put("machine_learning_admin", new RoleDescriptor("machine_learning_admin", new String[] { "manage_ml" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() @@ -155,7 +163,11 @@ private static Map initializeReservedRoles() { RoleDescriptor.IndicesPrivileges.builder().indices(".ml-annotations*") .privileges("view_index_metadata", "read", "write").build() }, - null, MetadataUtils.DEFAULT_RESERVED_METADATA)) + new RoleDescriptor.ApplicationResourcePrivileges[] { + RoleDescriptor.ApplicationResourcePrivileges.builder() + .application("kibana-*").resources("*").privileges("reserved_ml").build() + }, + null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) .put("data_frame_transforms_admin", new RoleDescriptor("data_frame_transforms_admin", new String[] { "manage_data_frame_transforms" }, new RoleDescriptor.IndicesPrivileges[]{ diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 9d970cca55119..f2fcc71ff9fba 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java 
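Review bot: The three-line `ApplicationResourcePrivileges` builder for `kibana-*` / `*` is written out verbatim in both hunks on this line (the row preceding `machine_learning_admin`, whose name is outside the hunk, at @@ -146 and `machine_learning_admin` itself at @@ -155) and once more with `reserved_monitoring` in the first hunk of this patch; only the privilege name varies, so a private static helper would keep the application pattern and resource in one place and let the rows read as `kibanaApplicationPrivileges("reserved_ml")`. Collapsing it also makes visible that both ML roles receive the identical Kibana privilege, so if Kibana is expected to tell an ML admin from an ML user, that distinction cannot come from these role descriptors — worth confirming against the Kibana side. The enclosing `initializeReservedRoles` starts and ends outside both hunks. The helper and one call site are shown below; the monitoring row in the first hunk would call it with `"reserved_monitoring"`.
```java
// Application privileges granted to Kibana by a reserved role. Kibana applications are
// expected to be named "kibana-<suffix>" (NOTE(review): confirm against Kibana), so the
// wildcard covers every instance; what the named privilege permits is decided by Kibana.
private static RoleDescriptor.ApplicationResourcePrivileges[] kibanaApplicationPrivileges(String privilege) {
    return new RoleDescriptor.ApplicationResourcePrivileges[] {
        RoleDescriptor.ApplicationResourcePrivileges.builder()
            .application("kibana-*").resources("*").privileges(privilege).build()
    };
}

// … unchanged: cluster and indices privileges of the ML role …
kibanaApplicationPrivileges("reserved_ml"),
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
```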
@@ -452,6 +452,18 @@ public void testMonitoringUserRole() { assertThat(monitoringUserRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(index), is(true)); assertNoAccessAllowed(monitoringUserRole, RestrictedIndicesNames.RESTRICTED_NAMES); + + final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); + assertThat(monitoringUserRole.application().grants( + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); + assertThat(monitoringUserRole.application().grants( + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + + final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); + assertThat(monitoringUserRole.application().grants( + new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); + assertThat(monitoringUserRole.application().grants( + new ApplicationPrivilege(otherApplication, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(false)); } public void testRemoteMonitoringAgentRole() { 
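Review bot: The negative assertions only vary the application name; there is no check that the monitoring role is denied a different reserved privilege on a matching Kibana application, which is the case that would catch a privilege name copied into the wrong row of the role table (patch 4 of this series fixes exactly that kind of copy error, in the test file). Next to the `is(true)` assertion add `assertThat(monitoringUserRole.application().grants(new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(false));`. The resource argument is `"*"` throughout; since the role grants `resources("*")`, one assertion with a random resource such as `randomAlphaOfLengthBetween(1, 10)` in place of `"*"` would document that the grant is not resource-specific. `testMonitoringUserRole` begins before the hunk.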
@@ -957,6 +969,18 @@ public void testMachineLearningAdminRole() { assertReadWriteDocsButNotDeleteIndexAllowed(role, AnnotationIndex.INDEX_NAME); assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES); + + final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); + assertThat(role.application().grants( + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); + assertThat(role.application().grants( + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + + final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); + assertThat(role.application().grants( + new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); + assertThat(role.application().grants( + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); } public void testMachineLearningUserRole() { @@ -1028,6 +1052,18 @@ public void testMachineLearningUserRole() { assertReadWriteDocsButNotDeleteIndexAllowed(role, AnnotationIndex.INDEX_NAME); assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES); + + final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); + assertThat(role.application().grants( + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); + assertThat(role.application().grants( + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + + final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); + assertThat(role.application().grants( + new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); + assertThat(role.application().grants( + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); } public void testDataFrameTransformsAdminRole() { 
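Review bot: The twelve added lines are the same block pasted into `testMachineLearningAdminRole` and `testMachineLearningUserRole` (and into `testMonitoringUserRole` in the previous hunk), differing only in the role variable and the privilege name, and patch 4 of this series ("And I copied something from monitoring I shouldn't have...") shows the failure mode that produces. A small assertion helper taking the role and the expected reserved privilege keeps the three tests in step and is the natural place to assert that the other reserved privilege is denied — `reserved_monitoring` for the ML roles here, `reserved_ml` for the monitoring role. Both test methods begin before their hunks; the sketch below assumes the role variables are of the `Role` type whose `application()` the hunks already call.
```java
// Asserts that `role` is granted `expected` (and not `notExpected`) on any "kibana-*"
// application, and neither privilege on an application with another prefix.
private void assertKibanaReservedPrivilege(Role role, String expected, String notExpected) {
    final String kibanaApplication = "kibana-" + randomAlphaOfLengthBetween(8, 24);
    assertThat(role.application().grants(
        new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false));
    assertThat(role.application().grants(
        new ApplicationPrivilege(kibanaApplication, "app-" + expected, expected), "*"), is(true));
    assertThat(role.application().grants(
        new ApplicationPrivilege(kibanaApplication, "app-" + notExpected, notExpected), "*"), is(false));

    final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
    assertThat(role.application().grants(
        new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false));
    assertThat(role.application().grants(
        new ApplicationPrivilege(otherApplication, "app-" + expected, expected), "*"), is(false));
}

// … unchanged: index assertions of testMachineLearningAdminRole / testMachineLearningUserRole …
assertKibanaReservedPrivilege(role, "reserved_ml", "reserved_monitoring");
```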
From e291b21be372d1fbe3641b0cd214f02c9d5a4f43 Mon Sep 17 00:00:00 2001 From: kobelb Date: Thu, 4 Apr 2019 17:38:57 -0700 Subject: [PATCH 2/5] Adding test for kibana-.kibana application explicitly --- .../authz/store/ReservedRolesStoreTests.java | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index f2fcc71ff9fba..440b462ab1749 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -453,6 +453,12 @@ public void testMonitoringUserRole() { assertNoAccessAllowed(monitoringUserRole, RestrictedIndicesNames.RESTRICTED_NAMES); + final String kibaanaApplicataion = "kibana-.kibana"; + assertThat(monitoringUserRole.application().grants( + new ApplicationPrivilege(kibaanaApplicataion, "app-foo", "foo"), "*"), is(false)); + assertThat(monitoringUserRole.application().grants( + new ApplicationPrivilege(kibaanaApplicataion, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); assertThat(monitoringUserRole.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); 
@@ -970,6 +976,12 @@ public void testMachineLearningAdminRole() { assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES); + final String kibaanaApplicataion = "kibana-.kibana"; + assertThat(role.application().grants( + new ApplicationPrivilege(kibaanaApplicataion, "app-foo", "foo"), "*"), is(false)); + assertThat(role.application().grants( + new ApplicationPrivilege(kibaanaApplicataion, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); @@ -1053,6 +1065,13 @@ public void testMachineLearningUserRole() { assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES); + final String kibaanaApplicataion = "kibana-.kibana"; + assertThat(role.application().grants( + new ApplicationPrivilege(kibaanaApplicataion, "app-foo", "foo"), "*"), is(false)); + assertThat(role.application().grants( + new ApplicationPrivilege(kibaanaApplicataion, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + + final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); From cba889c5463f12ec8b24b7ea07b01e79e6fabbf5 Mon Sep 17 00:00:00 2001 From: kobelb Date: Thu, 4 Apr 2019 17:41:24 -0700 Subject: [PATCH 3/5] Whoa there, fat fingered kibana and application... --- .../authz/store/ReservedRolesStoreTests.java | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 440b462ab1749..4e633f66dce31 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -453,11 +453,11 @@ public void testMonitoringUserRole() { assertNoAccessAllowed(monitoringUserRole, RestrictedIndicesNames.RESTRICTED_NAMES); - final String kibaanaApplicataion = "kibana-.kibana"; + final String kibanaApplication = "kibana-.kibana"; assertThat(monitoringUserRole.application().grants( - new ApplicationPrivilege(kibaanaApplicataion, "app-foo", "foo"), "*"), is(false)); + new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false)); assertThat(monitoringUserRole.application().grants( - new ApplicationPrivilege(kibaanaApplicataion, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplication, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); assertThat(monitoringUserRole.application().grants( 
@@ -976,11 +976,11 @@ public void testMachineLearningAdminRole() { assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES); - final String kibaanaApplicataion = "kibana-.kibana"; + final String kibanaApplication = "kibana-.kibana"; assertThat(role.application().grants( - new ApplicationPrivilege(kibaanaApplicataion, "app-foo", "foo"), "*"), is(false)); + new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(kibaanaApplicataion, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplication, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); assertThat(role.application().grants( @@ -1065,11 +1065,11 @@ public void testMachineLearningUserRole() { assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES); - final String kibaanaApplicataion = "kibana-.kibana"; + final String kibanaApplication = "kibana-.kibana"; assertThat(role.application().grants( - new ApplicationPrivilege(kibaanaApplicataion, "app-foo", "foo"), "*"), is(false)); + new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(kibaanaApplicataion, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplication, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); From 0d005d0e8d62bd24eabf903f4a1d6ce4109c96c4 Mon Sep 17 00:00:00 2001 From: kobelb Date: Thu, 4 Apr 2019 17:44:20 -0700 Subject: [PATCH 4/5] And I copied something from monitoring I shouldn't have... --- .../core/security/authz/store/ReservedRolesStoreTests.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 4e633f66dce31..90f975af93a33 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -980,7 +980,7 @@ public void testMachineLearningAdminRole() { assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplication, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplication, "app-reserved_ml", "reserved_ml"), "*"), is(true)); final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); assertThat(role.application().grants( @@ -1069,7 +1069,7 @@ public void testMachineLearningUserRole() { assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplication, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplication, "app-reserved_ml", "reserved_ml"), "*"), is(true)); final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); From 306d6fe390181a227b004365beafe8081564df22 Mon Sep 17 00:00:00 2001 From: kobelb Date: Thu, 4 Apr 2019 17:49:13 -0700 Subject: [PATCH 5/5] And actually doing what Yogesh recommended... --- .../authz/store/ReservedRolesStoreTests.java | 24 +++---------------- 1 file changed, 3 insertions(+), 21 deletions(-) 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 90f975af93a33..c4c2ec871a548 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -453,13 +453,7 @@ public void testMonitoringUserRole() { assertNoAccessAllowed(monitoringUserRole, RestrictedIndicesNames.RESTRICTED_NAMES); - final String kibanaApplication = "kibana-.kibana"; - assertThat(monitoringUserRole.application().grants( - new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false)); - assertThat(monitoringUserRole.application().grants( - new ApplicationPrivilege(kibanaApplication, "app-reserved_monitoring", "reserved_monitoring"), "*"), is(true)); - - final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); + final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); assertThat(monitoringUserRole.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); assertThat(monitoringUserRole.application().grants( 
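Review bot: `randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana")` covers the `kibana-.kibana` case — the value patch 2 added explicitly, and the only suffix here that starts with a non-alphanumeric character — on roughly half of the runs, where the removed lines covered it on every run. If the aim was to drop the duplicated block rather than the deterministic coverage, iterating both suffixes keeps both: `for (String suffix : new String[] { randomAlphaOfLengthBetween(8, 24), ".kibana" }) { final String kibanaApplication = "kibana-" + suffix; … }` with the two `assertThat` calls moved inside the loop. The same applies to the `testMachineLearningAdminRole` and `testMachineLearningUserRole` hunks of this patch. `testMonitoringUserRole` continues past the end of the hunk.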
@@ -976,13 +970,7 @@ public void testMachineLearningAdminRole() { assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES); - final String kibanaApplication = "kibana-.kibana"; - assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false)); - assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplication, "app-reserved_ml", "reserved_ml"), "*"), is(true)); - - final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); + final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( @@ -1065,14 +1053,8 @@ public void testMachineLearningUserRole() { assertNoAccessAllowed(role, RestrictedIndicesNames.RESTRICTED_NAMES); - final String kibanaApplication = "kibana-.kibana"; - assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplication, "app-foo", "foo"), "*"), is(false)); - assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplication, "app-reserved_ml", "reserved_ml"), "*"), is(true)); - - final String kibanaApplicationWithRandomIndex = "kibana-" + randomAlphaOfLengthBetween(8, 24); + final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana"); assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants(