Add validation to privilege names in roles API #29703

Closed
elasticmachine opened this issue Feb 10, 2017 · 2 comments · Fixed by #46361
Labels
>enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC

@elasticmachine
Collaborator

Original comment by @ppf2:

I have a feeling that we may already have this on the roadmap and it's just not in the first iteration of the API. Filing to track progress since this will likely come up in the future. Currently, there is no validation on the values of the privileges set when creating roles. So it's possible for users to have a typo in the privilege names and the role will still get added/accepted by the API.

{
  "indices": [
    {
      "names": [ "test",".kibana" ],
      "privileges": [ "al" ]
    }
  ]
}
{
  "role": {
    "created": true
  }
}

It will be nice if we can validate this and throw back an exception (or maybe even include the list of allowable values for privileges in the exception, etc.).

@elasticmachine
Collaborator Author

elasticmachine commented Mar 4, 2018

Original comment by @tvernum:

This is still an issue in 6.2
This:

{
  "test" : {
    "cluster" : [
      "manage_index_templates",
      "no-such-priv" <- This
    ],
    "indices" : [
      {
        "names" : [
          "test*"
        ],
        "privileges" : [
          "does-not-exist" <- This
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Is considered to be a valid role.

@elasticmachine elasticmachine added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC >enhancement labels Apr 25, 2018
@bizybot
Contributor

bizybot commented Jul 19, 2019

Also, we need to add a debug log here and in similar other places where required.

@bizybot bizybot self-assigned this Jul 19, 2019
bizybot pushed a commit to bizybot/elasticsearch that referenced this issue Sep 5, 2019
This commit adds validation so a role cannot be created with
invalid index or cluster privilege name.

Closes elastic#29703
bizybot added a commit that referenced this issue Sep 24, 2019
This commit adds validation so a role cannot be created with
invalid index or cluster privilege name.

Closes #29703
bizybot added a commit to bizybot/elasticsearch that referenced this issue Sep 25, 2019
…tic#46361)

This commit adds validation so a role cannot be created with
invalid index or cluster privilege name.

Closes elastic#29703
bizybot added a commit that referenced this issue Sep 25, 2019
…) (#47063)

This commit adds validation so a role cannot be created with
invalid index or cluster privilege name.

Closes #29703
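
A pre-flight audit for the gap this issue describes, as an added example that is not part of the thread or of the Elasticsearch code base: it checks role definitions in the shape shown above against an allow-list and reports each unknown privilege name together with the allowed values, as the original comment suggests. The privilege sets are an illustrative subset, the pass-through for names starting with `cluster:` or `indices:` (treated as raw action patterns) is an assumption, and the function names are hypothetical.

```python
import difflib

# Illustrative subsets only (assumption): replace with the privilege lists
# documented for the Elasticsearch version you run.
CLUSTER_PRIVILEGES = {"all", "monitor", "manage", "manage_index_templates",
                      "manage_security", "transport_client"}
INDEX_PRIVILEGES = {"all", "read", "write", "index", "create", "delete",
                    "create_index", "delete_index", "manage", "monitor",
                    "view_index_metadata"}


def _check(names, allowed, action_prefix, where):
    """Return one finding per name that is neither allowed nor an action pattern."""
    findings = []
    for name in names:
        # Assumption: raw action patterns such as "indices:data/read/*" are
        # legitimate and out of scope for name validation.
        if name in allowed or name.startswith(action_prefix):
            continue
        hint = difflib.get_close_matches(name, sorted(allowed), n=1)
        findings.append({"where": where, "name": name,
                         "suggestion": hint[0] if hint else None,
                         "allowed": sorted(allowed)})
    return findings


def audit_roles(roles):
    """Audit a dict of role name -> role body (the shape shown in the thread)."""
    findings = []
    for role_name, body in roles.items():
        findings += _check(body.get("cluster", []), CLUSTER_PRIVILEGES,
                           "cluster:", f"{role_name}.cluster")
        for i, entry in enumerate(body.get("indices", [])):
            findings += _check(entry.get("privileges", []), INDEX_PRIVILEGES,
                               "indices:", f"{role_name}.indices[{i}].privileges")
    return findings


# Constructed sample: the role from the thread, minus the "<- This" annotations.
SAMPLE = {"test": {"cluster": ["manage_index_templates", "no-such-priv"],
                   "indices": [{"names": ["test*"],
                                "privileges": ["does-not-exist"]}],
                   "run_as": [], "metadata": {}}}

if __name__ == "__main__":
    for f in audit_roles(SAMPLE):
        print(f"{f['where']}: unknown privilege {f['name']!r}"
              f" (did you mean {f['suggestion']!r}?)")
```

A typo such as `"al"` matters because the role is stored but the misspelled entry grants nothing, so the mistake only surfaces later as an unexplained authorization failure.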