@slobodanadamovic
Contributor

Backport

This will backport the following commits from main to 8.x:

Questions?

Please refer to the Backport tool documentation

This PR adds support for checking access to the failure store via the
Has Privileges API.

To check access for a data stream `logs`, a request must query for a
concrete named privilege, `read_failure_store` or
`manage_failure_store`, e.g., a request to the HasPrivileges API by a
user with `read_failure_store` over `logs`:

```
POST /_security/user/_has_privileges
{
    "index": [
        {
            "names": ["logs"],
            "privileges": ["read_failure_store", "read", "indices:data/read/*"]
        }
    ]
}
```

Returns:
```
{
    "username": "<...>",
    "has_all_requested": false,
    "cluster": {},
    "index": {
        "logs": {
            "read_failure_store": true,
            "read": false, <1>
            "indices:data/read/*": false <2>
        }
    },
    "application": {}
}
```
Note that `<1>` and `<2>` are both `false` since `read` is not covered by `read_failure_store` and neither are any raw actions like `indices:data/read/*` since these implicitly correspond to data access.

Selectors are not allowed in the index patterns of HasPrivileges requests to avoid ambiguities such as checking `read` on `logs::failures` as well as the ambiguity of index patterns that are regular expressions.

(cherry picked from commit 0e0214d)

# Conflicts:
#	x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
@slobodanadamovic slobodanadamovic added auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) :Security/Security Security issues without another label Team:Security Meta label for security team >non-issue labels Mar 31, 2025
@elasticsearchmachine elasticsearchmachine merged commit 4cbee5d into elastic:8.x Mar 31, 2025
20 checks passed
@slobodanadamovic slobodanadamovic deleted the backport/8.x/pr-125329 branch March 31, 2025 12:35
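A client-side sketch of the check described in the PR description, added here as an example and not code from the pull request or from Elasticsearch. The helper names `build_request` and `summarize` are hypothetical, the `::` pre-check is a local assumption that mirrors the "no selectors" rule, and the sample response is the one quoted above with the `<1>`/`<2>` callouts removed.

```python
import json

# The two named failure store privileges mentioned in the PR description.
FAILURE_STORE_PRIVILEGES = {"read_failure_store", "manage_failure_store"}


def build_request(names, privileges):
    """Build a Has Privileges body; refuse selector syntax such as logs::failures."""
    for name in names:
        if "::" in name:  # local pre-check (assumption), mirrors the rule above
            raise ValueError(f"selector not allowed in index pattern: {name!r}")
    return {"index": [{"names": list(names), "privileges": list(privileges)}]}


def summarize(response, name):
    """Split one entry's results into failure store access and data access."""
    results = response["index"][name]
    failure = {p: ok for p, ok in results.items() if p in FAILURE_STORE_PRIVILEGES}
    data = {p: ok for p, ok in results.items() if p not in FAILURE_STORE_PRIVILEGES}
    return {
        "failure_store": failure,
        "data": data,
        # An empty group means "not asked", so it is reported as not granted.
        "failure_store_ok": bool(failure) and all(failure.values()),
        "data_ok": bool(data) and all(data.values()),
    }


# Response quoted in the PR description (callouts removed).
SAMPLE_RESPONSE = {
    "username": "<...>",
    "has_all_requested": False,
    "cluster": {},
    "index": {
        "logs": {
            "read_failure_store": True,
            "read": False,
            "indices:data/read/*": False,
        }
    },
    "application": {},
}

if __name__ == "__main__":
    body = build_request(["logs"], ["read_failure_store", "read", "indices:data/read/*"])
    print("POST /_security/user/_has_privileges")
    print(json.dumps(body, indent=4))
    print(json.dumps(summarize(SAMPLE_RESPONSE, "logs"), indent=4))
```

`has_all_requested` is `false` for this response even though the failure store check passed, so a caller that only needs failure store access should read the per-privilege results instead of the aggregate flag.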
Labels

auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport >non-issue :Security/Security Security issues without another label Team:Security Meta label for security team v8.19.0
