Add the new 'maintenance' privilege containing 4 actions (#29998) #50643
Changes from 9 commits
363f1ff
3421673
22f7588
73f5763
0ddc277
844c4b1
e1a6208
cecd284
8a9779a
746d4d7
|
@@ -69,6 +69,10 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { | |
" indices:\n" + | ||
" - names: 'b'\n" + | ||
" privileges: [ monitor ]\n" + | ||
"maintenance_a_role:\n" + | ||
" indices:\n" + | ||
" - names: 'a'\n" + | ||
" privileges: [ maintenance ]\n" + | ||
"read_write_a_role:\n" + | ||
" indices:\n" + | ||
" - names: 'a'\n" + | ||
|
@@ -96,6 +100,7 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { | |
"read_write_all_role:u12\n" + | ||
"create_c_role:u11\n" + | ||
"monitor_b_role:u14\n" + | ||
"maintenance_a_role:u15\n" + | ||
"read_write_a_role:u12\n" + | ||
"delete_b_role:u11\n" + | ||
"index_a_role:u13\n"; | ||
|
@@ -129,7 +134,8 @@ protected String configUsers() { | |
"u11:" + usersPasswdHashed + "\n" + | ||
"u12:" + usersPasswdHashed + "\n" + | ||
"u13:" + usersPasswdHashed + "\n" + | ||
"u14:" + usersPasswdHashed + "\n"; | ||
"u14:" + usersPasswdHashed + "\n" + | ||
"u15:" + usersPasswdHashed + "\n" ; | ||
} | ||
|
||
@Override | ||
|
@@ -308,12 +314,14 @@ public void testUserU11() throws Exception { | |
assertUserIsDenied("u11", "manage", "b"); | ||
assertUserIsDenied("u11", "index", "b"); | ||
assertUserIsDenied("u11", "search", "b"); | ||
assertUserIsDenied("u11", "maintenance", "b"); | ||
assertUserIsAllowed("u11", "delete", "b"); | ||
|
||
assertAccessIsAllowed("admin", "DELETE", "/c"); | ||
assertUserIsAllowed("u11", "create_index", "c"); | ||
assertUserIsDenied("u11", "data_access", "c"); | ||
assertUserIsDenied("u11", "monitor", "c"); | ||
assertUserIsDenied("u11", "maintenance", "c"); | ||
|
||
assertAccessIsDenied("u11", | ||
"GET", "/" + randomIndex() + "/_msearch", "{}\n{ \"query\" : { \"match_all\" : {} } }\n"); | ||
|
@@ -385,6 +393,11 @@ public void testUserU14() throws Exception { | |
"GET", "/" + randomIndex() + "/_mtermvectors", "{ \"docs\" : [ { \"_id\": \"1\" }, { \"_id\": \"2\" } ] }"); | ||
} | ||
|
||
public void testUserU15() throws Exception { | ||
assertUserIsAllowed("u15", "maintenance", "a"); | ||
assertUserIsDenied("u15", "crud", "a"); | ||
} | ||
|
||
public void testThatUnknownUserIsRejectedProperly() throws Exception { | ||
try { | ||
Request request = new Request("GET", "/"); | ||
|
@@ -419,6 +432,22 @@ private void assertUserExecutes(String user, String action, String index, boolea | |
} | ||
break; | ||
|
||
case "maintenance" : | ||
if (userIsAllowed) { | ||
assertUserIsDenied(user, "crud", index); | ||
I think this this is what we want.
@tvernum the first and second statements made me a bit confused, but it looks like the explanation has precedence, so I will remove them.
Sorry, somehow I dropped a word. It should have said:
Your fix is correct. |
||
assertAccessIsAllowed(user, "POST", "/" + index + "/_refresh"); | ||
assertAccessIsAllowed(user, "POST", "/" + index + "/_flush"); | ||
assertAccessIsAllowed(user, "POST", "/" + index + "/_flush/synced"); | ||
assertAccessIsAllowed(user, "POST", "/" + index + "/_forcemerge"); | ||
} else { | ||
assertUserIsDenied(user, "crud", index); | ||
Per above. |
||
assertAccessIsDenied(user, "POST", "/" + index + "/_refresh"); | ||
assertAccessIsDenied(user, "POST", "/" + index + "/_flush"); | ||
assertAccessIsDenied(user, "POST", "/" + index + "/_flush/synced"); | ||
assertAccessIsDenied(user, "POST", "/" + index + "/_forcemerge"); | ||
} | ||
break; | ||
|
||
case "manage" : | ||
if (userIsAllowed) { | ||
assertAccessIsAllowed(user, "DELETE", "/" + index); | ||
|
Minor: