Skip to content

Add manage_search_synonyms privilege #97853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Jul 26, 2023
Merged

Add manage_search_synonyms privilege #97853

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
22d10cd
Add new privilege
carlosdelest Jul 20, 2023
1205e84
Add tests
carlosdelest Jul 20, 2023
f9fac1a
Add new cluster privilege to test
carlosdelest Jul 20, 2023
e713643
Add synonym sets actions to cluster privilege
carlosdelest Jul 24, 2023
6af2d3e
PR review comments
carlosdelest Jul 25, 2023
14bef42
Spotless
carlosdelest Jul 25, 2023
68a5a61
Remove unused test user and role
carlosdelest Jul 26, 2023
c6d99cf
Merge branch 'main' into carlosdelest/synonyms-manage-privilege
carlosdelest Jul 26, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .../java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import org.elasticsearch.action.ingest.SimulatePipelineAction;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.synonyms.SynonymsAPI;
import org.elasticsearch.transport.RemoteClusterService;
import org.elasticsearch.transport.TcpTransport;
import org.elasticsearch.transport.TransportRequest;
Expand Down Expand Up @@ -154,6 +155,11 @@ public class ClusterPrivilegeResolver {
private static final Set<String> READ_SLM_PATTERN = Set.of(GetSnapshotLifecycleAction.NAME, GetStatusAction.NAME);

private static final Set<String> MANAGE_SEARCH_APPLICATION_PATTERN = Set.of("cluster:admin/xpack/application/search_application/*");
private static final Set<String> MANAGE_SEARCH_SYNONYMS_PATTERN = Set.of(
"cluster:admin/synonyms/*",
"cluster:admin/synonyms_sets/*",
"cluster:admin/synonym_rules/*"
);

private static final Set<String> CROSS_CLUSTER_SEARCH_PATTERN = Set.of(
RemoteClusterService.REMOTE_CLUSTER_HANDSHAKE_ACTION_NAME,
Expand Down Expand Up @@ -277,6 +283,10 @@ public class ClusterPrivilegeResolver {
"manage_search_application",
MANAGE_SEARCH_APPLICATION_PATTERN
);
public static final NamedClusterPrivilege MANAGE_SEARCH_SYNONYMS = new ActionClusterPrivilege(
"manage_search_synonyms",
MANAGE_SEARCH_SYNONYMS_PATTERN
);
public static final NamedClusterPrivilege MANAGE_BEHAVIORAL_ANALYTICS = new ActionClusterPrivilege(
"manage_behavioral_analytics",
MANAGE_BEHAVIORAL_ANALYTICS_PATTERN
Expand Down Expand Up @@ -343,6 +353,7 @@ public class ClusterPrivilegeResolver {
MANAGE_LOGSTASH_PIPELINES,
CANCEL_TASK,
MANAGE_SEARCH_APPLICATION,
SynonymsAPI.isEnabled() ? MANAGE_SEARCH_SYNONYMS : null,
MANAGE_BEHAVIORAL_ANALYTICS,
POST_BEHAVIORAL_ANALYTICS_EVENT,
TcpTransport.isUntrustedRemoteClusterEnabled() ? CROSS_CLUSTER_SEARCH : null,
Expand Down
2 changes: 1 addition & 1 deletion x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,5 @@ setup:
# This is fragile - it needs to be updated every time we add a new cluster/index privilege
# I would much prefer we could just check that specific entries are in the array, but we don't have
# an assertion for that
- length: { "cluster" : 48 }
- length: { "cluster" : 49 }
- length: { "index" : 22 }
17 changes: 12 additions & 5 deletions x-pack/qa/core-rest-tests-with-security/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
apply plugin: 'elasticsearch.internal-yaml-rest-test'
import org.elasticsearch.gradle.internal.info.BuildParams

dependencies {
testImplementation project(':x-pack:qa')
Expand All @@ -20,9 +21,15 @@ restResources {
}

tasks.named("yamlRestTest").configure {
systemProperty 'tests.rest.blacklist',
[
'index/10_with_id/Index with ID',
'indices.get_alias/10_basic/Get alias against closed indices'
].join(',')
ArrayList<String> blacklist = [
'index/10_with_id/Index with ID',
'indices.get_alias/10_basic/Get alias against closed indices'
];
if (BuildParams.isSnapshotBuild() == false) {
blacklist += [
'synonyms_privileges/10_synonyms_with_privileges/*',
'synonyms_privileges/20_synonyms_no_privileges/*'
];
}
systemProperty 'tests.rest.blacklist', blacklist.join(',')
}
89 changes: 89 additions & 0 deletions ...RestTest/resources/rest-api-spec/test/synonyms_privileges/10_synonyms_with_privileges.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
setup:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice test organization 👍

- skip:
features: headers
version: " - 8.9.99"
reason: Introduced in 8.10.0

- do:
security.put_user:
username: "synonyms-user"
body:
password: "synonyms-user-password"
roles : [ "synonyms-role" ]

- do:
security.put_role:
name: "synonyms-role"
body:
cluster: ["manage_search_synonyms"]

---
teardown:
- do:
security.delete_user:
username: "synonyms-user"
ignore: 404
- do:
security.delete_role:
name: "synonyms-role"
ignore: 404

---
"Check synonyms set operations - with manage_search_synonyms privilege":
- do:
headers: { Authorization: "Basic c3lub255bXMtdXNlcjpzeW5vbnltcy11c2VyLXBhc3N3b3Jk" } # synonyms-user
synonyms.put:
synonyms_set: test-synonyms
body:
synonyms_set:
- synonyms: "hello, hi"
id: "test-id"

- match: { result: "created" }

- do:
headers: { Authorization: "Basic c3lub255bXMtdXNlcjpzeW5vbnltcy11c2VyLXBhc3N3b3Jk" } # synonyms-user
synonyms.get:
synonyms_set: test-synonyms

- match:
count: 1

- do:
headers: { Authorization: "Basic c3lub255bXMtdXNlcjpzeW5vbnltcy11c2VyLXBhc3N3b3Jk" } # synonyms-user
synonyms_sets.get: { }

- match:
count: 1

- do:
headers: { Authorization: "Basic c3lub255bXMtdXNlcjpzeW5vbnltcy11c2VyLXBhc3N3b3Jk" } # synonyms-user
synonym_rule.put:
synonyms_set: "test-synonyms"
synonym_rule: "test-id-0"
body:
synonyms: "i-phone, iphone"

- match: { result: "created" }

- do:
headers: { Authorization: "Basic c3lub255bXMtdXNlcjpzeW5vbnltcy11c2VyLXBhc3N3b3Jk" } # synonyms-user
synonym_rule.get:
synonyms_set: "test-synonyms"
synonym_rule: "test-id-0"

- match: {id: "test-id-0"}

- do:
headers: { Authorization: "Basic c3lub255bXMtdXNlcjpzeW5vbnltcy11c2VyLXBhc3N3b3Jk" } # synonyms-user
synonym_rule.delete:
synonyms_set: test-synonyms
synonym_rule: test-id-0

- do:
headers: { Authorization: "Basic c3lub255bXMtdXNlcjpzeW5vbnltcy11c2VyLXBhc3N3b3Jk" } # synonyms-user
synonyms.delete:
synonyms_set: test-synonyms

- match:
acknowledged: true
93 changes: 93 additions & 0 deletions ...mlRestTest/resources/rest-api-spec/test/synonyms_privileges/20_synonyms_no_privileges.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
setup:
- skip:
features: headers
version: " - 8.9.99"
reason: Introduced in 8.10.0

- do:
security.put_user:
username: "non-synonyms-user"
body:
password: "non-synonyms-user-password"
roles : [ "non-synonyms-role" ]

- do:
security.put_role:
name: "non-synonyms-role"
body:
indices:
- names: ["*"]
privileges: [ "manage", "write", "read" ]
---
teardown:
- do:
security.delete_user:
username: "non-synonyms-user"
ignore: 404
- do:
security.delete_role:
name: "non-synonyms-role"
ignore: 404

---
"Create synonyms set - no manage_search_synonyms privilege":
- do:
catch: "forbidden"
headers: { Authorization: "Basic bm9uLXN5bm9ueW1zLXVzZXI6bm9uLXN5bm9ueW1zLXVzZXItcGFzc3dvcmQ=" } # non-synonyms-user
synonyms.put:
synonyms_set: test-synonyms
body:
synonyms_set:
- synonyms: "hello, hi"
id: "test-id"

---
"Get synonyms set - no manage_search_synonyms privilege":
- do:
catch: "forbidden"
headers: { Authorization: "Basic bm9uLXN5bm9ueW1zLXVzZXI6bm9uLXN5bm9ueW1zLXVzZXItcGFzc3dvcmQ=" } # non-synonyms-user
synonyms.get:
synonyms_set: test-synonyms

---
"Delete synonyms set - no manage_search_synonyms privilege":
- do:
catch: "forbidden"
headers: { Authorization: "Basic bm9uLXN5bm9ueW1zLXVzZXI6bm9uLXN5bm9ueW1zLXVzZXItcGFzc3dvcmQ=" } # non-synonyms-user
synonyms.delete:
synonyms_set: test-synonyms
---
"List synonyms sets - no manage_search_synonyms privilege":
- do:
catch: "forbidden"
headers: { Authorization: "Basic bm9uLXN5bm9ueW1zLXVzZXI6bm9uLXN5bm9ueW1zLXVzZXItcGFzc3dvcmQ=" } # non-synonyms-user
synonyms_sets.get: { }

---
"Update a synonyms rule - no manage_search_synonyms privilege":
- do:
catch: "forbidden"
headers: { Authorization: "Basic bm9uLXN5bm9ueW1zLXVzZXI6bm9uLXN5bm9ueW1zLXVzZXItcGFzc3dvcmQ=" } # non-synonyms-user
synonym_rule.put:
synonyms_set: "test-synonyms"
synonym_rule: "test-id-2"
body:
synonyms: "bye, goodbye, seeya"

---
"Get a synonym rule - no manage_search_synonyms privilege":
- do:
catch: "forbidden"
headers: { Authorization: "Basic bm9uLXN5bm9ueW1zLXVzZXI6bm9uLXN5bm9ueW1zLXVzZXItcGFzc3dvcmQ=" } # non-synonyms-user
synonym_rule.get:
synonyms_set: "test-synonyms"
synonym_rule: "test-id-2"

---
"Delete synonym rule - no manage_search_synonyms privilege":
- do:
catch: "forbidden"
headers: { Authorization: "Basic bm9uLXN5bm9ueW1zLXVzZXI6bm9uLXN5bm9ueW1zLXVzZXItcGFzc3dvcmQ=" } # non-synonyms-user
synonym_rule.delete:
synonyms_set: test-synonyms
synonym_rule: test-id-2