buildFromRoleDescriptor uses application privilege look up#91152
buildFromRoleDescriptor uses application privilege look up#91152n1v0lg merged 13 commits intoelastic:mainfrom
buildFromRoleDescriptor uses application privilege look up#91152Conversation
n1v0lg
added
>non-issue
:Security/Security
| final Role role = future.actionGet(); | ||
| assertThat(role.names(), arrayContaining("superuser")); | ||
| assertThat(role.application().getApplicationNames(), containsInAnyOrder("*")); | ||
| assertThat( |
There was a problem hiding this comment.
We test this elsewhere (e.g., in 30_superuser) but seems like an appropriate addition here
n1v0lg
changed the title
buildFromRoleDescriptor supports application privilege looupbuildFromRoleDescriptor uses application privilege look up
|
Pinging @elastic/es-security (Team:Security) |
ywangd
left a comment
ywangd
left a comment
There was a problem hiding this comment.
LGTM thanks for working on this.
It would be great if we can exclusively use ApplicationPrivilege.get in place of the constructors. But it can be a future item.
| RESTRICTED_INDICES | ||
| RESTRICTED_INDICES, | ||
| List.of( | ||
| new ApplicationPrivilegeDescriptor("kibana-*", "reserved_monitoring", Set.of(allowedApplicationActionPattern), Map.of()) |
There was a problem hiding this comment.
Stored application privilege must have concrete application name. Are there test failures that prevent you from using something like kibana-kibana instead of kibana-*? It will be a bug if that is the case.
There was a problem hiding this comment.
Good point. I can make this work for sure. kibana-kibana doesn't do it because we randomize the application name in the assertions below, but using the randomized application name does the trick.
| new FieldPermissionsCache(Settings.EMPTY), | ||
| RESTRICTED_INDICES, | ||
| List.of( | ||
| new ApplicationPrivilegeDescriptor("kibana-*", "reserved_ml_apm_user", Set.of(allowedApplicationActionPattern), Map.of()) |
| roleDescriptor, | ||
| new FieldPermissionsCache(Settings.EMPTY), | ||
| RESTRICTED_INDICES, | ||
| List.of(new ApplicationPrivilegeDescriptor("kibana-*", "reserved_ml_admin", Set.of(allowedApplicationActionPattern), Map.of())) |
There was a problem hiding this comment.
Here as well and a few other places below. I won't be commenting for all of them since it is quite repetitive.
Yup, one more PR coming to do this 👍 |
3 participants
Building a role from a single role descriptor previously only worked
correctly for application privileges with wildcard patterns. This PR
adds support for concrete name look up and ports the relevant tests.
Relates: #91107 (comment)