From 61cd08266c25e238f2047ce05c8f4eee1a14ce80 Mon Sep 17 00:00:00 2001 From: Tim Brooks Date: Tue, 15 Jan 2019 15:41:00 -0700 Subject: [PATCH] Allow system privilege to execute proxied actions Currently all proxied actions are denied for the `SystemPrivilege`. Unfortunately, there are use cases (CCR) where we would like to proxy actions to a remote node that are normally performed by the system context. This commit allows the system context to perform proxy actions if they are actions that the system context is normally allowed to execute. --- .../transport/TransportActionProxy.java | 8 +++++ .../authz/privilege/SystemPrivilege.java | 35 ++++++++++++------- .../authz/privilege/PrivilegeTests.java | 1 + 3 files changed, 31 insertions(+), 13 deletions(-) diff --git a/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java b/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java index a5b926249f8e2..e1e3c25f083cf 100644 --- a/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java +++ b/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java @@ -175,6 +175,14 @@ public static TransportRequest unwrapRequest(TransportRequest request) { return request; } + /** + * Unwraps a proxy action and returns the underlying action + */ + public static String unwrapAction(String action) { + assert isProxyAction(action) : "Attempted to unwrap non-proxy action: " + action; + return action.substring(PROXY_ACTION_PREFIX.length()); + } + /** * Returns true iff the given action is a proxy action */ diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java index c673b8ee3276c..ca8318212c9ee 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java @@ -5,6 +5,7 @@ */ package org.elasticsearch.xpack.core.security.authz.privilege; +import org.elasticsearch.transport.TransportActionProxy; import org.elasticsearch.xpack.core.security.support.Automatons; import java.util.Collections; @@ -14,19 +15,27 @@ public final class SystemPrivilege extends Privilege { public static SystemPrivilege INSTANCE = new SystemPrivilege(); - private static final Predicate PREDICATE = Automatons.predicate(Automatons. - minusAndMinimize(Automatons.patterns( - "internal:*", - "indices:monitor/*", // added for monitoring - "cluster:monitor/*", // added for monitoring - "cluster:admin/bootstrap/*", // for the bootstrap service - "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener - "indices:admin/mapping/put", // needed for recovery and shrink api - "indices:admin/template/put", // needed for the TemplateUpgradeService - "indices:admin/template/delete", // needed for the TemplateUpgradeService - "indices:admin/seq_no/global_checkpoint_sync*", // needed for global checkpoint syncs - "indices:admin/settings/update" // needed for DiskThresholdMonitor.markIndicesReadOnly - ), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user! + private static final Predicate ALLOWED_ACTIONS = Automatons.predicate( + "internal:*", + "indices:monitor/*", // added for monitoring + "cluster:monitor/*", // added for monitoring + "cluster:admin/bootstrap/*", // for the bootstrap service + "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener + "indices:admin/mapping/put", // needed for recovery and shrink api + "indices:admin/template/put", // needed for the TemplateUpgradeService + "indices:admin/template/delete", // needed for the TemplateUpgradeService + "indices:admin/seq_no/global_checkpoint_sync*", // needed for global checkpoint syncs + "indices:admin/settings/update" // needed for DiskThresholdMonitor.markIndicesReadOnly + ); + + private static final Predicate PREDICATE = (action) -> { + // Only allow a proxy action if the underlying action is allowed + if (TransportActionProxy.isProxyAction(action)) { + return ALLOWED_ACTIONS.test(TransportActionProxy.unwrapAction(action)); + } else { + return ALLOWED_ACTIONS.test(action); + } + }; private SystemPrivilege() { super(Collections.singleton("internal")); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java index 58432cdf6c79e..1484e7a878141 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java @@ -123,6 +123,7 @@ public void testSystem() throws Exception { assertThat(predicate.test("indices:admin/mapping/put"), is(true)); assertThat(predicate.test("indices:admin/mapping/whatever"), is(false)); assertThat(predicate.test("internal:transport/proxy/indices:data/read/query"), is(false)); + assertThat(predicate.test("internal:transport/proxy/indices:monitor/whatever"), is(true)); assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync"), is(true)); assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[p]"), is(true)); assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[r]"), is(true));