
Commit 170d741

author
David Roberts
authored
[ML] Fix gaps in reserved roles tests (#37772)
Some of our newer endpoints and indices were missing from the tests.
1 parent 7692b60 commit 170d741


1 file changed

+57
-0
lines changed


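--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -44,14 +44,21 @@
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.core.ml.MlMetaIndex;
 import org.elasticsearch.xpack.core.ml.action.CloseJobAction;
+import org.elasticsearch.xpack.core.ml.action.DeleteCalendarAction;
+import org.elasticsearch.xpack.core.ml.action.DeleteCalendarEventAction;
 import org.elasticsearch.xpack.core.ml.action.DeleteDatafeedAction;
 import org.elasticsearch.xpack.core.ml.action.DeleteExpiredDataAction;
 import org.elasticsearch.xpack.core.ml.action.DeleteFilterAction;
+import org.elasticsearch.xpack.core.ml.action.DeleteForecastAction;
 import org.elasticsearch.xpack.core.ml.action.DeleteJobAction;
 import org.elasticsearch.xpack.core.ml.action.DeleteModelSnapshotAction;
 import org.elasticsearch.xpack.core.ml.action.FinalizeJobExecutionAction;
+import org.elasticsearch.xpack.core.ml.action.FindFileStructureAction;
 import org.elasticsearch.xpack.core.ml.action.FlushJobAction;
+import org.elasticsearch.xpack.core.ml.action.ForecastJobAction;
 import org.elasticsearch.xpack.core.ml.action.GetBucketsAction;
+import org.elasticsearch.xpack.core.ml.action.GetCalendarEventsAction;
+import org.elasticsearch.xpack.core.ml.action.GetCalendarsAction;
 import org.elasticsearch.xpack.core.ml.action.GetCategoriesAction;
 import org.elasticsearch.xpack.core.ml.action.GetDatafeedsAction;
 import org.elasticsearch.xpack.core.ml.action.GetDatafeedsStatsAction;
@@ -60,24 +67,32 @@
 import org.elasticsearch.xpack.core.ml.action.GetJobsAction;
 import org.elasticsearch.xpack.core.ml.action.GetJobsStatsAction;
 import org.elasticsearch.xpack.core.ml.action.GetModelSnapshotsAction;
+import org.elasticsearch.xpack.core.ml.action.GetOverallBucketsAction;
 import org.elasticsearch.xpack.core.ml.action.GetRecordsAction;
 import org.elasticsearch.xpack.core.ml.action.IsolateDatafeedAction;
 import org.elasticsearch.xpack.core.ml.action.KillProcessAction;
+import org.elasticsearch.xpack.core.ml.action.MlInfoAction;
 import org.elasticsearch.xpack.core.ml.action.OpenJobAction;
+import org.elasticsearch.xpack.core.ml.action.PersistJobAction;
+import org.elasticsearch.xpack.core.ml.action.PostCalendarEventsAction;
 import org.elasticsearch.xpack.core.ml.action.PostDataAction;
 import org.elasticsearch.xpack.core.ml.action.PreviewDatafeedAction;
+import org.elasticsearch.xpack.core.ml.action.PutCalendarAction;
 import org.elasticsearch.xpack.core.ml.action.PutDatafeedAction;
 import org.elasticsearch.xpack.core.ml.action.PutFilterAction;
 import org.elasticsearch.xpack.core.ml.action.PutJobAction;
 import org.elasticsearch.xpack.core.ml.action.RevertModelSnapshotAction;
 import org.elasticsearch.xpack.core.ml.action.StartDatafeedAction;
 import org.elasticsearch.xpack.core.ml.action.StopDatafeedAction;
+import org.elasticsearch.xpack.core.ml.action.UpdateCalendarJobAction;
 import org.elasticsearch.xpack.core.ml.action.UpdateDatafeedAction;
+import org.elasticsearch.xpack.core.ml.action.UpdateFilterAction;
 import org.elasticsearch.xpack.core.ml.action.UpdateJobAction;
 import org.elasticsearch.xpack.core.ml.action.UpdateModelSnapshotAction;
 import org.elasticsearch.xpack.core.ml.action.UpdateProcessAction;
 import org.elasticsearch.xpack.core.ml.action.ValidateDetectorAction;
 import org.elasticsearch.xpack.core.ml.action.ValidateJobConfigAction;
+import org.elasticsearch.xpack.core.ml.annotations.AnnotationIndex;
 import org.elasticsearch.xpack.core.ml.job.persistence.AnomalyDetectorsIndexFields;
 import org.elasticsearch.xpack.core.ml.notifications.AuditorField;
 import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
@@ -765,14 +780,21 @@ public void testMachineLearningAdminRole() {
 
 Role role = Role.builder(roleDescriptor, null).build();
 assertThat(role.cluster().check(CloseJobAction.NAME, request), is(true));
+assertThat(role.cluster().check(DeleteCalendarAction.NAME, request), is(true));
+assertThat(role.cluster().check(DeleteCalendarEventAction.NAME, request), is(true));
 assertThat(role.cluster().check(DeleteDatafeedAction.NAME, request), is(true));
 assertThat(role.cluster().check(DeleteExpiredDataAction.NAME, request), is(true));
 assertThat(role.cluster().check(DeleteFilterAction.NAME, request), is(true));
+assertThat(role.cluster().check(DeleteForecastAction.NAME, request), is(true));
 assertThat(role.cluster().check(DeleteJobAction.NAME, request), is(true));
 assertThat(role.cluster().check(DeleteModelSnapshotAction.NAME, request), is(true));
 assertThat(role.cluster().check(FinalizeJobExecutionAction.NAME, request), is(false)); // internal use only
+assertThat(role.cluster().check(FindFileStructureAction.NAME, request), is(true));
 assertThat(role.cluster().check(FlushJobAction.NAME, request), is(true));
+assertThat(role.cluster().check(ForecastJobAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetBucketsAction.NAME, request), is(true));
+assertThat(role.cluster().check(GetCalendarEventsAction.NAME, request), is(true));
+assertThat(role.cluster().check(GetCalendarsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetCategoriesAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetDatafeedsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetDatafeedsStatsAction.NAME, request), is(true));
@@ -781,19 +803,26 @@ public void testMachineLearningAdminRole() {
 assertThat(role.cluster().check(GetJobsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetJobsStatsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetModelSnapshotsAction.NAME, request), is(true));
+assertThat(role.cluster().check(GetOverallBucketsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetRecordsAction.NAME, request), is(true));
 assertThat(role.cluster().check(IsolateDatafeedAction.NAME, request), is(false)); // internal use only
 assertThat(role.cluster().check(KillProcessAction.NAME, request), is(false)); // internal use only
+assertThat(role.cluster().check(MlInfoAction.NAME, request), is(true));
 assertThat(role.cluster().check(OpenJobAction.NAME, request), is(true));
+assertThat(role.cluster().check(PersistJobAction.NAME, request), is(true));
+assertThat(role.cluster().check(PostCalendarEventsAction.NAME, request), is(true));
 assertThat(role.cluster().check(PostDataAction.NAME, request), is(true));
 assertThat(role.cluster().check(PreviewDatafeedAction.NAME, request), is(true));
+assertThat(role.cluster().check(PutCalendarAction.NAME, request), is(true));
 assertThat(role.cluster().check(PutDatafeedAction.NAME, request), is(true));
 assertThat(role.cluster().check(PutFilterAction.NAME, request), is(true));
 assertThat(role.cluster().check(PutJobAction.NAME, request), is(true));
 assertThat(role.cluster().check(RevertModelSnapshotAction.NAME, request), is(true));
 assertThat(role.cluster().check(StartDatafeedAction.NAME, request), is(true));
 assertThat(role.cluster().check(StopDatafeedAction.NAME, request), is(true));
+assertThat(role.cluster().check(UpdateCalendarJobAction.NAME, request), is(true));
 assertThat(role.cluster().check(UpdateDatafeedAction.NAME, request), is(true));
+assertThat(role.cluster().check(UpdateFilterAction.NAME, request), is(true));
 assertThat(role.cluster().check(UpdateJobAction.NAME, request), is(true));
 assertThat(role.cluster().check(UpdateModelSnapshotAction.NAME, request), is(true));
 assertThat(role.cluster().check(UpdateProcessAction.NAME, request), is(false)); // internal use only
@@ -802,10 +831,12 @@ public void testMachineLearningAdminRole() {
 assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false));
 
 assertNoAccessAllowed(role, "foo");
+assertNoAccessAllowed(role, AnomalyDetectorsIndexFields.CONFIG_INDEX); // internal use only
 assertOnlyReadAllowed(role, MlMetaIndex.INDEX_NAME);
 assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.STATE_INDEX_PREFIX);
 assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);
 assertOnlyReadAllowed(role, AuditorField.NOTIFICATIONS_INDEX);
+assertReadWriteDocsButNotDeleteIndexAllowed(role, AnnotationIndex.INDEX_NAME);
 
 assertNoAccessAllowed(role, RestrictedIndicesNames.NAMES_SET);
 }
@@ -819,14 +850,21 @@ public void testMachineLearningUserRole() {
 
 Role role = Role.builder(roleDescriptor, null).build();
 assertThat(role.cluster().check(CloseJobAction.NAME, request), is(false));
+assertThat(role.cluster().check(DeleteCalendarAction.NAME, request), is(false));
+assertThat(role.cluster().check(DeleteCalendarEventAction.NAME, request), is(false));
 assertThat(role.cluster().check(DeleteDatafeedAction.NAME, request), is(false));
 assertThat(role.cluster().check(DeleteExpiredDataAction.NAME, request), is(false));
 assertThat(role.cluster().check(DeleteFilterAction.NAME, request), is(false));
+assertThat(role.cluster().check(DeleteForecastAction.NAME, request), is(false));
 assertThat(role.cluster().check(DeleteJobAction.NAME, request), is(false));
 assertThat(role.cluster().check(DeleteModelSnapshotAction.NAME, request), is(false));
 assertThat(role.cluster().check(FinalizeJobExecutionAction.NAME, request), is(false));
+assertThat(role.cluster().check(FindFileStructureAction.NAME, request), is(true));
 assertThat(role.cluster().check(FlushJobAction.NAME, request), is(false));
+assertThat(role.cluster().check(ForecastJobAction.NAME, request), is(false));
 assertThat(role.cluster().check(GetBucketsAction.NAME, request), is(true));
+assertThat(role.cluster().check(GetCalendarEventsAction.NAME, request), is(true));
+assertThat(role.cluster().check(GetCalendarsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetCategoriesAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetDatafeedsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetDatafeedsStatsAction.NAME, request), is(true));
@@ -835,19 +873,26 @@ public void testMachineLearningUserRole() {
 assertThat(role.cluster().check(GetJobsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetJobsStatsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetModelSnapshotsAction.NAME, request), is(true));
+assertThat(role.cluster().check(GetOverallBucketsAction.NAME, request), is(true));
 assertThat(role.cluster().check(GetRecordsAction.NAME, request), is(true));
 assertThat(role.cluster().check(IsolateDatafeedAction.NAME, request), is(false));
 assertThat(role.cluster().check(KillProcessAction.NAME, request), is(false));
+assertThat(role.cluster().check(MlInfoAction.NAME, request), is(true));
 assertThat(role.cluster().check(OpenJobAction.NAME, request), is(false));
+assertThat(role.cluster().check(PersistJobAction.NAME, request), is(false));
+assertThat(role.cluster().check(PostCalendarEventsAction.NAME, request), is(false));
 assertThat(role.cluster().check(PostDataAction.NAME, request), is(false));
 assertThat(role.cluster().check(PreviewDatafeedAction.NAME, request), is(false));
+assertThat(role.cluster().check(PutCalendarAction.NAME, request), is(false));
 assertThat(role.cluster().check(PutDatafeedAction.NAME, request), is(false));
 assertThat(role.cluster().check(PutFilterAction.NAME, request), is(false));
 assertThat(role.cluster().check(PutJobAction.NAME, request), is(false));
 assertThat(role.cluster().check(RevertModelSnapshotAction.NAME, request), is(false));
 assertThat(role.cluster().check(StartDatafeedAction.NAME, request), is(false));
 assertThat(role.cluster().check(StopDatafeedAction.NAME, request), is(false));
+assertThat(role.cluster().check(UpdateCalendarJobAction.NAME, request), is(false));
 assertThat(role.cluster().check(UpdateDatafeedAction.NAME, request), is(false));
+assertThat(role.cluster().check(UpdateFilterAction.NAME, request), is(false));
 assertThat(role.cluster().check(UpdateJobAction.NAME, request), is(false));
 assertThat(role.cluster().check(UpdateModelSnapshotAction.NAME, request), is(false));
 assertThat(role.cluster().check(UpdateProcessAction.NAME, request), is(false));
@@ -856,10 +901,12 @@ public void testMachineLearningUserRole() {
 assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false));
 
 assertNoAccessAllowed(role, "foo");
+assertNoAccessAllowed(role, AnomalyDetectorsIndexFields.CONFIG_INDEX);
 assertNoAccessAllowed(role, MlMetaIndex.INDEX_NAME);
 assertNoAccessAllowed(role, AnomalyDetectorsIndexFields.STATE_INDEX_PREFIX);
 assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);
 assertOnlyReadAllowed(role, AuditorField.NOTIFICATIONS_INDEX);
+assertReadWriteDocsButNotDeleteIndexAllowed(role, AnnotationIndex.INDEX_NAME);
 
 assertNoAccessAllowed(role, RestrictedIndicesNames.NAMES_SET);
 }
@@ -923,6 +970,16 @@ public void testWatcherUserRole() {
 assertNoAccessAllowed(role, RestrictedIndicesNames.NAMES_SET);
 }
 
+private void assertReadWriteDocsButNotDeleteIndexAllowed(Role role, String index) {
+assertThat(role.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
+assertThat(role.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
+assertThat(role.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
+assertThat(role.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
+assertThat(role.indices().allowedIndicesMatcher(UpdateAction.NAME).test(index), is(true));
+assertThat(role.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
+assertThat(role.indices().allowedIndicesMatcher(BulkAction.NAME).test(index), is(true));
+}
+
 private void assertOnlyReadAllowed(Role role, String index) {
 assertThat(role.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
 assertThat(role.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false));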
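Review bot: The new helper `assertReadWriteDocsButNotDeleteIndexAllowed` (new lines 973–981) asserts only `DeleteIndexAction` as denied, so a later change that grants either ML role other index-administration actions on the annotations index would not fail this test. `assertOnlyReadAllowed` directly below it already checks `CreateIndexAction.NAME`; adding the same line to the new helper, `assertThat(role.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false));`, would pin that boundary, assuming the role definition (not shown in this diff) does not intend to grant index creation. The call in `testMachineLearningUserRole` (new line 909) also deserves a short comment stating that the otherwise read-only user role is deliberately allowed to index, update and delete annotation documents, in the same spirit as the `// internal use only` remarks on the admin assertions. The body of `assertOnlyReadAllowed` continues outside the last hunk.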
