elastic · elasticsearchmachine · Aug 9, 2024 · Jul 18, 2024 · Jul 18, 2024 · Jul 19, 2024
diff --git a/...rg/elasticsearch/xpack/core/security/action/apikey/CreateApiKeyRequestBuilderFactory.java b/...rg/elasticsearch/xpack/core/security/action/apikey/CreateApiKeyRequestBuilderFactory.java
@@ -10,12 +10,11 @@
 import org.elasticsearch.client.internal.Client;
 
 public interface CreateApiKeyRequestBuilderFactory {
-    CreateApiKeyRequestBuilder create(Client client, boolean restrictRequest);
+    CreateApiKeyRequestBuilder create(Client client);
 
     class Default implements CreateApiKeyRequestBuilderFactory {
         @Override
-        public CreateApiKeyRequestBuilder create(Client client, boolean restrictRequest) {
-            assert false == restrictRequest;
+        public CreateApiKeyRequestBuilder create(Client client) {
             return new CreateApiKeyRequestBuilder(client);
         }
     }

diff --git a/...icsearch/xpack/core/security/action/privilege/GetBuiltinPrivilegesResponseTranslator.java b/...icsearch/xpack/core/security/action/privilege/GetBuiltinPrivilegesResponseTranslator.java
@@ -9,11 +9,10 @@
 
 public interface GetBuiltinPrivilegesResponseTranslator {
 
-    GetBuiltinPrivilegesResponse translate(GetBuiltinPrivilegesResponse response, boolean restrictResponse);
+    GetBuiltinPrivilegesResponse translate(GetBuiltinPrivilegesResponse response);
 
     class Default implements GetBuiltinPrivilegesResponseTranslator {
-        public GetBuiltinPrivilegesResponse translate(GetBuiltinPrivilegesResponse response, boolean restrictResponse) {
-            assert false == restrictResponse;
+        public GetBuiltinPrivilegesResponse translate(GetBuiltinPrivilegesResponse response) {
             return response;
         }
     }

diff --git a/.../core/src/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequest.java b/.../core/src/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequest.java
@@ -45,7 +45,6 @@ public class PutRoleRequest extends ActionRequest {
     private Map<String, Object> metadata;
     private List<RoleDescriptor.RemoteIndicesPrivileges> remoteIndicesPrivileges = new ArrayList<>();
     private RemoteClusterPermissions remoteClusterPermissions = RemoteClusterPermissions.NONE;
-    private boolean restrictRequest = false;
     private String description;
 
     public PutRoleRequest() {}
@@ -84,14 +83,6 @@ public void addRemoteIndex(RoleDescriptor.RemoteIndicesPrivileges... privileges)
         remoteIndicesPrivileges.addAll(Arrays.asList(privileges));
     }
 
-    public void restrictRequest(boolean restrictRequest) {
-        this.restrictRequest = restrictRequest;
-    }
-
-    public boolean restrictRequest() {
-        return restrictRequest;
-    }
-
     public void putRemoteCluster(RemoteClusterPermissions remoteClusterPermissions) {
         this.remoteClusterPermissions = remoteClusterPermissions;
     }

diff --git a/.../java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequestBuilderFactory.java b/.../java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequestBuilderFactory.java
@@ -10,13 +10,11 @@
 import org.elasticsearch.client.internal.Client;
 
 public interface PutRoleRequestBuilderFactory {
-    PutRoleRequestBuilder create(Client client, boolean restrictRequest);
+    PutRoleRequestBuilder create(Client client);
 
     class Default implements PutRoleRequestBuilderFactory {
         @Override
-        public PutRoleRequestBuilder create(Client client, boolean restrictRequest) {
-            // by default, we don't apply extra restrictions to Put Role requests and don't require checks against file-based roles
-            // these dependencies are only used by our stateless implementation
+        public PutRoleRequestBuilder create(Client client) {
             return new PutRoleRequestBuilder(client);
         }
     }

diff --git a/...main/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyAction.java b/...main/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyAction.java
@@ -55,8 +55,7 @@ public String getName() {
 
     @Override
     protected RestChannelConsumer innerPrepareRequest(final RestRequest request, final NodeClient client) throws IOException {
-        CreateApiKeyRequestBuilder builder = builderFactory.create(client, request.hasParam(RestRequest.PATH_RESTRICTED))
-            .source(request.requiredContent(), request.getXContentType());
+        CreateApiKeyRequestBuilder builder = builderFactory.create(client).source(request.requiredContent(), request.getXContentType());
         String refresh = request.param("refresh");
         if (refresh != null) {
             builder.setRefreshPolicy(WriteRequest.RefreshPolicy.parse(request.param("refresh")));

diff --git a/...rg/elasticsearch/xpack/security/rest/action/privilege/RestGetBuiltinPrivilegesAction.java b/...rg/elasticsearch/xpack/security/rest/action/privilege/RestGetBuiltinPrivilegesAction.java
@@ -62,14 +62,13 @@ public String getName() {
 
     @Override
     public RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException {
-        final boolean restrictResponse = request.hasParam(RestRequest.PATH_RESTRICTED);
         return channel -> client.execute(
             GetBuiltinPrivilegesAction.INSTANCE,
             new GetBuiltinPrivilegesRequest(),
             new RestBuilderListener<>(channel) {
                 @Override
                 public RestResponse buildResponse(GetBuiltinPrivilegesResponse response, XContentBuilder builder) throws Exception {
-                    final var translatedResponse = responseTranslator.translate(response, restrictResponse);
+                    final var translatedResponse = responseTranslator.translate(response);
                     builder.startObject();
                     builder.array("cluster", translatedResponse.getClusterPrivileges());
                     builder.array("index", translatedResponse.getIndexPrivileges());

diff --git a/...ty/src/main/java/org/elasticsearch/xpack/security/rest/action/role/RestPutRoleAction.java b/...ty/src/main/java/org/elasticsearch/xpack/security/rest/action/role/RestPutRoleAction.java
@@ -55,8 +55,7 @@ public String getName() {
 
     @Override
     public RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException {
-        final boolean restrictRequest = request.hasParam(RestRequest.PATH_RESTRICTED);
-        final PutRoleRequestBuilder requestBuilder = builderFactory.create(client, restrictRequest)
+        final PutRoleRequestBuilder requestBuilder = builderFactory.create(client)
             .source(request.param("name"), request.requiredContent(), request.getXContentType())
             .setRefreshPolicy(request.param("refresh"));
         return channel -> requestBuilder.execute(new RestBuilderListener<>(channel) {

diff --git a/...plugin/src/yamlRestTest/resources/rest-api-spec/test/api_key/40_view_role_descriptors.yml b/...plugin/src/yamlRestTest/resources/rest-api-spec/test/api_key/40_view_role_descriptors.yml
@@ -21,7 +21,7 @@ setup:
               ],
               "applications": [
                 {
-                  "application": "myapp",
+                  "application": "apm",
                   "privileges": ["*"],
                   "resources": ["*"]
                 }
@@ -497,7 +497,7 @@ teardown:
       ],
       "applications" : [
         {
-          "application" : "myapp",
+          "application" : "apm",
           "privileges" : [
             "*"
           ],

diff --git a/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/api_key/60_admin_user.yml b/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/api_key/60_admin_user.yml
@@ -15,14 +15,14 @@ setup:
       security.put_privileges:
         body: >
           {
-            "myapp": {
+            "apm": {
               "read": {
-                "application": "myapp",
+                "application": "apm",
                 "name": "read",
                 "actions": [ "data:read/*" ]
               },
               "write": {
-                "application": "myapp",
+                "application": "apm",
                 "name": "write",
                 "actions": [ "data:write/*" ]
               }
@@ -33,7 +33,7 @@ setup:
 teardown:
   - do:
       security.delete_privileges:
-        application: myapp
+        application: apm
         name: "read,write"
         ignore: 404
 
@@ -254,7 +254,7 @@ teardown:
                   ],
                   "applications": [
                     {
-                      "application": "myapp",
+                      "application": "apm",
                       "privileges": ["read"],
                       "resources": ["*"]
                     }
@@ -299,7 +299,7 @@ teardown:
             ],
             "application": [
               {
-                "application" : "myapp",
+                "application" : "apm",
                 "resources" : [ "*", "some-other-res" ],
                 "privileges" : [ "data:read/me", "data:write/me" ]
               }
@@ -324,7 +324,7 @@ teardown:
       }
     } }
   - match: { "application" : {
-      "myapp" : {
+      "apm" : {
         "*" : {
           "data:read/me" : true,
           "data:write/me" : false