elastic · bizybot · Oct 7, 2019 · Aug 21, 2019 · Aug 21, 2019 · Aug 21, 2019
diff --git a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc
@@ -95,6 +95,7 @@ A successful call returns an object with "cluster" and "index" fields.
   ],
   "index" : [
     "all",
+    "append_only",
     "create",
     "create_index",
     "delete",

diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -45,6 +45,8 @@ public final class IndexPrivilege extends Privilege {
             ClusterSearchShardsAction.NAME);
     private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", "indices:data/write/bulk*",
             PutMappingAction.NAME);
+    private static final Automaton APPEND_ONLY_AUTOMATON = Automatons.minusAndMinimize(CREATE_AUTOMATON,
+        patterns("indices:data/write/index:op_type/index"));
     private static final Automaton INDEX_AUTOMATON =
             patterns("indices:data/write/index*", "indices:data/write/bulk*", "indices:data/write/update*", PutMappingAction.NAME);
     private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*", "indices:data/write/bulk*");
@@ -68,6 +70,7 @@ public final class IndexPrivilege extends Privilege {
     public static final IndexPrivilege READ_CROSS_CLUSTER =  new IndexPrivilege("read_cross_cluster",  READ_CROSS_CLUSTER_AUTOMATON);
     public static final IndexPrivilege CREATE =              new IndexPrivilege("create",              CREATE_AUTOMATON);
     public static final IndexPrivilege INDEX =               new IndexPrivilege("index",               INDEX_AUTOMATON);
+    public static final IndexPrivilege APPEND_ONLY =         new IndexPrivilege("append_only",         APPEND_ONLY_AUTOMATON);
     public static final IndexPrivilege DELETE =              new IndexPrivilege("delete",              DELETE_AUTOMATON);
     public static final IndexPrivilege WRITE =               new IndexPrivilege("write",               WRITE_AUTOMATON);
     public static final IndexPrivilege MONITOR =             new IndexPrivilege("monitor",             MONITOR_AUTOMATON);
@@ -90,6 +93,7 @@ public final class IndexPrivilege extends Privilege {
             entry("delete", DELETE),
             entry("write", WRITE),
             entry("create", CREATE),
+            entry("append_only", APPEND_ONLY),
             entry("delete_index", DELETE_INDEX),
             entry("view_index_metadata", VIEW_METADATA),
             entry("read_cross_cluster", READ_CROSS_CLUSTER),

diff --git a/...n/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/...n/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -20,6 +20,7 @@
 import org.elasticsearch.action.bulk.TransportShardBulkAction;
 import org.elasticsearch.action.delete.DeleteAction;
 import org.elasticsearch.action.index.IndexAction;
+import org.elasticsearch.action.index.IndexRequest;
 import org.elasticsearch.action.support.GroupedActionListener;
 import org.elasticsearch.action.support.replication.TransportReplicationAction.ConcreteShardRequest;
 import org.elasticsearch.action.update.UpdateAction;
@@ -93,6 +94,8 @@ public class AuthorizationService {
     public static final String AUTHORIZATION_INFO_KEY = "_authz_info";
     private static final AuthorizationInfo SYSTEM_AUTHZ_INFO =
         () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { SystemUser.ROLE_NAME });
+    private static final String IMPLIED_INDEX_ACTION = IndexAction.NAME + ":op_type/index";
+    private static final String IMPLIED_CREATE_ACTION = IndexAction.NAME + ":op_type/create";
 
     private static final Logger logger = LogManager.getLogger(AuthorizationService.class);
 
@@ -536,8 +539,14 @@ private static String getAction(BulkItemRequest item) {
         final DocWriteRequest<?> docWriteRequest = item.request();
         switch (docWriteRequest.opType()) {
             case INDEX:
+                IndexRequest request = (IndexRequest) item.request();
+                if (request.getAutoGeneratedTimestamp() != IndexRequest.UNSET_AUTO_GENERATED_TIMESTAMP) {
+                    // it is auto generated so create is implied
+                    return IMPLIED_CREATE_ACTION;
+                }
+                return IMPLIED_INDEX_ACTION;
             case CREATE:
-                return IndexAction.NAME;
+                return IMPLIED_CREATE_ACTION;
             case UPDATE:
                 return UpdateAction.NAME;
             case DELETE:

diff --git a/...n/security/src/test/java/org/elasticsearch/integration/AppendOnlyIndexPrivilegeTests.java b/...n/security/src/test/java/org/elasticsearch/integration/AppendOnlyIndexPrivilegeTests.java
@@ -0,0 +1,108 @@
+/*
+ *
+ *  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ *  * or more contributor license agreements. Licensed under the Elastic License;
+ *  * you may not use this file except in compliance with the Elastic License.
+ *
+ */
+
+package org.elasticsearch.integration;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.xpack.core.security.authc.support.Hasher;
+import org.junit.Before;
+
+import java.io.IOException;
+
+public class AppendOnlyIndexPrivilegeTests extends AbstractPrivilegeTestCase {
+    private static final String INDEX_NAME = "index-1";
+    private static final String APPEND_ONLY_USER = "append_only_user";
+    private String jsonDoc = "{ \"name\" : \"elasticsearch\", \"body\": \"foo bar\" }";
+    private static final String ROLES =
+        "all_indices_role:\n" +
+            "  indices:\n" +
+            "    - names: '*'\n" +
+            "      privileges: [ all ]\n" +
+        "append_only_role:\n" +
+            "  indices:\n" +
+            "    - names: '*'\n" +
+            "      privileges: [ append_only ]\n";
+
+    private static final String USERS_ROLES =
+        "all_indices_role:admin\n" +
+        "append_only_role:" + APPEND_ONLY_USER + "\n";
+
+    @Override
+    protected boolean addMockHttpTransport() {
+        return false; // enable http
+    }
+
+    @Override
+    protected String configRoles() {
+        return super.configRoles() + "\n" + ROLES;
+    }
+
+    @Override
+    protected String configUsers() {
+        final String usersPasswdHashed = new String(Hasher.resolve(
+            randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(new SecureString("passwd".toCharArray())));
+
+        return super.configUsers() +
+            "admin:" + usersPasswdHashed + "\n" +
+            "append_only_user:" + usersPasswdHashed + "\n";
+    }
+
+    @Override
+    protected String configUsersRoles() {
+        return super.configUsersRoles() + USERS_ROLES;
+    }
+
+    @Before
+    public void insertBaseDocumentsAsAdmin() throws Exception {
+        Request request = new Request("PUT", "/" + INDEX_NAME + "/_doc/1");
+        request.setJsonEntity(jsonDoc);
+        request.addParameter("refresh", "true");
+        assertAccessIsAllowed("admin", request);
+    }
+
+    public void testAppendOnlyUserCanIndexNewDocumentsWithAutoGeneratedId() throws IOException {
+        assertAccessIsAllowed(APPEND_ONLY_USER, "POST", "/" + INDEX_NAME + "/_doc", "{ \"foo\" : \"bar\" }");
+    }
+
+    public void testAppendOnlyUserCanIndexNewDocumentsWithExternalIdAndOpTypeIsCreate() throws IOException {
+        assertAccessIsAllowed(APPEND_ONLY_USER, "PUT", "/" + INDEX_NAME + "/_doc/2?op_type=create", "{ \"foo\" : \"bar\" }");
+    }
+
+    public void testAppendOnlyUserIsDeniedToIndexNewDocumentsWithExternalIdAndOpTypeIsIndex() throws IOException {
+        assertAccessIsDenied(APPEND_ONLY_USER, "PUT", "/" + INDEX_NAME + "/_doc/3", "{ \"foo\" : \"bar\" }");
+    }
+
+    public void testAppendOnlyUserIsDeniedToIndexUpdatesToExistingDocument() throws IOException {
+        assertAccessIsDenied(APPEND_ONLY_USER, "POST", "/" + INDEX_NAME + "/_doc/1/_update", "{ \"doc\" : { \"foo\" : \"baz\" } }");
+        assertAccessIsDenied(APPEND_ONLY_USER, "PUT", "/" + INDEX_NAME + "/_doc/1", "{ \"foo\" : \"baz\" }");
+    }
+
+    public void testAppendOnlyUserCanIndexNewDocumentsWithAutoGeneratedIdUsingBulkApi() throws IOException {
+        assertAccessIsAllowed(APPEND_ONLY_USER, randomFrom("PUT", "POST"),
+            "/" + INDEX_NAME + "/_bulk", "{ \"index\" : { } }\n{ \"foo\" : \"bar\" }\n");
+    }
+
+    public void testAppendOnlyUserCanIndexNewDocumentsWithExternalIdAndOpTypeIsCreateUsingBulkApi() throws IOException {
+        assertAccessIsAllowed(APPEND_ONLY_USER, randomFrom("PUT", "POST"),
+            "/" + INDEX_NAME + "/_bulk", "{ \"create\" : { \"_id\" : \"4\" } }\n{ \"foo\" : \"bar\" }\n");
+    }
+
+    public void testAppendOnlyUserIsDeniedToIndexNewDocumentsWithExternalIdAndOpTypeIsIndexUsingBulkApi() throws IOException {
+        assertBodyHasAccessIsDenied(APPEND_ONLY_USER, randomFrom("PUT", "POST"),
+            "/" + INDEX_NAME + "/_bulk", "{ \"index\" : { \"_id\" : \"5\" } }\n{ \"foo\" : \"bar\" }\n");
+    }
+
+    public void testAppendOnlyUserIsDeniedToIndexUpdatesToExistingDocumentUsingBulkApi() throws IOException {
+        assertBodyHasAccessIsDenied(APPEND_ONLY_USER, randomFrom("PUT", "POST"),
+            "/" + INDEX_NAME + "/_bulk", "{ \"index\" : { \"_id\" : \"1\" } }\n{ \"doc\" : {\"foo\" : \"bazbaz\"} }\n");
+        assertBodyHasAccessIsDenied(APPEND_ONLY_USER, randomFrom("PUT", "POST"),
+            "/" + INDEX_NAME + "/_bulk", "{ \"update\" : { \"_id\" : \"1\" } }\n{ \"doc\" : {\"foo\" : \"bazbaz\"} }\n");
+    }
+
+}
diff --git a/...urity/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/...urity/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -1189,16 +1189,16 @@ public void testAuthorizationOfIndividualBulkItems() throws IOException {
                 eq(DeleteAction.NAME), eq("alias-2"), eq(BulkItemRequest.class.getSimpleName()),
                 eq(request.remoteAddress()), authzInfoRoles(new String[] { role.getName() }));
         verify(auditTrail).explicitIndexAccessEvent(eq(requestId), eq(AuditLevel.ACCESS_GRANTED), eq(authentication),
-                eq(IndexAction.NAME), eq("concrete-index"), eq(BulkItemRequest.class.getSimpleName()),
+                eq(IndexAction.NAME + ":op_type/index"), eq("concrete-index"), eq(BulkItemRequest.class.getSimpleName()),
                 eq(request.remoteAddress()), authzInfoRoles(new String[] { role.getName() }));
         verify(auditTrail).explicitIndexAccessEvent(eq(requestId), eq(AuditLevel.ACCESS_GRANTED), eq(authentication),
-                eq(IndexAction.NAME), eq("alias-1"), eq(BulkItemRequest.class.getSimpleName()),
+                eq(IndexAction.NAME + ":op_type/index"), eq("alias-1"), eq(BulkItemRequest.class.getSimpleName()),
                 eq(request.remoteAddress()), authzInfoRoles(new String[] { role.getName() }));
         verify(auditTrail).explicitIndexAccessEvent(eq(requestId), eq(AuditLevel.ACCESS_DENIED), eq(authentication),
                 eq(DeleteAction.NAME), eq("alias-1"), eq(BulkItemRequest.class.getSimpleName()),
                 eq(request.remoteAddress()), authzInfoRoles(new String[] { role.getName() }));
         verify(auditTrail).explicitIndexAccessEvent(eq(requestId), eq(AuditLevel.ACCESS_DENIED), eq(authentication),
-                eq(IndexAction.NAME), eq("alias-2"), eq(BulkItemRequest.class.getSimpleName()),
+                eq(IndexAction.NAME + ":op_type/index"), eq("alias-2"), eq(BulkItemRequest.class.getSimpleName()),
                 eq(request.remoteAddress()), authzInfoRoles(new String[] { role.getName() }));
         verify(auditTrail).accessGranted(eq(requestId), eq(authentication), eq(action), eq(request),
             authzInfoRoles(new String[] { role.getName() })); // bulk request is allowed
@@ -1232,7 +1232,7 @@ public void testAuthorizationOfIndividualBulkItemsWithDateMath() throws IOExcept
                 eq(DeleteAction.NAME), Matchers.startsWith("datemath-"), eq(BulkItemRequest.class.getSimpleName()),
                 eq(request.remoteAddress()), authzInfoRoles(new String[] { role.getName() }));
         verify(auditTrail, times(2)).explicitIndexAccessEvent(eq(requestId), eq(AuditLevel.ACCESS_GRANTED), eq(authentication),
-                eq(IndexAction.NAME), Matchers.startsWith("datemath-"), eq(BulkItemRequest.class.getSimpleName()),
+                eq(IndexAction.NAME + ":op_type/index"), Matchers.startsWith("datemath-"), eq(BulkItemRequest.class.getSimpleName()),
                 eq(request.remoteAddress()), authzInfoRoles(new String[] { role.getName() }));
         // bulk request is allowed
         verify(auditTrail).accessGranted(eq(requestId), eq(authentication), eq(action), eq(request),

diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml
@@ -15,5 +15,5 @@ setup:
   # This is fragile - it needs to be updated every time we add a new cluster/index privilege
   # I would much prefer we could just check that specific entries are in the array, but we don't have
   # an assertion for that
-  - length: { "cluster" : 30 }
-  - length: { "index" : 16 }
+  - length: { "cluster" : 31 }
+  - length: { "index" : 17 }