Replace superuser role for API keys (#81977) #82650

Merged
ywangd merged 5 commits into elastic:8.0 from ywangd:api-key-superuser-role-fix-8.0
Jan 17, 2022
@ywangd (Member) commented Jan 17, 2022

This PR replaces the superuser role of an API key with the new limited
superuser role to prevent write access to system indices.

The replacement should only happen to the builtin superuser role.
If there is a user-created role that has the exact same definition as
the superuser role, it will not be replaced because we consider that users
have explicitly opted in to ALL access in this scenario.

Relates: #81400

@ywangd ywangd added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC backport labels Jan 17, 2022
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jan 17, 2022
@elasticmachine (Collaborator)

Pinging @elastic/es-security (Team:Security)

@ywangd ywangd merged commit df4337d into elastic:8.0 Jan 17, 2022

Labels

backport :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v8.0.0
