Add manage_search_synonyms privilege#97853
Conversation
carlosdelest
added
>non-issue
Team:Enterprise Search
| reason: Introduced in 8.10.0 | ||
|
|
||
| - do: | ||
| security.put_user: |
There was a problem hiding this comment.
I wasn't able to use a roles.yml file / user setting for build.gradle. I'm sure I'm missing something, in the meanwhile adding users and roles via security API worked.
If you can help with another approach, that would be much appreciated 🙏
There was a problem hiding this comment.
Using APIs is fine. But it would be great if we pari the setup with a teardown part. Please see this file as an example.
There was a problem hiding this comment.
Done, thanks for the pointer!
There was a problem hiding this comment.
I created these tests in the core-rest-tests-with-security, as I haven't seen security related tests in the main rest-api-spec directory. Also, synonyms are part of the server module which has no security turned on by default on tests (as security is part of xpack).
Happy to move to a different directory structure if it makes more sense!
There was a problem hiding this comment.
I think it's fine to add it here. Again, if feature flag is still in play, we need to exclude this test for release builds. See this for an example.
There was a problem hiding this comment.
Included in the blacklist, thanks @ywangd !
elasticsearchmachine
added
needs:triage
mayya-sharipova
added
:Security/Security
elasticsearchmachine
added
Team:Search
|
Pinging @elastic/es-security (Team:Security) |
|
Pinging @elastic/es-search (Team:Search) |
kderusso
left a comment
kderusso
left a comment
There was a problem hiding this comment.
Overall LGTM with one question
| private static final Set<String> READ_SLM_PATTERN = Set.of(GetSnapshotLifecycleAction.NAME, GetStatusAction.NAME); | ||
|
|
||
| private static final Set<String> MANAGE_SEARCH_APPLICATION_PATTERN = Set.of("cluster:admin/xpack/application/search_application/*"); | ||
| private static final Set<String> MANAGE_SEARCH_SYNONYMS_PATTERN = Set.of("cluster:admin/synonyms/*", "cluster:admin/synonyms_sets/*"); |
There was a problem hiding this comment.
We want to make sure that we have search in the pattern for future "manage search" privileges.
Also, does this synonyms need two different permission patterns? I would think that if you have the permission to manage synonym sets, you have the permission to manage synonym rules, and vice versa. Would it make sense to simplify this to just something like cluster:admin/search/synonyms?
There was a problem hiding this comment.
Do we need to add admin/synonym_rules/*?
There was a problem hiding this comment.
We want to make sure that we have search in the pattern for future "manage search" privileges.
Is that needed? I think we can use something like CROSS_CLUSTER_REPLICATION where we use a set of privileges, and we don't need explicit naming prefix...
I think it's better to omit the search prefix as that it's not a pattern I see in other constants, and we don't need to have it in order to create a manage_search privilege. Not a strong opinion though, happy to change it.
Also, does this synonyms need two different permission patterns? I would think that if you have the permission to manage synonym sets, you have the permission to manage synonym rules, and vice versa. Would it make sense to simplify this to just something like cluster:admin/search/synonyms?
We have three different action types, regarding synonyms, synonyms sets and synonym rules. As managing synonyms grant you access to both, that's the meaning of using the set of actions here.
Do we need to add admin/synonym_rules/*?
🤦 yes, thanks!
There was a problem hiding this comment.
@kderusso , @mayya-sharipova , anything else that you want addressed here? Hopefully my responses above and the changes to add admin/synonym_rules/* did address your concerns. Please LMK!
| MANAGE_LOGSTASH_PIPELINES, | ||
| CANCEL_TASK, | ||
| MANAGE_SEARCH_APPLICATION, | ||
| MANAGE_SEARCH_SYNONYMS, |
There was a problem hiding this comment.
Is the synonyms feature still behind a feature flag? If so, we need to gate the new privilege with the feature flag (see 3 lines below for an example).
There was a problem hiding this comment.
Updated, thanks for the catch and the example!
| reason: Introduced in 8.10.0 | ||
|
|
||
| - do: | ||
| security.put_user: |
There was a problem hiding this comment.
Using APIs is fine. But it would be great if we pari the setup with a teardown part. Please see this file as an example.
There was a problem hiding this comment.
I think it's fine to add it here. Again, if feature flag is still in play, we need to exclude this test for release builds. See this for an example.
| "Create synonyms set - with manage_search_synonyms privilege": | ||
| - do: | ||
| headers: { Authorization: "Basic c3lub255bXMtdXNlcjpzeW5vbnltcy11c2VyLXBhc3N3b3Jk" } # synonyms-user | ||
| synonyms.put: | ||
| synonyms_set: test-synonyms | ||
| body: | ||
| synonyms_set: | ||
| - synonyms: "hello, hi" | ||
| id: "test-id" | ||
|
|
||
| - match: { result: "created" } |
There was a problem hiding this comment.
I think we should have more tests for the synonyms-user to show it can excercise most (if not all) actions similar to how non-synonyms-user is tested?
There was a problem hiding this comment.
Makes sense. I've split into two test files, one for testing unprivileged access and another for privileged access. LMKWYT!
| @@ -0,0 +1,111 @@ | |||
| setup: | |||
| - do: | ||
| security.put_user: | ||
| username: "non-synonyms-user" | ||
| body: | ||
| password: "non-synonyms-user-password" | ||
| roles : [ "non-synonyms-role" ] | ||
|
|
||
| - do: | ||
| security.put_role: | ||
| name: "non-synonyms-role" | ||
| body: | ||
| indices: | ||
| - names: ["*"] | ||
| privileges: [ "manage", "write", "read" ] |
There was a problem hiding this comment.
Nit: I think these user non-synonyms user and role can be removed since we now split the tests into 2 files? The same goes for the teardown part.
There was a problem hiding this comment.
🤦 Removing them, thanks for the catch!
|
@elasticsearchmachine update branch |
5 participants
Adds a
manage_search_synonymsprivilege for synonyms related actions.