Skip to content

Commit

Permalink
minor updates
Browse files Browse the repository at this point in the history
  • Loading branch information
@jakelandis
jakelandis committed May 16, 2024
1 parent f0a7633 commit d27f2aa
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 12 deletions.
2 changes: 0 additions & 2 deletions ...k/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/Automatons.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -350,7 +350,6 @@ public static void addSettings(List<Setting<?>> settingsList) {
settingsList.add(CACHE_TTL);
}

// for testing only
private static Automaton maybeRecordPatterns(Automaton automaton, Collection<String> patterns) {
if (recordPatterns) {
patternsMap.put(
Expand All @@ -361,7 +360,6 @@ private static Automaton maybeRecordPatterns(Automaton automaton, Collection<Str
return automaton;
}

// for testing only
public static List<String> getPatterns(Automaton automaton) {
if (recordPatterns) {
return patternsMap.get(automaton);
Expand Down
24 changes: 14 additions & 10 deletions .../test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -152,16 +152,16 @@ public void testCrossClusterReplicationPrivileges() {
}

/**
* RCS 2.0 allows a single API key to define replication and search blocks. If both are defined, this results in an API key with 2
* RCS 2.0 allows a single API key to define "replication" and "search" blocks. If both are defined, this results in an API key with 2
* sets of indices permissions. Due to the way API keys (and roles) work across the multiple index permission, the set of index
* patterns allowed are effectively the most generous of the sets of index patterns since the index patterns are OR'ed together. For
* example, `foo` OR `*` results in access to `*`. So, if you have a search access defined as `foo`, but replication access defined
* as `*`, the API key effectively allows access to index pattern `*`. This means that across search and replication access, the action
* names used are the primary means by which we can constrain CCS to the set of search index patterns. For example, if replication
* allowed access to `indices:data/read/get` for `*` , then the replication permissions would effectively bleed over to search
* permissions since search allows `indices:data/read/*`. In that contrived example CCS could read documents thanks to the CCR
* privileges, irrespective of the expected search privileges. This obviously is not desirable and in practice when both search and
* replication are defined the isolation between CCS and CCR is only achieved because the action names for the workflows do not
* example, `foo` OR `*` results in access to `*`. So, if you have "search" access defined as `foo`, but replication access defined
* as `*`, the API key effectively allows access to index pattern `*`. This means that the access for API keys that define both
* "search" and "replication", the action names used are the primary means by which we can constrain CCS to the set of "search" indices
* as well as how we constrain CCR to the set "replication" indices. For example, if "replication" ever allowed access to
* `indices:data/read/get` for `*` , then the "replication" permissions would effectively enable users of CCS to get documents,
* even if "search" is never defined in the RCS 2.0 API key. This obviously is not desirable and in practice when both "search" and
* "replication" are defined the isolation between CCS and CCR is only achieved because the action names for the workflows do not
* overlap. This test helps to ensure that the actions names used for RCS 2.0 do not bleed over between search and replication.
*/
public void testRemoteClusterPrivsDoNotOverlap() {
Expand All @@ -171,6 +171,8 @@ public void testRemoteClusterPrivsDoNotOverlap() {
Arrays.stream(CCS_INDICES_PRIVILEGE_NAMES).forEach(ccsPrivilege -> {
Automaton ccsAutomaton = IndexPrivilege.get(Set.of(ccsPrivilege)).getAutomaton();
Automatons.getPatterns(ccsAutomaton).forEach(ccsPattern -> {
// emulate an action name that could be allowed by a CCS privilege
String actionName = ccsPattern.replaceAll("\\*", randomAlphaOfLengthBetween(1, 8));
Arrays.stream(CCR_INDICES_PRIVILEGE_NAMES).forEach(ccrPrivileges -> {
String errorMessage = String.format(
Locale.ROOT,
Expand All @@ -179,14 +181,16 @@ public void testRemoteClusterPrivsDoNotOverlap() {
ccrPrivileges,
ccsPattern
);
assertFalse(errorMessage, IndexPrivilege.get(Set.of(ccrPrivileges)).predicate.test(ccsPattern));
assertFalse(errorMessage, IndexPrivilege.get(Set.of(ccrPrivileges)).predicate.test(actionName));
});
});

// check that the action patterns for remote CCR are not allowed by remote CCS privileges
Arrays.stream(CCR_INDICES_PRIVILEGE_NAMES).forEach(ccrPrivilege -> {
Automaton ccrAutomaton = IndexPrivilege.get(Set.of(ccrPrivilege)).getAutomaton();
Automatons.getPatterns(ccrAutomaton).forEach(ccrPattern -> {
// emulate an action name that could be allowed by a CCR privilege
String actionName = ccrPattern.replaceAll("\\*", randomAlphaOfLengthBetween(1, 8));
Arrays.stream(CCS_INDICES_PRIVILEGE_NAMES).forEach(ccsPrivileges -> {
if ("indices:data/read/xpack/ccr/shard_changes*".equals(ccrPattern)) {
// do nothing, this action is only applicable to CCR workflows and is a moot point if CCS technically has
Expand All @@ -199,7 +203,7 @@ public void testRemoteClusterPrivsDoNotOverlap() {
ccsPrivileges,
ccrPattern
);
assertFalse(errorMessage, IndexPrivilege.get(Set.of(ccsPrivileges)).predicate.test(ccrPattern));
assertFalse(errorMessage, IndexPrivilege.get(Set.of(ccsPrivileges)).predicate.test(actionName));
}
});
});
Expand Down

0 comments on commit d27f2aa

Please sign in to comment.