Skip to content

Support roles with application privileges against wildcard applications#40398

Merged
tvernum merged 6 commits intoelastic:masterfrom
tvernum:app-priv-wildcard
Mar 29, 2019
Merged

Support roles with application privileges against wildcard applications#40398
tvernum merged 6 commits intoelastic:masterfrom
tvernum:app-priv-wildcard

Conversation

@tvernum
Copy link
Copy Markdown
Contributor

@tvernum tvernum commented Mar 25, 2019

This commit introduces 2 changes to application privileges:

  1. The validation rules now accept a wildcard in the "suffix" of an application name.
    Wildcards were always accepted in the application name, but the "valid filename" check
    for the suffix incorrectly prevented the use of wildcards there.

  2. A role may now be defined against a wildcard application (e.g. kibana-*) and this will
    be correctly treated as granting the named privileges against all named applications.
    This does not allow wildcard application names in the body of a "has-privileges" check, but the
    "has-privileges" check can test concrete application names against roles with wildcards.

@tvernum tvernum added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.2.0 labels Mar 25, 2019
@elasticmachine
Copy link
Copy Markdown
Collaborator

elasticmachine commented Mar 25, 2019

Pinging @elastic/es-security

@tvernum
Copy link
Copy Markdown
Contributor Author

tvernum commented Mar 25, 2019

@kobelb
Can you give this a spin and check it covers all the use cases you needed.

@kobelb kobelb mentioned this pull request Mar 26, 2019
Closed
albertzaharovits
albertzaharovits approved these changes Mar 27, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kobelb
Copy link
Copy Markdown
Contributor

kobelb commented Mar 27, 2019

Can you give this a spin and check it covers all the use cases you needed.

This is working great for our use-cases, I created elastic/kibana#33892 which consumes these changes and CI is looking good.

@tvernum
Copy link
Copy Markdown
Contributor Author

tvernum commented Mar 29, 2019

Ping @bizybot

bizybot
bizybot approved these changes Mar 29, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@bizybot bizybot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thank you.

@tvernum tvernum merged commit 1f392a7 into elastic:master Mar 29, 2019
@tvernum tvernum deleted the app-priv-wildcard branch March 29, 2019 07:07
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Mar 29, 2019
@jasontedor
Merge remote-tracking branch 'elastic/master' into bundled-usage
1694311 
* elastic/master: (77 commits)
  Update ingest jdocs that a null return value will drop the current document. (elastic#40359)
  Remove -Xlint exclusions in the ingest-common module. (elastic#40505)
  Update docs for the DFR similarity (elastic#40579)
  Fix merging of search_as_you_type field mapper (elastic#40593)
  Support roles with application privileges against wildcard applications (elastic#40398)
  Remove obsolete security settings (elastic#40496)
  Remove Gradle deprecation warnings (elastic#40449)
  Run the build integ test in parallel (elastic#39788)
  Fix 3rd pary S3 tests (elastic#40588)
  lower bwc skip for search as you type (elastic#40599)
  Muting XContentParserTests#testSubParserArray
  Fixing typo in test error message (elastic#40611)
  Update max dims for vectors to 1024. (elastic#40597)
  Add start and stop time to cat recovery API (elastic#40378)
  [DOCS] Correct keystore commands for Email and Jira actions in Watcher (elastic#40417)
  [DOCS] Document common settings for snapshot repository plugins (elastic#40475)
  Remove with(out)-system-key tests (elastic#40547)
  Geo Point parse error fix (elastic#40447)
  Handle null retention leases in WaitForNoFollowersStep (elastic#40477)
  [DOCS] Adds anchors for ruby client (elastic#39867)
  ...
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Mar 29, 2019
@jasontedor
Merge remote-tracking branch 'elastic/master' into cat-recovery-bytes
f999a77 
* elastic/master: (129 commits)
  Update ingest jdocs that a null return value will drop the current document. (elastic#40359)
  Remove -Xlint exclusions in the ingest-common module. (elastic#40505)
  Update docs for the DFR similarity (elastic#40579)
  Fix merging of search_as_you_type field mapper (elastic#40593)
  Support roles with application privileges against wildcard applications (elastic#40398)
  Remove obsolete security settings (elastic#40496)
  Remove Gradle deprecation warnings (elastic#40449)
  Run the build integ test in parallel (elastic#39788)
  Fix 3rd pary S3 tests (elastic#40588)
  lower bwc skip for search as you type (elastic#40599)
  Muting XContentParserTests#testSubParserArray
  Fixing typo in test error message (elastic#40611)
  Update max dims for vectors to 1024. (elastic#40597)
  Add start and stop time to cat recovery API (elastic#40378)
  [DOCS] Correct keystore commands for Email and Jira actions in Watcher (elastic#40417)
  [DOCS] Document common settings for snapshot repository plugins (elastic#40475)
  Remove with(out)-system-key tests (elastic#40547)
  Geo Point parse error fix (elastic#40447)
  Handle null retention leases in WaitForNoFollowersStep (elastic#40477)
  [DOCS] Adds anchors for ruby client (elastic#39867)
  ...
tvernum added a commit to tvernum/elasticsearch that referenced this pull request Apr 1, 2019
@tvernum
Support roles with application privileges against wildcard applications
0fbd63a 
This commit introduces 2 changes to application privileges:

- The validation rules now accept a wildcard in the "suffix" of an application name.
  Wildcards were always accepted in the application name, but the "valid filename" check
  for the suffix incorrectly prevented the use of wildcards there.

- A role may now be defined against a wildcard application (e.g. kibana-*) and this will
  be correctly treated as granting the named privileges against all named applications.
  This does not allow wildcard application names in the body of a "has-privileges" check, but the
  "has-privileges" check can test concrete application names against roles with wildcards.

Backport of: elastic#40398
@tvernum tvernum mentioned this pull request Apr 1, 2019
Merged
tvernum added a commit that referenced this pull request Apr 2, 2019
@tvernum
Support roles with application privileges against wildcard applicatio…
7bdd413 
…ns (#40675)

This commit introduces 2 changes to application privileges:

- The validation rules now accept a wildcard in the "suffix" of an application name.
  Wildcards were always accepted in the application name, but the "valid filename" check
  for the suffix incorrectly prevented the use of wildcards there.

- A role may now be defined against a wildcard application (e.g. kibana-*) and this will
  be correctly treated as granting the named privileges against all named applications.
  This does not allow wildcard application names in the body of a "has-privileges" check, but the
  "has-privileges" check can test concrete application names against roles with wildcards.

Backport of: #40398
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@albertzaharovits albertzaharovits albertzaharovits approved these changes

+1 more reviewer

@bizybot bizybot bizybot approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

>enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v7.2.0 v8.0.0-alpha1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@tvernum @elasticmachine @kobelb @bizybot @albertzaharovits @jakelandis