Add manage_slm and read_slm roles (#41607)

* Add `manage_slm` and `read_slm` roles This adds two more built in roles - `manage_slm` which has permission to perform any of the SLM actions, as well as stopping, starting, and retrieving the operation status of ILM. `read_slm` which has permission to retrieve snapshot lifecycle policies as well as retrieving the operation status of ILM. Relates to #38461 * Add execute to the test * Fix ilm -> slm typo in test
elastic · Apr 29, 2019 · acc3749 · acc3749
1 parent d63d521
commit acc3749
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/...src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java b/...src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilege.java
@@ -14,10 +14,13 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.xpack.core.indexlifecycle.action.GetLifecycleAction;
 import org.elasticsearch.xpack.core.indexlifecycle.action.GetStatusAction;
+import org.elasticsearch.xpack.core.indexlifecycle.action.StartILMAction;
+import org.elasticsearch.xpack.core.indexlifecycle.action.StopILMAction;
 import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenAction;
 import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
 import org.elasticsearch.xpack.core.security.support.Automatons;
+import org.elasticsearch.xpack.core.snapshotlifecycle.action.GetSnapshotLifecycleAction;
 
 import java.util.Collections;
 import java.util.HashSet;
@@ -60,6 +63,9 @@ public final class ClusterPrivilege extends Privilege {
     private static final Automaton READ_CCR_AUTOMATON = patterns(ClusterStateAction.NAME, HasPrivilegesAction.NAME);
     private static final Automaton MANAGE_ILM_AUTOMATON = patterns("cluster:admin/ilm/*");
     private static final Automaton READ_ILM_AUTOMATON = patterns(GetLifecycleAction.NAME, GetStatusAction.NAME);
+    private static final Automaton MANAGE_SLM_AUTOMATON =
+        patterns("cluster:admin/slm/*", StartILMAction.NAME, StopILMAction.NAME, GetStatusAction.NAME);
+    private static final Automaton READ_SLM_AUTOMATON = patterns(GetSnapshotLifecycleAction.NAME, GetStatusAction.NAME);
 
     public static final ClusterPrivilege NONE =                  new ClusterPrivilege("none",                Automatons.EMPTY);
     public static final ClusterPrivilege ALL =                   new ClusterPrivilege("all",                 ALL_CLUSTER_AUTOMATON);
@@ -90,6 +96,8 @@ public final class ClusterPrivilege extends Privilege {
     public static final ClusterPrivilege CREATE_SNAPSHOT =       new ClusterPrivilege("create_snapshot", CREATE_SNAPSHOT_AUTOMATON);
     public static final ClusterPrivilege MANAGE_ILM =            new ClusterPrivilege("manage_ilm", MANAGE_ILM_AUTOMATON);
     public static final ClusterPrivilege READ_ILM =              new ClusterPrivilege("read_ilm", READ_ILM_AUTOMATON);
+    public static final ClusterPrivilege MANAGE_SLM =            new ClusterPrivilege("manage_slm", MANAGE_SLM_AUTOMATON);
+    public static final ClusterPrivilege READ_SLM =              new ClusterPrivilege("read_slm", READ_SLM_AUTOMATON);
 
     public static final Predicate<String> ACTION_MATCHER = ClusterPrivilege.ALL.predicate();
 
@@ -118,7 +126,9 @@ public final class ClusterPrivilege extends Privilege {
             entry("read_ccr", READ_CCR),
             entry("create_snapshot", CREATE_SNAPSHOT),
             entry("manage_ilm", MANAGE_ILM),
-            entry("read_ilm", READ_ILM));
+            entry("read_ilm", READ_ILM),
+            entry("manage_slm", MANAGE_SLM),
+            entry("read_slm", READ_SLM));
 
     private static final ConcurrentHashMap<Set<String>, ClusterPrivilege> CACHE = new ConcurrentHashMap<>();
 

diff --git a/...e/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java b/...e/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
@@ -204,4 +204,34 @@ public void testIlmPrivileges() {
             assertThat(predicate.test("indices:admin/whatever"), is(false));
         }
     }
+
+    public void testSlmPriviledges() {
+        {
+            Predicate<String> predicate = ClusterPrivilege.MANAGE_SLM.predicate();
+            // check cluster actions
+            assertThat(predicate.test("cluster:admin/slm/delete"), is(true));
+            assertThat(predicate.test("cluster:admin/slm/put"), is(true));
+            assertThat(predicate.test("cluster:admin/slm/get"), is(true));
+            assertThat(predicate.test("cluster:admin/ilm/start"), is(true));
+            assertThat(predicate.test("cluster:admin/ilm/stop"), is(true));
+            assertThat(predicate.test("cluster:admin/slm/execute"), is(true));
+            assertThat(predicate.test("cluster:admin/ilm/operation_mode/get"), is(true));
+            // check non-slm action
+            assertThat(predicate.test("cluster:admin/whatever"), is(false));
+        }
+
+        {
+            Predicate<String> predicate = ClusterPrivilege.READ_SLM.predicate();
+            // check cluster actions
+            assertThat(predicate.test("cluster:admin/slm/delete"), is(false));
+            assertThat(predicate.test("cluster:admin/slm/put"), is(false));
+            assertThat(predicate.test("cluster:admin/slm/get"), is(true));
+            assertThat(predicate.test("cluster:admin/ilm/start"), is(false));
+            assertThat(predicate.test("cluster:admin/ilm/stop"), is(false));
+            assertThat(predicate.test("cluster:admin/slm/execute"), is(false));
+            assertThat(predicate.test("cluster:admin/ilm/operation_mode/get"), is(true));
+            // check non-slm action
+            assertThat(predicate.test("cluster:admin/whatever"), is(false));
+        }
+    }
 }