[CCR] create_and_follow api and follow api should check if user has sufficient privileges before executing #33553

Closed
martijnvg opened this issue Sep 10, 2018 · 1 comment
Labels
>bug :Distributed Indexing/CCR Issues around the Cross Cluster State Replication features

Comments

@martijnvg
Member

Today if a user invokes the create_and_follow api for a leader index it does not have privileges for, then the create_and_follow api does not follow the leader index, but the follow index does get created. This is an unexpected outcome.

The expected outcome is that the follow index should have been created if the user did not have the privileges to follow the leader index.

Both the create and follow api and the follow api should return with a failure if the user does not have sufficient privileges. Both apis can internally use the has_privilege api to determine if the current user has sufficient privileges in the leader cluster before creating the follow index or trying to follow a leader index.

@martijnvg martijnvg added >bug :Distributed Indexing/CCR Issues around the Cross Cluster State Replication features labels Sep 10, 2018
@martijnvg martijnvg self-assigned this Sep 10, 2018
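The ordering problem described in the issue above, as an added example that is not part of the original issue and is not Elasticsearch code: a toy model in which one path creates the follow index before the privilege check and the other checks first. The class and method names are hypothetical, the response dict is a constructed sample shaped like a has_privileges reply, and the required privileges (`read`, `monitor`) are the ones named in the commit message that closed the issue.

```python
# Added illustration: a toy model of the ordering bug, not Elasticsearch code.
REQUIRED = ("read", "monitor")  # leader-index privileges named in the fix's commit message


class Forbidden(Exception):
    pass


def missing_privileges(resp, index):
    """Required privileges that a has_privileges-style response does not grant.

    Fails closed: an absent index entry or a non-True value counts as denied.
    """
    granted = resp.get("index", {}).get(index, {})
    return [p for p in REQUIRED if granted.get(p) is not True]


class FollowerCluster:
    """Hypothetical stand-in for follower-side state."""

    def __init__(self, has_privileges):
        self.has_privileges = has_privileges  # callable(index) -> response dict
        self.indices = set()

    def _authorize(self, leader):
        missing = missing_privileges(self.has_privileges(leader), leader)
        if missing:
            raise Forbidden(f"missing {missing} on leader index [{leader}]")

    def create_and_follow_before_fix(self, leader, follower):
        self.indices.add(follower)  # side effect happens first...
        self._authorize(leader)     # ...then the follow step is rejected

    def create_and_follow_checked(self, leader, follower):
        self._authorize(leader)     # reject before any state changes
        self.indices.add(follower)


def demo():
    # Constructed response: the user can read but not monitor the leader index.
    resp = {"has_all_requested": False,
            "index": {"leader-logs": {"read": True, "monitor": False}}}
    leftover = {}
    for name in ("create_and_follow_before_fix", "create_and_follow_checked"):
        cluster = FollowerCluster(lambda index: resp)
        try:
            getattr(cluster, name)("leader-logs", "follower-logs")
        except Forbidden:
            pass
        leftover[name] = sorted(cluster.indices)
    return leftover
```

`demo()` returns the indices left behind on the follower after each rejected request: the unchecked path leaves `follower-logs` in place, the checked path leaves nothing.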
@elasticmachine
Collaborator

Pinging @elastic/es-distributed

martijnvg added a commit to martijnvg/elasticsearch that referenced this issue Sep 17, 2018
Prior to following an index in the follow API, check whether current
user has sufficient privileges in the leader cluster to read and
monitor the leader index.

Also check this in the create and follow API prior to creating the
follow index.

Also introduced READ_CCR cluster privilege that includes the minimal
cluster level actions that are required for ccr in the leader cluster.
So a user can follow indices in a cluster, but not use the ccr admin APIs.

Closes elastic#33553
martijnvg added a commit that referenced this issue Sep 28, 2018
Prior to following an index in the follow API, check whether current
user has sufficient privileges in the leader cluster to read and
monitor the leader index.

Also check this in the create and follow API prior to creating the
follow index.

Also introduced READ_CCR cluster privilege that includes the minimal
cluster level actions that are required for ccr in the leader cluster.
So a user can follow indices in a cluster, but not use the ccr admin APIs.

Closes #33553

Co-authored-by: Jason Tedor <jason@tedor.me>
kcm pushed a commit that referenced this issue Oct 30, 2018
Prior to following an index in the follow API, check whether current
user has sufficient privileges in the leader cluster to read and
monitor the leader index.

Also check this in the create and follow API prior to creating the
follow index.

Also introduced READ_CCR cluster privilege that includes the minimal
cluster level actions that are required for ccr in the leader cluster.
So a user can follow indices in a cluster, but not use the ccr admin APIs.

Closes #33553

Co-authored-by: Jason Tedor <jason@tedor.me>