Add read_failures privilege for authorizing failure store #119915
+354 −172
This commit adds the read_failures privilege and the logic supporting that privilege. The read_failures privilege enables read access to failure store indices owned by data streams named in the indices field of an indices privileges group, without implying read access to that data stream's "normal" backing indices.

This is a bit of a mismatch with the existing privilege model, which authorizes actions and indices orthogonally. As of this change, in order to fully authorize an action, both action name and requested indices must be considered.
Non-read actions to failure store indices, such as management calls, are authorized the same as backing indices; authorization will be granted to manage failure store indices if the user has permission to manage the owning data stream. It is only data visibility that is gated behind the new permission.
Draft because:
I changed tactics in response to finding a bug and everything is still a bit of a mess. I think I also might have lost some things in the git shuffle. Basically don't look at this yet, give me another day to get things cleaned up.
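A toy model of the authorization rule the description lays out, added here as an illustration; it is not code from this PR or from Elasticsearch. The .ds-/.fs- index names, the action strings and the data structures are assumptions made for the example.

```python
# Constructed illustration of the rule described above: read access to a data
# stream's failure store indices comes only from read_failures, read access to
# its backing indices only from read, and management actions on either kind of
# index follow the manage privilege on the owning data stream. Not Elasticsearch
# code; index names, action strings and structures are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStream:
    name: str
    backing_indices: frozenset
    failure_indices: frozenset


@dataclass(frozen=True)
class IndicesPrivilegeGroup:
    indices: frozenset     # data stream names the group applies to
    privileges: frozenset  # e.g. {"read"}, {"read_failures"}, {"manage"}


# Constructed sample data stream with one backing and one failure store index.
LOGS = DataStream("logs", frozenset({".ds-logs-000001"}), frozenset({".fs-logs-000001"}))


def is_read_action(action: str) -> bool:
    """Data-visibility actions are the only ones gated by read_failures."""
    return action.startswith("indices:data/read/")


def owning_stream(index: str, streams):
    """Return (stream, is_failure_index) for the data stream that owns index."""
    for s in streams:
        if index in s.backing_indices:
            return s, False
        if index in s.failure_indices:
            return s, True
    return None, False


def is_authorized(groups, streams, action: str, index: str) -> bool:
    """Both the action name and the concrete index decide the outcome."""
    stream, is_failure = owning_stream(index, streams)
    if stream is None:
        return False
    for g in groups:
        if stream.name not in g.indices:
            continue
        if is_read_action(action):
            needed = "read_failures" if is_failure else "read"
            if needed in g.privileges:
                return True
        elif "manage" in g.privileges:  # management is not gated by read_failures
            return True
    return False
```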