@@ -186,7 +186,7 @@ public class IndexAuthorizationReadWriteIntTests {
186186 .on ("index_bw*" )//
187187 .indexPermissions ("manage" )
188188 .on ("index_bw*" )//
189- .indexPermissions ("manage_aliases" )
189+ .indexPermissions ("crud" , "manage" , " manage_aliases" )
190190 .on ("alias_bwx*" )
191191 )//
192192 .indexMatcher ("read" , limitedTo (index_br1 , index_br2 , index_bw1 , index_bw2 , index_bwx1 , index_bwx2 ))//
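Review bot: The third action group on the changed `.indexPermissions(...)` line is written `" manage_aliases"` with a leading space inside the string literal, while the same privilege is spelled `"manage_aliases"` in the new LIMITED_USER_B_READ_ONLY_MANAGE_INDEX_ALIAS role further down; if that space is really in the source rather than a rendering artifact, and action-group names are not trimmed on load, the name would not resolve and the test user would silently lose the alias privilege. The identical string appears again in the hunk at `@@ -210,7 +233,7 @@` for LIMITED_USER_B_HIDDEN_MANAGE_INDEX_ALIAS. Suggested line for both: `.indexPermissions("crud", "manage", "manage_aliases")`. The role definition starts before this hunk.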
@@ -196,6 +196,29 @@ public class IndexAuthorizationReadWriteIntTests {
196196 .indexMatcher ("manage_alias" , limitedTo (index_bw1 , index_bw2 , index_bwx1 , index_bwx2 , alias_bwx ))//
197197 .indexMatcher ("get_alias" , limitedTo (alias_bwx ));
198198
199+ /**
200+ * This user differs from LIMITED_USER_B_MANAGE_INDEX_ALIAS the way that it does not give any direct
201+ * write privileges to index_bw*; rather, it gives write privileges to alias_bxw. Any index which happens
202+ * to be member of that alias then gains these write privileges.
203+ */
204+ static TestSecurityConfig .User LIMITED_USER_B_READ_ONLY_MANAGE_INDEX_ALIAS = new TestSecurityConfig .User ("limited_user_B_index_read_only_manage_index_alias" )//
205+ .description ("index_b* r/o, alias_bwx* r/w with manage privs" )//
206+ .roles (
207+ //
208+ new Role ("r1" )//
209+ .clusterPermissions ("cluster_composite_ops" , "cluster_monitor" )//
210+ .indexPermissions ("read" , "indices_monitor" , "indices:admin/refresh*" )
211+ .on ("index_b*" )//
212+ .indexPermissions ("crud" , "manage" , "manage_aliases" )
213+ .on ("alias_bwx*" )
214+ )//
215+ .indexMatcher ("read" , limitedTo (index_br1 , index_br2 ))//
216+ .indexMatcher ("write" , limitedToNone ())//
217+ .indexMatcher ("create_index" , limitedToNone ())//
218+ .indexMatcher ("manage_index" , limitedTo (alias_bwx ))//
219+ .indexMatcher ("manage_alias" , limitedTo (alias_bwx ))//
220+ .indexMatcher ("get_alias" , limitedTo (alias_bwx ));
221+
199222 static TestSecurityConfig .User LIMITED_USER_B_HIDDEN_MANAGE_INDEX_ALIAS = new TestSecurityConfig .User (
200223 "limited_user_B_hidden_manage_index_alias"
201224 )//
@@ -210,7 +233,7 @@ public class IndexAuthorizationReadWriteIntTests {
210233 .on ("index_bw*" , "index_hidden*" )//
211234 .indexPermissions ("manage" )
212235 .on ("index_bw*" , "index_hidden*" )//
213- .indexPermissions ("manage_aliases" )
236+ .indexPermissions ("crud" , "manage" , " manage_aliases" )
214237 .on ("alias_bwx*" )
215238 )//
216239 .indexMatcher ("read" , limitedTo (index_ar1 , index_ar2 , index_aw1 , index_aw2 , index_br1 , index_br2 , index_bw1 , index_bw2 , index_bwx1 , index_bwx2 , index_hidden ))//
@@ -568,6 +591,7 @@ public class IndexAuthorizationReadWriteIntTests {
568591 LIMITED_USER_B_CREATE_INDEX ,
569592 LIMITED_USER_B_MANAGE_INDEX ,
570593 LIMITED_USER_B_MANAGE_INDEX_ALIAS ,
594+ LIMITED_USER_B_READ_ONLY_MANAGE_INDEX_ALIAS ,
571595 LIMITED_USER_B_HIDDEN_MANAGE_INDEX_ALIAS ,
572596 LIMITED_USER_B_SYSTEM_INDEX_MANAGE ,
573597 LIMITED_USER_C ,
@@ -866,10 +890,10 @@ public void deleteIndex() throws Exception {
866890 createInitialTestObjects (index_bwx1 );
867891
868892 HttpResponse httpResponse = restClient .delete ("index_bwx1" );
869- if (user .indexMatcher ("manage_index" ).isEmpty ()) {
870- assertThat (httpResponse , isForbidden ());
871- } else {
893+ if (user .indexMatcher ("manage_index" ).covers (index_bwx1 )) {
872894 assertThat (httpResponse , isOk ());
895+ } else {
896+ assertThat (httpResponse , isForbidden ());
873897 }
874898 } finally {
875899 delete (index_bwx1 );
@@ -935,7 +959,7 @@ public void deleteAlias_staticIndex() throws Exception {
935959 HttpResponse httpResponse = restClient .delete ("index_bw1/_aliases/alias_bwx" );
936960
937961 if (clusterConfig .legacyPrivilegeEvaluation ) {
938- if (user .indexMatcher ("manage_alias" ).covers (index_bw1 )) {
962+ if (user .indexMatcher ("manage_alias" ).covers (index_bw1 ) || user . indexMatcher ( "manage_alias" ). covers ( alias_bwx ) ) {
939963 assertThat (httpResponse , isOk ());
940964 } else {
941965 assertThat (httpResponse , isForbidden ());
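Review bot: The new disjunct `user . indexMatcher ( "manage_alias" ). covers ( alias_bwx )` is spaced differently from the existing `user.indexMatcher("manage_alias").covers(index_bw1)` on the same line, which reads as code that did not go through the formatter; the same spacing appears in the hunks at `@@ -1061,13 +1085,13 @@` and `@@ -1274,44 +1301,32 @@`. If the build enforces spotless/google-java-format this will fail the check; otherwise a manual reformat to `if (user.indexMatcher("manage_alias").covers(index_bw1) || user.indexMatcher("manage_alias").covers(alias_bwx)) {` keeps the line consistent. deleteAlias_staticIndex starts before this hunk and ends after it.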
@@ -1037,7 +1061,7 @@ public void aliases_createAlias_indexPattern() throws Exception {
10371061 assertThat (httpResponse , isForbidden ());
10381062 }
10391063 } else {
1040- if (user .indexMatcher ("manage_alias" ).coversAll (alias_bwx )) {
1064+ if (user .indexMatcher ("manage_alias" ).coversAll (alias_bwx , index_bw1 , index_bw2 )) {
10411065 assertThat (httpResponse , isOk ());
10421066 } else {
10431067 assertThat (httpResponse , isForbidden ());
@@ -1061,13 +1085,13 @@ public void aliases_deleteAlias_staticIndex() throws Exception {
10611085 }""" );
10621086
10631087 if (clusterConfig .legacyPrivilegeEvaluation ) {
1064- if (user .indexMatcher ("manage_alias" ).covers (index_bw1 )) {
1088+ if (user .indexMatcher ("manage_alias" ).covers (index_bw1 ) || user . indexMatcher ( "manage_alias" ). covers ( alias_bwx ) ) {
10651089 assertThat (httpResponse , isOk ());
10661090 } else {
10671091 assertThat (httpResponse , isForbidden ());
10681092 }
10691093 } else {
1070- if (user .indexMatcher ("manage_alias" ).coversAll ( index_bw1 , alias_bwx )) {
1094+ if (user .indexMatcher ("manage_alias" ).covers ( alias_bwx )) {
10711095 assertThat (httpResponse , isOk ());
10721096 } else {
10731097 assertThat (httpResponse , isForbidden ());
@@ -1230,21 +1254,24 @@ public void closeIndex_wildcard() throws Exception {
12301254 assertThat (httpResponse , isForbidden ());
12311255 }
12321256 } else {
1233- assertThat (
1234- httpResponse ,
1235- containsExactly (
1236- index_ar1 ,
1237- index_ar2 ,
1238- index_aw1 ,
1239- index_aw2 ,
1240- index_br1 ,
1241- index_br2 ,
1242- index_bw1 ,
1243- index_bw2 ,
1244- index_cr1 ,
1245- index_cw1
1246- ).at ("indices.keys()" ).reducedBy (user .indexMatcher ("manage_index" )).whenEmpty (isForbidden ())
1247- );
1257+ if (!user .indexMatcher ("manage_index" ).isEmpty ()) {
1258+ assertThat (
1259+ httpResponse ,
1260+ containsExactly (
1261+ index_ar1 ,
1262+ index_ar2 ,
1263+ index_aw1 ,
1264+ index_aw2 ,
1265+ index_br1 ,
1266+ index_br2 ,
1267+ index_bw1 ,
1268+ index_bw2 ,
1269+ index_cr1 ,
1270+ index_cw1
1271+ ).at ("indices.keys()" ).reducedBy (user .indexMatcher ("manage_index" )).whenEmpty (isOk ()));
1272+ } else {
1273+ assertThat (httpResponse , isForbidden ());
1274+ }
12481275 }
12491276 } finally {
12501277 cluster .getInternalNodeClient ().admin ().indices ().open (new OpenIndexRequest ("*" )).actionGet ();
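Review bot: In the else branch of closeIndex_wildcard the assertion now ends with `.whenEmpty(isOk()));`, folding the closing paren of `assertThat(` into the chained expression, whereas the removed version and the rest of the file put `);` on its own line; restoring that layout keeps the block readable and formatter-clean. Beyond style, the new guard changes the expectation for a user whose manage_index matcher is non-empty but matches none of the listed indices: presumably that case now expects an OK response with an empty index set where it previously expected isForbidden(). If that is the intended semantics of the non-legacy evaluation, a one-line comment above the new `if`, such as `// non-legacy evaluation: a wildcard close that resolves to no manageable index is an empty success, not a 403`, would document it. closeIndex_wildcard starts before this hunk and ends after it.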
@@ -1274,44 +1301,32 @@ public void closeIndex_openIndex() throws Exception {
12741301 @ Test
12751302 public void rollover_explicitTargetIndex () throws Exception {
12761303 try (TestRestClient restClient = cluster .getRestClient (user )) {
1277- createInitialTestObjects (alias_bwx .on (index_bw1 , index_bw2 ));
1304+ createInitialTestObjects (alias_bwx .on (index_bw1 ). writeIndex ( index_bw1 ));
12781305
1279- HttpResponse httpResponse = restClient .postJson ("_aliases" , """
1280- {
1281- "actions": [
1282- { "remove": { "index": "*", "alias": "alias_bwx" } }
1283- ]
1284- }""" );
1306+ HttpResponse httpResponse = restClient .postJson ("alias_bwx/_rollover/index_bwx1" , """
1307+ {
1308+ "conditions": {
1309+ "max_age": "0s"
1310+ }
1311+ }""" );
1312+
1313+ System .out .println (httpResponse .getBody ());
12851314
12861315 if (clusterConfig .legacyPrivilegeEvaluation ) {
1287- // This is only allowed if we have privileges for all indices, even if not all indices are member of alias_bwx
1288- if (user .indexMatcher ("manage_alias" )
1289- .coversAll (
1290- index_ar1 ,
1291- index_ar2 ,
1292- index_aw1 ,
1293- index_aw2 ,
1294- index_br1 ,
1295- index_br2 ,
1296- index_bw1 ,
1297- index_bw1 ,
1298- index_cr1 ,
1299- index_cw1
1300- )) {
1316+ if (user .indexMatcher ("manage_alias" ).covers (index_bw1 ) && user .indexMatcher ("manage_index" ).covers (index_bw2 )) {
13011317 assertThat (httpResponse , isOk ());
13021318 } else {
13031319 assertThat (httpResponse , isForbidden ());
13041320 }
13051321 } else {
1306- if (user .indexMatcher ("manage_alias" ).coversAll (alias_bwx )) {
1322+ if (user .indexMatcher ("manage_alias" ).covers (alias_bwx ) && user . indexMatcher ( "manage_index" ). covers ( index_bw2 )) {
13071323 assertThat (httpResponse , isOk ());
13081324 } else {
13091325 assertThat (httpResponse , isForbidden ());
13101326 }
13111327 }
1312-
13131328 } finally {
1314- delete (alias_bwx );
1329+ delete (alias_bwx , index_bwx1 );
13151330 }
13161331 }
13171332
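Review bot: `System.out.println(httpResponse.getBody());` after the rollover call looks like leftover debugging output and should be removed before merge, or routed through the test logger if the body is useful on failure. Separately, both expectation branches check `user.indexMatcher("manage_index").covers(index_bw2)`, but the test no longer involves index_bw2: the alias is now created on index_bw1 only and the rollover target is index_bwx1, so the check presumably ought to be against the index that gets created, `user.indexMatcher("manage_index").covers(index_bwx1)`, which for the existing users may only coincidentally give the same answer via the `index_bw*` pattern. The removed comment explaining the legacy-evaluation expectation was dropped with the old condition; a replacement sentence stating why the legacy branch requires manage_alias on index_bw1 plus manage_index on the new index would help. rollover_explicitTargetIndex is complete within this hunk.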