Skip to content

Bugfix: Prevent invalid privileges in manage roles privilege #128532

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
elasticsearchmachine merged 14 commits into from
May 29, 2025
Merged

Bugfix: Prevent invalid privileges in manage roles privilege #128532

elasticsearchmachine merged 14 commits into from
May 29, 2025

Conversation

@gmjehovich
Copy link
Contributor

@gmjehovich gmjehovich commented May 27, 2025

This PR addresses the bug reported in #127496

Changes:

  • Added validation logic in ConfigurableClusterPrivileges to ensure privileges defined for a global cluster manage role privilege are valid
  • Added unit test to ManageRolePrivilegesTest to ensure invalid privilege is caught during role creation
  • Updated BulkPutRoleRestIT to assert that an error is thrown and that the role is not created.

Both existing and new unit/integration tests passed locally.

@gmjehovich gmjehovich added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC :Security/Security Security issues without another label Team:Security Meta label for security team labels May 27, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented May 27, 2025

Hi @gmjehovich, I've created a changelog YAML for you.

@n1v0lg n1v0lg self-requested a review May 28, 2025 08:49
@n1v0lg n1v0lg assigned gmjehovich and unassigned gmjehovich and n1v0lg May 28, 2025
@n1v0lg n1v0lg added v8.19.0 auto-backport Automatically create backport pull requests when merged and removed :Security/Security Security issues without another label labels May 28, 2025
n1v0lg
n1v0lg approved these changes May 28, 2025
View reviewed changes
Copy link
Contributor

@n1v0lg n1v0lg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Nice work 🚀 A couple comments but nothing that requires another round of review.

gmjehovich and others added 8 commits May 28, 2025 18:31
@gmjehovich
Prevent invalid privileges in manage roles privilege
f6064fe
@gmjehovich
Update docs/changelog/128532.yaml
fdc6df0
@gmjehovich
[CI] Auto commit changes from spotless
454cf11
@gmjehovich @n1v0lg
Update docs/changelog/128532.yaml
578fef6 
Co-authored-by: Nikolaj Volgushev <n1v0lg@users.noreply.github.com>
@gmjehovich @n1v0lg
Update docs/changelog/128532.yaml
8a23b5f 
Co-authored-by: Nikolaj Volgushev <n1v0lg@users.noreply.github.com>
@gmjehovich @n1v0lg
Update docs/changelog/128532.yaml
f62c1e0 
Co-authored-by: Nikolaj Volgushev <n1v0lg@users.noreply.github.com>
@gmjehovich @n1v0lg
Update x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/…
d23f275 
…security/authz/privilege/ManageRolesPrivilegesTests.java

Co-authored-by: Nikolaj Volgushev <n1v0lg@users.noreply.github.com>
@gmjehovich
Address review comments for PR-128532
33b17cd
@gmjehovich gmjehovich added the auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) label May 28, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented May 28, 2025

Hi @gmjehovich, I've updated the changelog YAML for you.

@gmjehovich gmjehovich marked this pull request as ready for review May 28, 2025 22:42
@gmjehovich gmjehovich requested a review from a team as a code owner May 28, 2025 22:42
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented May 28, 2025

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine merged commit 57d4e15 into elastic:main May 29, 2025
23 checks passed
@gmjehovich gmjehovich deleted the managed-role-bug branch May 29, 2025 16:15
@gmjehovich gmjehovich mentioned this pull request May 29, 2025
Merged
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented May 29, 2025

💔 Backport failed

Status Branch Result
8.19
9.0 Commit could not be cherrypicked due to conflicts
8.17 Commit could not be cherrypicked due to conflicts
8.18 Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 128532

joshua-adams-1 pushed a commit to joshua-adams-1/elasticsearch that referenced this pull request Jun 3, 2025
@gmjehovich @joshua-adams-1
Bugfix: Prevent invalid privileges in manage roles privilege (elastic…
e89957f 
…#128532)

This PR addresses the bug reported in
[elastic#127496](elastic#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.
gmjehovich added a commit to gmjehovich/elasticsearch that referenced this pull request Jun 3, 2025
@gmjehovich
Bugfix: Prevent invalid privileges in manage roles privilege (elastic…
8fc6adc 
…#128532)

This PR addresses the bug reported in
[elastic#127496](elastic#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.
@gmjehovich gmjehovich mentioned this pull request Jun 3, 2025
Merged
Samiul-TheSoccerFan pushed a commit to Samiul-TheSoccerFan/elasticsearch that referenced this pull request Jun 5, 2025
@gmjehovich @Samiul-TheSoccerFan
Bugfix: Prevent invalid privileges in manage roles privilege (elastic…
469571c 
…#128532)

This PR addresses the bug reported in
[elastic#127496](elastic#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.
gmjehovich added a commit that referenced this pull request Jun 9, 2025
@gmjehovich
Prevent invalid privileges in manage roles privilege (#128532) (#128847)
96df3a9 
This PR addresses the bug reported in
[#127496](#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.
This was referenced Jun 9, 2025
Merged
Merged
gmjehovich added a commit to gmjehovich/elasticsearch that referenced this pull request Jun 9, 2025
@gmjehovich
Prevent invalid privileges in manage roles privilege (elastic#128532) (
1c9ee18 
…elastic#128847)

This PR addresses the bug reported in
[elastic#127496](elastic#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.
gmjehovich added a commit to gmjehovich/elasticsearch that referenced this pull request Jun 9, 2025
@gmjehovich
Prevent invalid privileges in manage roles privilege (elastic#128532) (
53350ec 
…elastic#128847)

This PR addresses the bug reported in
[elastic#127496](elastic#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.
elasticsearchmachine pushed a commit that referenced this pull request Jun 9, 2025
@gmjehovich
Prevent invalid privileges in manage roles privilege (#128532) (#128847
57921fb 
…) (#129155)

This PR addresses the bug reported in
[#127496](#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.
elasticsearchmachine pushed a commit that referenced this pull request Jun 9, 2025
@gmjehovich
Prevent invalid privileges in manage roles privilege (#128532) (#128847
4464e17 
…) (#129156)

This PR addresses the bug reported in
[#127496](#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.
elasticsearchmachine pushed a commit that referenced this pull request Jun 9, 2025
@gmjehovich @joegallo
Bugfix: Prevent invalid privileges in manage roles privilege (#128532) (
3108cd8 
#128626)

This PR addresses the bug reported in
[#127496](#127496)

**Changes:** - Added validation logic in `ConfigurableClusterPrivileges`
to ensure privileges defined for a global cluster manage role privilege
are valid  - Added unit test to `ManageRolePrivilegesTest` to ensure
invalid privilege is caught during role creation - Updated
`BulkPutRoleRestIT` to assert that an error is thrown and that the role
is not created.

Both existing and new unit/integration tests passed locally.

Co-authored-by: Joe Gallo <joe.gallo@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@n1v0lg n1v0lg n1v0lg approved these changes

Assignees

@gmjehovich gmjehovich

Labels

auto-backport Automatically create backport pull requests when merged auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v8.17.8 v8.18.3 v8.19.0 v9.0.2 v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gmjehovich @elasticsearchmachine @n1v0lg