Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict Connector APIs to manage/monitor_connector privileges #119863

Merged
merged 7 commits into from
Jan 10, 2025
Merged

Restrict Connector APIs to manage/monitor_connector privileges #119863

merged 7 commits into from
Jan 10, 2025

Conversation

jedrazb
Copy link
Member

@jedrazb jedrazb commented Jan 9, 2025
edited
Loading

Reapply "Restrict Connector APIs to manage/monitor_connector privileg…es (#119389)" (#119833)

Merge again: #119389 after fixing FTR test in Kibana that would cause issues for serverless viewer role this is the fix elastic/kibana#206067

Changes

  • Use monitor/manage_connector privilege for access control to Connector APIs
  • Use client with origin (CONNECTORS_ORIGIN) in index service logic
  • Remove index-level permission logic
  • Update Yaml e2e permission tests

Related dev issue: Restrict Connector APIs to manage/monitor_connector privileges

@elasticsearchmachine elasticsearchmachine added the Team:SearchOrg Meta label for the Search Org (Enterprise Search) label Jan 9, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/search-eng (Team:SearchOrg)

@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/search-extract-and-transform (Team:Search - Extract & Transform)

@elasticsearchmachine
Copy link
Collaborator

Hi @jedrazb, I've created a changelog YAML for you.

@elasticsearchmachine
Copy link
Collaborator

Hi @jedrazb, I've updated the changelog YAML for you. Note that since this PR is labelled >breaking, you need to update the changelog YAML to fill out the extended information sections.

@jedrazb jedrazb mentioned this pull request Jan 9, 2025
Merged
@jedrazb
Copy link
Member Author

jedrazb commented Jan 9, 2025

@elasticmachine merge upstream

jedrazb added a commit to elastic/kibana that referenced this pull request Jan 9, 2025
@jedrazb
[Search serverless / Connectors FTRs] Update test role to developer (#…
542a56b 
…206067)

## Summary

`viewer` role is not sufficient to call Connector APIs with new change
elastic/elasticsearch#119863

Update the FTR tests to use developer role for testing
Zacqary pushed a commit to Zacqary/kibana that referenced this pull request Jan 9, 2025
@jedrazb @Zacqary
[Search serverless / Connectors FTRs] Update test role to developer (e…
5a2a6a2 
…lastic#206067)

## Summary

`viewer` role is not sufficient to call Connector APIs with new change
elastic/elasticsearch#119863

Update the FTR tests to use developer role for testing
seanstory
seanstory reviewed Jan 9, 2025
View reviewed changes
...earch/src/main/java/org/elasticsearch/xpack/application/connector/ConnectorIndexService.java

public static final String CONNECTOR_INDEX_NAME = ConnectorTemplateRegistry.CONNECTOR_INDEX_NAME_PATTERN;

/**
* @param client A client for executing actions on the connector index
*/
public ConnectorIndexService(Client client) {
this.client = client;
this.clientWithOrigin = new OriginSettingClient(client, CONNECTORS_ORIGIN);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you make this variable reuse the old name, a LOT of the diff goes away

this.client = new OriginSettingClient(client, CONNECTORS_ORIGIN);

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(same note for the ConnectorSyncJobIndexService.java)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like naming OriginSettingClient as clientWithOrigin is established patter in ES https://github.com/search?q=repo%3Aelastic%2Felasticsearch+clientWithOrigin&type=code therefore I prefer to keep it like this so that we are explicit how we access the soon to be system indices

@jedrazb jedrazb merged commit 79713f5 into elastic:main Jan 10, 2025
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seanstory seanstory seanstory left review comments

@navarone-feekery navarone-feekery navarone-feekery approved these changes

Assignees
No one assigned
Labels
>breaking >feature :SearchOrg/Extract&Transform Label for the Search E&T team Team:Search - Extract & Transform Team:SearchOrg Meta label for the Search Org (Enterprise Search) v9.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jedrazb @elasticsearchmachine @seanstory @navarone-feekery @jimczi @elasticmachine