Add read_failures privilege for authorizing failure store #119915

Draft
wants to merge 8 commits into
base: main
Conversation

gwbrown

@gwbrown gwbrown commented Jan 10, 2025

This commit adds the read_failures privilege and the logic supporting that privilege. The read_failures privilege enables read access to failure store indices owned by data streams named in the indices field of an indices privileges group, without implying read access to that data stream's "normal" backing indices.

This is a bit of a mismatch with the existing privilege model, which authorizes actions and indices orthogonally. As of this change, in order to fully authorize an action, both action name and requested indices must be considered.

Non-read actions to failure store indices, such as management calls, are authorized the same as backing indices; authorization will be granted to manage failure store indices if the user has permission to manage the owning data stream. It is only data visibility that is gated behind the new permission.


Draft because:
I changed tactics in response to finding a bug and everything is still a bit of a mess. I think I also might have lost some things in the git shuffle. Basically don't look at this yet, give me another day to get things cleaned up.
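The point of the description above is that, once `read_failures` exists, the privilege needed for a request depends on both the action name and the concrete index it resolves to: a read of a failure store index needs `read_failures` on the owning data stream, a read of a backing index needs `read`, and management actions are authorized the same way for both kinds of index. The following is an added, stand-alone Python model of that decision written for this page; it is not Elasticsearch code and does not reproduce the project's authorization engine. It assumes constructed index naming (`.ds-<stream>-<date>-<generation>` for backing indices, `.fs-<stream>-<date>-<generation>` for failure store indices), a hand-picked set of action names, and a single `manage` privilege standing in for all non-read index privileges.

```python
"""Toy model of action-plus-index authorization with a read_failures privilege.

Added example for the PR description; not Elasticsearch's implementation.
Index naming, action names and the privilege set are assumptions for the model.
"""
import fnmatch
from dataclasses import dataclass

# Assumed naming convention for indices owned by a data stream (not from the PR).
BACKING_PREFIX = ".ds-"
FAILURE_PREFIX = ".fs-"

# Assumed action names for the two classes the description distinguishes.
READ_ACTIONS = frozenset({"indices:data/read/search", "indices:data/read/get"})
MANAGE_ACTIONS = frozenset({"indices:admin/settings/update", "indices:admin/delete"})


@dataclass(frozen=True)
class IndicesPrivilegesGroup:
    """One entry of a role's indices privileges: name patterns plus privileges."""
    names: tuple            # data stream / index name patterns, e.g. ("logs-*",)
    privileges: frozenset   # e.g. {"read"}, {"read_failures"}, {"manage"}


def owning_data_stream(index: str):
    """Return (data_stream_name, is_failure_store) for a concrete index name.

    A plain index that is not owned by a data stream maps to itself.
    """
    for prefix, is_failure_store in ((FAILURE_PREFIX, True), (BACKING_PREFIX, False)):
        if index.startswith(prefix):
            rest = index[len(prefix):]
            # Strip the trailing "-<date>-<generation>" to recover the stream name.
            stream = rest.rsplit("-", 2)[0]
            return stream, is_failure_store
    return index, False


def required_privilege(action: str, index: str) -> str:
    """Both the action and the requested index decide which privilege is needed.

    Reads of failure store indices need read_failures; reads of backing
    indices need read; non-read actions are authorized like backing indices.
    """
    _, is_failure_store = owning_data_stream(index)
    if action in READ_ACTIONS:
        return "read_failures" if is_failure_store else "read"
    if action in MANAGE_ACTIONS:
        return "manage"
    raise ValueError(f"unmodelled action: {action}")


def is_authorized(groups, action: str, index: str) -> bool:
    """True if some group names the owning data stream and grants the needed privilege."""
    stream, _ = owning_data_stream(index)
    needed = required_privilege(action, index)
    return any(
        needed in group.privileges
        and any(fnmatch.fnmatchcase(stream, pattern) for pattern in group.names)
        for group in groups
    )


# Constructed role: read_failures on logs-*, read + manage on metrics-*.
ROLE = (
    IndicesPrivilegesGroup(names=("logs-*",), privileges=frozenset({"read_failures"})),
    IndicesPrivilegesGroup(names=("metrics-*",), privileges=frozenset({"read", "manage"})),
)

SEARCH = "indices:data/read/search"
UPDATE_SETTINGS = "indices:admin/settings/update"


def demo() -> dict:
    """Evaluate the four cases the description calls out, using constructed index names."""
    return {
        # read_failures grants visibility into the failure store of logs-app ...
        "fs_read_with_read_failures": is_authorized(ROLE, SEARCH, ".fs-logs-app-2025.01.01-000001"),
        # ... but does not imply read on the stream's normal backing indices.
        "backing_read_with_read_failures": is_authorized(ROLE, SEARCH, ".ds-logs-app-2025.01.01-000001"),
        # read alone does not expose failure store data.
        "fs_read_with_read_only": is_authorized(ROLE, SEARCH, ".fs-metrics-app-2025.01.01-000001"),
        # management of the failure store follows management of the owning stream.
        "fs_manage_with_manage": is_authorized(ROLE, UPDATE_SETTINGS, ".fs-metrics-app-2025.01.01-000001"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOWED' if allowed else 'DENIED'}")
```

Running the module prints ALLOWED for the first and last case and DENIED for the middle two, which is the asymmetry the description calls a mismatch with the existing orthogonal model: the same role grants a search on one index owned by `logs-app` and denies it on another, purely because of which index is requested.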
