Disallow mapping updates for doc ingestion privileges

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -10,6 +10,7 @@
 import org.apache.lucene.util.automaton.Operations;
 import org.apache.lucene.util.automaton.TooComplexToDeterminizeException;
 import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction;
 import org.elasticsearch.cluster.metadata.IndexAbstraction;
 import org.elasticsearch.cluster.metadata.IndexMetadata;
 import org.elasticsearch.common.Nullable;
@@ -46,14 +47,29 @@ public final class IndicesPermission {
 
     public static final IndicesPermission NONE = new IndicesPermission();
 
-    private final ConcurrentMap<String, Predicate<String>> allowedIndicesMatchersForAction = new ConcurrentHashMap<>();
+    private final ConcurrentMap<String, Predicate<IndexAbstraction>> allowedIndicesMatchersForAction = new ConcurrentHashMap<>();
 
     private final Group[] groups;
 
     public IndicesPermission(Group... groups) {
         this.groups = groups;
     }
 
+    public static Predicate<String> indexMatcher(Collection<String> ordinaryIndices, Collection<String> restrictedIndices) {
+        final Predicate<String> namePredicate;
+        if (restrictedIndices.isEmpty()) {
+            namePredicate = indexMatcher(ordinaryIndices)
+                    .and(index -> false == RestrictedIndicesNames.isRestricted(index));
+        } else if (ordinaryIndices.isEmpty()) {
+            namePredicate = indexMatcher(restrictedIndices);
+        } else {
+            namePredicate = indexMatcher(restrictedIndices)
+                    .or(indexMatcher(ordinaryIndices)
+                            .and(index -> false == RestrictedIndicesNames.isRestricted(index)));
+        }
+        return namePredicate;
+    }
+
     public static Predicate<String> indexMatcher(Collection<String> indices) {
         Set<String> exactMatch = new HashSet<>();
         List<String> nonExactMatch = new ArrayList<>();
@@ -105,7 +121,7 @@ public Group[] groups() {
      * @return A predicate that will match all the indices that this permission
      * has the privilege for executing the given action on.
      */
-    public Predicate<String> allowedIndicesMatcher(String action) {
+    public Predicate<IndexAbstraction> allowedIndicesMatcher(String action) {
         return allowedIndicesMatchersForAction.computeIfAbsent(action, a -> Group.buildIndexMatcherPredicateForAction(a, groups));
     }
 
@@ -117,7 +133,7 @@ public Predicate<String> allowedIndicesMatcher(String action) {
      */
     public boolean check(String action) {
         for (Group group : groups) {
-            if (group.check(action)) {
+            if (group.checkAction(action) || authorizeMappingUpdateBwcSpecialCase(group, action)) {
                 return true;
             }
         }
@@ -213,7 +229,9 @@ public Map<String, IndicesAccessControl.IndexAccessControl> authorize(String act
             }
 
             for (Group group : groups) {
-                if (group.check(action, indexOrAlias)) {
+                if (group.checkIndex(indexOrAlias) &&
+                        (group.checkAction(action) || (authorizeMappingUpdateBwcSpecialCase(group, action) &&
+                                (indexAbstraction == null || indexAbstraction.getType() != IndexAbstraction.Type.DATA_STREAM)))) {
                     granted = true;
                     for (String index : concreteIndices) {
                         Set<FieldPermissions> fieldPermissions = fieldPermissionsByIndex.computeIfAbsent(index, (k) -> new HashSet<>());
@@ -276,6 +294,14 @@ private boolean isConcreteRestrictedIndex(String indexPattern) {
         return RestrictedIndicesNames.isRestricted(indexPattern);
     }
 
+    private static boolean authorizeMappingUpdateBwcSpecialCase(Group group, String action) {
+        return action.equals(PutMappingAction.NAME) ||
+                (group.privilege().name().containsAll(IndexPrivilege.CREATE_DOC.name()) ||
+                        group.privilege().name().containsAll(IndexPrivilege.CREATE.name()) ||
+                        group.privilege().name().containsAll(IndexPrivilege.INDEX.name()) ||
+                        group.privilege().name().containsAll(IndexPrivilege.WRITE.name()));
+    }
+
     public static class Group {
         private final IndexPrivilege privilege;
         private final Predicate<String> actionMatcher;
@@ -317,14 +343,13 @@ public FieldPermissions getFieldPermissions() {
             return fieldPermissions;
         }
 
-        private boolean check(String action) {
+        private boolean checkAction(String action) {
             return actionMatcher.test(action);
         }
 
-        private boolean check(String action, String index) {
+        private boolean checkIndex(String index) {
             assert index != null;
-            return check(action) && indexNameMatcher.test(index)
-                    && (allowRestrictedIndices || (false == RestrictedIndicesNames.isRestricted(index)));
+            return indexNameMatcher.test(index) && (allowRestrictedIndices || (false == RestrictedIndicesNames.isRestricted(index)));
         }
 
         boolean hasQuery() {
@@ -344,30 +369,36 @@ public static Automaton buildIndexMatcherAutomaton(boolean allowRestrictedIndice
             }
         }
 
-        private static Predicate<String> buildIndexMatcherPredicateForAction(String action, Group... groups) {
+        private static Predicate<IndexAbstraction> buildIndexMatcherPredicateForAction(String action, Group... groups) {
             final Set<String> ordinaryIndices = new HashSet<>();
             final Set<String> restrictedIndices = new HashSet<>();
+            final Set<String> grantMappingUpdatesOnIndices = new HashSet<>();
+            final Set<String> grantMappingUpdatesOnRestrictedIndices = new HashSet<>();
             for (final Group group : groups) {
                 if (group.actionMatcher.test(action)) {
                     if (group.allowRestrictedIndices) {
                         restrictedIndices.addAll(Arrays.asList(group.indices()));
                     } else {
                         ordinaryIndices.addAll(Arrays.asList(group.indices()));
                     }
+                } else if (authorizeMappingUpdateBwcSpecialCase(group, action)) {
+                    // special BWC case for certain privileges: allow put mapping on indices and aliases (but not on data streams), even if
+                    // the privilege definition does not currently allow it
+                    if (group.allowRestrictedIndices) {
+                        grantMappingUpdatesOnRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                    } else {
+                        grantMappingUpdatesOnIndices.addAll(Arrays.asList(group.indices()));
+                    }
                 }
             }
-            final Predicate<String> predicate;
-            if (restrictedIndices.isEmpty()) {
-                predicate = indexMatcher(ordinaryIndices)
-                    .and(index -> false == RestrictedIndicesNames.isRestricted(index));
-            } else if (ordinaryIndices.isEmpty()) {
-                predicate = indexMatcher(restrictedIndices);
-            } else {
-                predicate = indexMatcher(restrictedIndices)
-                    .or(indexMatcher(ordinaryIndices)
-                         .and(index -> false == RestrictedIndicesNames.isRestricted(index)));
-            }
-            return predicate;
+            final Predicate<String> namePredicate = indexMatcher(ordinaryIndices, restrictedIndices);
+            final Predicate<String> bwcSpecialCaseNamePredicate = indexMatcher(grantMappingUpdatesOnIndices,
+                    grantMappingUpdatesOnRestrictedIndices);
+            return indexAbstraction -> {
+                return namePredicate.test(indexAbstraction.getName()) ||
+                        (indexAbstraction.getType() != IndexAbstraction.Type.DATA_STREAM &&
+                                bwcSpecialCaseNamePredicate.test(indexAbstraction.getName()));
+            };
         }
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java

@@ -77,8 +77,8 @@ public IndicesAccessControl authorize(String action, Set<String> requestedIndice
      * action on.
      */
     @Override
-    public Predicate<String> allowedIndicesMatcher(String action) {
-        Predicate<String> predicate = super.indices().allowedIndicesMatcher(action);
+    public Predicate<IndexAbstraction> allowedIndicesMatcher(String action) {
+        Predicate<IndexAbstraction> predicate = super.indices().allowedIndicesMatcher(action);
         predicate = predicate.and(limitedBy.indices().allowedIndicesMatcher(action));
         return predicate;
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -83,7 +83,7 @@ public static Builder builder(RoleDescriptor rd, FieldPermissionsCache fieldPerm
      * @return A predicate that will match all the indices that this role
      * has the privilege for executing the given action on.
      */
-    public Predicate<String> allowedIndicesMatcher(String action) {
+    public Predicate<IndexAbstraction> allowedIndicesMatcher(String action) {
         return indices.allowedIndicesMatcher(action);
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -49,14 +49,13 @@ public final class IndexPrivilege extends Privilege {
     private static final Automaton READ_CROSS_CLUSTER_AUTOMATON = patterns("internal:transport/proxy/indices:data/read/*",
             ClusterSearchShardsAction.NAME);
     private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", "indices:data/write/bulk*",
-            PutMappingAction.NAME, AutoPutMappingAction.NAME);
+            AutoPutMappingAction.NAME);
     private static final Automaton CREATE_DOC_AUTOMATON = patterns("indices:data/write/index", "indices:data/write/index[*",
-        "indices:data/write/index:op_type/create", "indices:data/write/bulk*", PutMappingAction.NAME, AutoPutMappingAction.NAME);
+        "indices:data/write/index:op_type/create", "indices:data/write/bulk*", AutoPutMappingAction.NAME);
     private static final Automaton INDEX_AUTOMATON = patterns("indices:data/write/index*", "indices:data/write/bulk*",
-        "indices:data/write/update*", PutMappingAction.NAME, AutoPutMappingAction.NAME);
+        "indices:data/write/update*", AutoPutMappingAction.NAME);
     private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*", "indices:data/write/bulk*");
-    private static final Automaton WRITE_AUTOMATON = patterns("indices:data/write/*", PutMappingAction.NAME,
-        AutoPutMappingAction.NAME);
+    private static final Automaton WRITE_AUTOMATON = patterns("indices:data/write/*", AutoPutMappingAction.NAME);
     private static final Automaton MONITOR_AUTOMATON = patterns("indices:monitor/*");
     private static final Automaton MANAGE_AUTOMATON =
             unionAndMinimize(Arrays.asList(MONITOR_AUTOMATON, patterns("indices:admin/*")));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java

@@ -501,17 +501,16 @@ GetUserPrivilegesResponse buildUserPrivilegesResponseObject(Role userRole) {
     }
 
     static List<String> resolveAuthorizedIndicesFromRole(Role role, String action, Map<String, IndexAbstraction> aliasAndIndexLookup) {
-        Predicate<String> predicate = role.allowedIndicesMatcher(action);
+        Predicate<IndexAbstraction> predicate = role.allowedIndicesMatcher(action);
 
-        List<String> indicesAndAliases = new ArrayList<>();
+        List<String> authorizedIndicesForAction = new ArrayList<>();
         // TODO: can this be done smarter? I think there are usually more indices/aliases in the cluster then indices defined a roles?
         for (Map.Entry<String, IndexAbstraction> entry : aliasAndIndexLookup.entrySet()) {
-            String aliasOrIndex = entry.getKey();
-            if (predicate.test(aliasOrIndex)) {
-                indicesAndAliases.add(aliasOrIndex);
+            if (predicate.test(entry.getValue())) {
+                authorizedIndicesForAction.add(entry.getValue().getName());
             }
         }
-        return Collections.unmodifiableList(indicesAndAliases);
+        return Collections.unmodifiableList(authorizedIndicesForAction);
     }
 
     private void buildIndicesAccessControl(Authentication authentication, String action,