Switch XPackSecurity user to have own role

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/XPackSecurityUser.java

@@ -6,6 +6,11 @@
  */
 package org.elasticsearch.xpack.core.security.user;
 
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.support.MetadataUtils;
+
+import java.util.Map;
+
 /**
  * internal user that manages xpack security. Has all cluster/indices permissions.
  */
@@ -14,6 +19,17 @@ public class XPackSecurityUser extends User {
     public static final String NAME = UsernamesField.XPACK_SECURITY_NAME;
     public static final XPackSecurityUser INSTANCE = new XPackSecurityUser();
     private static final String ROLE_NAME = UsernamesField.XPACK_SECURITY_ROLE;
+    public static final RoleDescriptor ROLE_DESCRIPTOR = new RoleDescriptor(
+        ROLE_NAME,
+        new String[] { "all" },
+        new RoleDescriptor.IndicesPrivileges[] {
+            RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("all").allowRestrictedIndices(true).build() },
+        null,
+        null,
+        new String[] { "*" },
+        MetadataUtils.DEFAULT_RESERVED_METADATA,
+        Map.of()
+    );
 
     private XPackSecurityUser() {
         super(NAME, ROLE_NAME);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java

@@ -100,6 +100,7 @@ public class CompositeRolesStore {
     private final AtomicLong numInvalidation = new AtomicLong();
     private final RoleDescriptorStore roleReferenceResolver;
     private final Role superuserRole;
+    private final Role xpackSecurityRole;
     private final Role xpackUserRole;
     private final Role asyncSearchUserRole;
     private final Automaton restrictedIndicesAutomaton;
@@ -149,6 +150,7 @@ public void providersChanged() {
         this.restrictedIndicesAutomaton = resolver.getSystemNameAutomaton();
         this.superuserRole = Role.builder(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR, fieldPermissionsCache, restrictedIndicesAutomaton)
             .build();
+        xpackSecurityRole = Role.builder(XPackSecurityUser.ROLE_DESCRIPTOR, fieldPermissionsCache, restrictedIndicesAutomaton).build();
         xpackUserRole = Role.builder(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, restrictedIndicesAutomaton).build();
         asyncSearchUserRole = Role.builder(AsyncSearchUser.ROLE_DESCRIPTOR, fieldPermissionsCache, restrictedIndicesAutomaton).build();
 
@@ -211,11 +213,14 @@ public void getRole(Subject subject, ActionListener<Role> roleActionListener) {
         }, roleActionListener::onFailure));
     }
 
-    private Role tryGetRoleForInternalUser(Subject subject) {
+    // Accessible by tests
+    Role tryGetRoleForInternalUser(Subject subject) {
         // we need to special case the internal users in this method, if we apply the anonymous roles to every user including these system
         // user accounts then we run into the chance of a deadlock because then we need to get a role that we may be trying to get as the
-        // internal user. The SystemUser is special cased as it has special privileges to execute internal actions and should never be
-        // passed into this method. The XPackSecurityUser has the Superuser role and we can simply return that
+        // internal user.
+        // The SystemUser is special cased as it has special privileges to execute internal actions and should never be passed into this
+        // method.
+        // The other internal users have directly assigned roles that are handled with special cases here
         final User user = subject.getUser();
         if (SystemUser.is(user)) {
             throw new IllegalArgumentException(
@@ -227,7 +232,7 @@ private Role tryGetRoleForInternalUser(Subject subject) {
             return xpackUserRole;
         }
         if (XPackSecurityUser.is(user)) {
-            return superuserRole;
+            return xpackSecurityRole;
         }
         if (AsyncSearchUser.is(user)) {
             return asyncSearchUserRole;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java

@@ -79,6 +79,7 @@
 import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.core.security.user.XPackSecurityUser;
 import org.elasticsearch.xpack.core.security.user.XPackUser;
 import org.elasticsearch.xpack.core.watcher.transport.actions.get.GetWatchAction;
 import org.elasticsearch.xpack.security.Security;
@@ -127,6 +128,7 @@
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyCollection;
@@ -1697,6 +1699,21 @@ private Authentication createAuthentication() {
         );
     }
 
+    public void testXPackSecurityUserCanAccessAnyIndex() {
+        for (String action : Arrays.asList(GetAction.NAME, DeleteAction.NAME, SearchAction.NAME, IndexAction.NAME)) {
+            Predicate<IndexAbstraction> predicate = getXPackSecurityRole().indices().allowedIndicesMatcher(action);
+
+            IndexAbstraction index = mockIndexAbstraction(randomAlphaOfLengthBetween(3, 12));
+            assertThat(predicate.test(index), Matchers.is(true));
+
+            index = mockIndexAbstraction("." + randomAlphaOfLengthBetween(3, 12));
+            assertThat(predicate.test(index), Matchers.is(true));
+
+            index = mockIndexAbstraction(".security-" + randomIntBetween(1, 16));
+            assertThat(predicate.test(index), Matchers.is(true));
+        }
+    }
+
     public void testXPackUserCanAccessNonRestrictedIndices() {
         CharacterRunAutomaton restrictedAutomaton = new CharacterRunAutomaton(TestRestrictedIndices.RESTRICTED_INDICES_AUTOMATON);
         for (String action : Arrays.asList(GetAction.NAME, DeleteAction.NAME, SearchAction.NAME, IndexAction.NAME)) {
@@ -1802,23 +1819,19 @@ private void getRoleForRoleNames(CompositeRolesStore rolesStore, Collection<Stri
         rolesStore.getRole(subject, listener);
     }
 
+    private Role getXPackSecurityRole() {
+        return getInternalUserRole(XPackSecurityUser.INSTANCE);
+    }
+
     private Role getXPackUserRole() {
-        CompositeRolesStore compositeRolesStore = buildCompositeRolesStore(
-            SECURITY_ENABLED_SETTINGS,
-            null,
-            null,
-            null,
-            null,
-            null,
-            null,
-            null,
-            null,
-            null
-        );
-        return compositeRolesStore.getXpackUserRole();
+        return getInternalUserRole(XPackUser.INSTANCE);
     }
 
     private Role getAsyncSearchUserRole() {
+        return getInternalUserRole(AsyncSearchUser.INSTANCE);
+    }
+
+    private Role getInternalUserRole(User internalUser) {
         CompositeRolesStore compositeRolesStore = buildCompositeRolesStore(
             SECURITY_ENABLED_SETTINGS,
             null,
@@ -1831,7 +1844,10 @@ private Role getAsyncSearchUserRole() {
             null,
             null
         );
-        return compositeRolesStore.getAsyncSearchUserRole();
+        final Subject subject = new Subject(internalUser, new RealmRef("__attach", "__attach", randomAlphaOfLength(8)));
+        final Role role = compositeRolesStore.tryGetRoleForInternalUser(subject);
+        assertThat("Role for " + subject, role, notNullValue());
+        return role;
     }
 
     private CompositeRolesStore buildCompositeRolesStore(