Phase 1 support for operator privileges (#65256) (#65802)

In some Elastic Stack environments, there is a distinction between the operator
of the cluster infrastructure and the administrator of the cluster. This
distinction cannot be supported currently because the "administrator" often has
the superuser role which grants each and every privilege of the cluster.

This PR adds a new feature to protect a fixed set of APIs from the
"administrator" even when it is a highly privileged user such as superuser. It
enhances the Elasticsearch security model to have an additional layer of
restriction in addition to the RBAC.

Co-authored-by: Tim Vernum <[email protected]>

Author: ywangd

x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java

@@ -104,7 +104,9 @@ public enum Feature {
 
         AGGREGATE_METRIC(OperationMode.MISSING, true),
 
-        SEARCHABLE_SNAPSHOTS(OperationMode.ENTERPRISE, true);
+        SEARCHABLE_SNAPSHOTS(OperationMode.ENTERPRISE, true),
+
+        OPERATOR_PRIVILEGES(OperationMode.ENTERPRISE, true);
 
         final OperationMode minimumOperationMode;
         final boolean needsActive;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackField.java

@@ -65,6 +65,8 @@ public final class XPackField {
     public static final String DATA_TIERS = "data_tiers";
     /** Name constant for the aggregate_metric plugin. */
     public static final String AGGREGATE_METRIC = "aggregate_metric";
+    /** Name constant for the operator privileges feature. */
+    public static final String OPERATOR_PRIVILEGES = "operator_privileges";
 
     private XPackField() {}
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java

@@ -28,6 +28,7 @@ public class SecurityFeatureSetUsage extends XPackFeatureSet.Usage {
     private static final String IP_FILTER_XFIELD = "ipfilter";
     private static final String ANONYMOUS_XFIELD = "anonymous";
     private static final String FIPS_140_XFIELD = "fips_140";
+    private static final String OPERATOR_PRIVILEGES_XFIELD = XPackField.OPERATOR_PRIVILEGES;
 
     private Map<String, Object> realmsUsage;
     private Map<String, Object> rolesStoreUsage;
@@ -39,6 +40,7 @@ public class SecurityFeatureSetUsage extends XPackFeatureSet.Usage {
     private Map<String, Object> anonymousUsage;
     private Map<String, Object> roleMappingStoreUsage;
     private Map<String, Object> fips140Usage;
+    private Map<String, Object> operatorPrivilegesUsage;
 
     public SecurityFeatureSetUsage(StreamInput in) throws IOException {
         super(in);
@@ -60,14 +62,17 @@ public SecurityFeatureSetUsage(StreamInput in) throws IOException {
         if (in.getVersion().onOrAfter(Version.V_7_5_0)) {
             fips140Usage = in.readMap();
         }
+        if (in.getVersion().onOrAfter(Version.V_7_11_0)) {
+            operatorPrivilegesUsage = in.readMap();
+        }
     }
 
     public SecurityFeatureSetUsage(boolean available, boolean enabled, Map<String, Object> realmsUsage,
                                    Map<String, Object> rolesStoreUsage, Map<String, Object> roleMappingStoreUsage,
                                    Map<String, Object> sslUsage, Map<String, Object> auditUsage,
                                    Map<String, Object> ipFilterUsage, Map<String, Object> anonymousUsage,
                                    Map<String, Object> tokenServiceUsage, Map<String, Object> apiKeyServiceUsage,
-                                   Map<String, Object> fips140Usage) {
+                                   Map<String, Object> fips140Usage, Map<String, Object> operatorPrivilegesUsage) {
         super(XPackField.SECURITY, available, enabled);
         this.realmsUsage = realmsUsage;
         this.rolesStoreUsage = rolesStoreUsage;
@@ -79,6 +84,7 @@ public SecurityFeatureSetUsage(boolean available, boolean enabled, Map<String, O
         this.ipFilterUsage = ipFilterUsage;
         this.anonymousUsage = anonymousUsage;
         this.fips140Usage = fips140Usage;
+        this.operatorPrivilegesUsage = operatorPrivilegesUsage;
     }
 
     @Override
@@ -107,6 +113,9 @@ public void writeTo(StreamOutput out) throws IOException {
         if (out.getVersion().onOrAfter(Version.V_7_5_0)) {
             out.writeMap(fips140Usage);
         }
+        if (out.getVersion().onOrAfter(Version.V_7_11_0)) {
+            out.writeMap(operatorPrivilegesUsage);
+        }
     }
 
     @Override
@@ -123,6 +132,7 @@ protected void innerXContent(XContentBuilder builder, Params params) throws IOEx
             builder.field(IP_FILTER_XFIELD, ipFilterUsage);
             builder.field(ANONYMOUS_XFIELD, anonymousUsage);
             builder.field(FIPS_140_XFIELD, fips140Usage);
+            builder.field(OPERATOR_PRIVILEGES_XFIELD, operatorPrivilegesUsage);
         } else if (sslUsage.isEmpty() == false) {
             // A trial (or basic) license can have SSL without security.
             // This is because security defaults to disabled on that license, but that dynamic-default does not disable SSL.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/AuthenticationField.java

@@ -10,6 +10,8 @@ public final class AuthenticationField {
     public static final String AUTHENTICATION_KEY = "_xpack_security_authentication";
     public static final String API_KEY_ROLE_DESCRIPTORS_KEY = "_security_api_key_role_descriptors";
     public static final String API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY = "_security_api_key_limited_by_role_descriptors";
+    public static final String PRIVILEGE_CATEGORY_KEY = "_security_privilege_category";
+    public static final String PRIVILEGE_CATEGORY_VALUE_OPERATOR = "operator";
 
     private AuthenticationField() {}
 }

x-pack/plugin/security/qa/operator-privileges-tests/build.gradle

@@ -0,0 +1,33 @@
+apply plugin: 'elasticsearch.esplugin'
+apply plugin: 'elasticsearch.java-rest-test'
+
+esplugin {
+  name 'operator-privileges-test'
+  description 'An test plugin for testing hard to get internals'
+  classname 'org.elasticsearch.xpack.security.operator.OperatorPrivilegesTestPlugin'
+}
+
+dependencies {
+  compileOnly project(':x-pack:plugin:core')
+  javaRestTestImplementation project(':x-pack:plugin:core')
+  javaRestTestImplementation project(':client:rest-high-level')
+  javaRestTestImplementation project(':x-pack:plugin:security')
+  // let the javaRestTest see the classpath of main
+  javaRestTestImplementation project.sourceSets.main.runtimeClasspath
+}
+
+testClusters.all {
+  testDistribution = 'DEFAULT'
+  numberOfNodes = 3
+
+  extraConfigFile 'operator_users.yml', file('src/javaRestTest/resources/operator_users.yml')
+  extraConfigFile 'roles.yml', file('src/javaRestTest/resources/roles.yml')
+
+  setting 'xpack.license.self_generated.type', 'trial'
+  setting 'xpack.security.enabled', 'true'
+  setting 'xpack.security.http.ssl.enabled', 'false'
+  setting 'xpack.security.operator_privileges.enabled', "true"
+
+  user username: "test_admin", password: 'x-pack-test-password', role: "superuser"
+  user username: "test_operator", password: 'x-pack-test-password', role: "limited_operator"
+}