
Bugfix: Prevent invalid privileges in manage roles privilege #128532


Merged
merged 14 commits into from
May 29, 2025

Conversation

gmjehovich
Contributor

This PR addresses the bug reported in #127496.

Changes:

  • Added validation logic in ConfigurableClusterPrivileges to ensure privileges defined for a global cluster manage role privilege are valid.
  • Added unit test to ManageRolePrivilegesTest to ensure invalid privilege is caught during role creation.
  • Updated BulkPutRoleRestIT to assert that an error is thrown and that the role is not created.

Both existing and new unit/integration tests passed locally.
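As an added example (not code from this PR or from Elasticsearch), the following Python models the check the description above introduces: a role whose manage-roles grant names a privilege the cluster does not know is rejected and never stored, which is what the updated BulkPutRoleRestIT asserts. The data shape, KNOWN_INDEX_PRIVILEGES and every function name here are assumptions.

```python
# Model of the manage-roles validation (hypothetical names and shapes).
# A manage-roles grant lets a role create other roles limited to the index
# privileges it lists; an unknown privilege name must reject the whole role.

# Constructed stand-in for the cluster's registry of known index privileges.
KNOWN_INDEX_PRIVILEGES = frozenset({"read", "write", "view_index_metadata", "monitor"})


class InvalidPrivilegeError(ValueError):
    """A manage-roles grant names a privilege the cluster does not know."""


def validate_manage_roles(manage_roles: dict) -> None:
    """Check each grant in a hypothetical manage-roles definition of the form
    {"indices": [{"names": ["logs-*"], "privileges": ["read", "write"]}]}."""
    for grant in manage_roles.get("indices", []):
        unknown = sorted(set(grant.get("privileges", [])) - KNOWN_INDEX_PRIVILEGES)
        if unknown:
            raise InvalidPrivilegeError(
                f"unknown privilege(s) {unknown} in manage-roles grant for {grant.get('names')}"
            )


def validate_role(role: dict) -> None:
    """Validate a role descriptor; roles without a manage-roles grant pass through."""
    manage = role.get("global", {}).get("role", {}).get("manage")
    if manage is not None:
        validate_manage_roles(manage)


def bulk_put_roles(store: dict, roles: dict) -> dict:
    """Model of a bulk role put: each role is validated before it is written,
    so a rejected role never reaches the store. Returns per-role results."""
    results = {}
    for name, role in roles.items():
        try:
            validate_role(role)
        except InvalidPrivilegeError as exc:
            results[name] = f"rejected: {exc}"
            continue
        store[name] = role
        results[name] = "created"
    return results
```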

@gmjehovich gmjehovich added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC :Security/Security Security issues without another label Team:Security Meta label for security team labels May 27, 2025
@elasticsearchmachine
Collaborator

Hi @gmjehovich, I've created a changelog YAML for you.

@n1v0lg n1v0lg self-requested a review May 28, 2025 08:49
@n1v0lg n1v0lg assigned gmjehovich and unassigned gmjehovich and n1v0lg May 28, 2025
@n1v0lg n1v0lg added v8.19.0 auto-backport Automatically create backport pull requests when merged and removed :Security/Security Security issues without another label labels May 28, 2025

@n1v0lg n1v0lg left a comment


LGTM! Nice work 🚀 A couple comments but nothing that requires another round of review.

@gmjehovich gmjehovich added the auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) label May 28, 2025
@elasticsearchmachine

Hi @gmjehovich, I've updated the changelog YAML for you.

@gmjehovich gmjehovich marked this pull request as ready for review May 28, 2025 22:42
@gmjehovich gmjehovich requested a review from a team as a code owner May 28, 2025 22:42
@elasticsearchmachine

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine merged commit 57d4e15 into elastic:main May 29, 2025
23 checks passed
@gmjehovich gmjehovich deleted the managed-role-bug branch May 29, 2025 16:15
@elasticsearchmachine

💔 Backport failed

Status Branch Result
8.19
9.0 Commit could not be cherrypicked due to conflicts
8.17 Commit could not be cherrypicked due to conflicts
8.18 Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 128532

Labels
auto-backport Automatically create backport pull requests when merged auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport pending >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v8.17.8 v8.18.3 v8.19.0 v9.0.2 v9.1.0