add kibana roles to match Searchguard suggestions

Author: jcantrill

src/main/java/io/fabric8/elasticsearch/plugin/acl/BaseRolesSyncStrategy.java

@@ -16,6 +16,7 @@
 
 package io.fabric8.elasticsearch.plugin.acl;
 
+import static io.fabric8.elasticsearch.plugin.acl.SearchGuardRoles.USER_KIBANA_PREFIX;
 import static io.fabric8.elasticsearch.plugin.acl.SearchGuardRoles.USER_PREFIX;
 
 import java.util.Iterator;
@@ -74,4 +75,8 @@ public static String formatUserRoleName(String username) {
         return String.format("%s_%s", USER_PREFIX, OpenshiftRequestContextFactory.getUsernameHash(username));
     }
 
+    public static String formatUserKibanaRoleName(String username) {
+        return String.format("%s_%s", USER_KIBANA_PREFIX, OpenshiftRequestContextFactory.getUsernameHash(username));
+    }
+
 }

src/main/java/io/fabric8/elasticsearch/plugin/acl/RoleBuilder.java

@@ -50,6 +50,10 @@ public RoleBuilder setClusters(String[] clusters) {
         return setClusters(Arrays.asList(clusters));
     }
 
+    public RoleBuilder setClusterActions(String [] clusterActions) {
+        return setClusters(clusterActions);
+    }
+
     public RoleBuilder addIndex(String index) {
         indices.put(index, new HashMap<String, HashSet<String>>());
         return this;

src/main/java/io/fabric8/elasticsearch/plugin/acl/RolesSyncStrategy.java

@@ -22,6 +22,8 @@
  */
 public interface RolesSyncStrategy {
 
+    static final String[] USER_ALL_INDEX_ACTIONS = { "USER_ALL_INDEX_OPS" };
+    static final String[] USER_KIBANA_ROLE_CLUSTER_ACTIONS = { "USER_KIBANA_CLUSTER_OPERATIONS" };
     static final String[] USER_ROLE_CLUSTER_ACTIONS = { "USER_CLUSTER_OPERATIONS" };
     static final String[] PROJECT_ROLE_ACTIONS = { "INDEX_PROJECT" };
     static final String[] KIBANA_ROLE_ALL_INDEX_ACTIONS = { "INDEX_ANY_KIBANA" };

src/main/java/io/fabric8/elasticsearch/plugin/acl/SearchGuardRoles.java

@@ -44,6 +44,7 @@ public class SearchGuardRoles
     public static final String ROLE_PREFIX = "gen";
     public static final String PROJECT_PREFIX = ROLE_PREFIX + "_project";
     public static final String USER_PREFIX = ROLE_PREFIX + "_user";
+    public static final String USER_KIBANA_PREFIX = ROLE_PREFIX + "_kibana";
 
     private static final String CLUSTER_HEADER = "cluster";
     private static final String INDICES_HEADER = "indices";

src/main/java/io/fabric8/elasticsearch/plugin/acl/UserRolesMappingSyncStrategy.java

@@ -31,6 +31,8 @@
  *   users: [user1, user3]
  * gen_user_user2:
  *   users: [user2]
+ * gen_kibana_user2:
+ *   users: [user2]
  */
 public class UserRolesMappingSyncStrategy extends BaseRolesMappingSyncStrategy {
 
@@ -49,6 +51,8 @@ protected void syncFromImpl(UserProjectCache cache, RolesMappingBuilder builder)
             if (cache.isOperationsUser(username, token)) {
                 opsUsers.add(username);
             } else {
+                String kibanaRoleName = BaseRolesSyncStrategy.formatUserKibanaRoleName(username);
+                builder.addUser(kibanaRoleName, username);
                 String roleName = BaseRolesSyncStrategy.formatUserRoleName(username);
                 builder.addUser(roleName, username);
             }

src/main/java/io/fabric8/elasticsearch/plugin/acl/UserRolesSyncStrategy.java

@@ -45,10 +45,18 @@ protected void syncFromImpl(UserProjectCache cache, RolesBuilder builder) {
             if (cache.isOperationsUser(user, token)) {
                 foundAnOpsUser = true;
             } else {
-                String roleName = formatUserRoleName(user);
 
-                //permissions for kibana Index
                 String kibIndexName = formatKibanaIndexName(cache, user, token, kibanaIndexMode);
+
+                //specific permissions for kibana index
+                RoleBuilder kibRole = new RoleBuilder(formatUserKibanaRoleName(user))
+                        .setClusterActions(USER_KIBANA_ROLE_CLUSTER_ACTIONS)
+                        .setActions(kibIndexName, ALL, KIBANA_ROLE_INDEX_ACTIONS)
+                        .setActions(ALL, ALL, USER_ALL_INDEX_ACTIONS);
+                builder.addRole(kibRole.build());
+                
+                //permissions for kibana Index
+                String roleName = formatUserRoleName(user);
                 RoleBuilder role = new RoleBuilder(roleName)
                         .setClusters(USER_ROLE_CLUSTER_ACTIONS)
                         .setActions(kibIndexName, ALL, KIBANA_ROLE_INDEX_ACTIONS);

src/main/java/io/fabric8/elasticsearch/plugin/filter/FieldStatsResponseFilter.java

@@ -71,7 +71,6 @@ public void onResponse(ActionResponse response) {
                             ElasticsearchException err = new ElasticsearchException("The index returned an empty result. "
                                     + "You can use the Time Picker to change the time filter or select a higher time interval",
                                     RestStatus.NO_CONTENT);
-                            
                             listener.onFailure(err);
                             return;
                         }

src/test/resources/io/fabric8/elasticsearch/plugin/user_role_with_shared_kibana_index_with_unique.yml

@@ -1,3 +1,17 @@
+gen_kibana_4c54bf89fe913f39fc22d76309f80cdc6192928f:
+  cluster: [USER_KIBANA_CLUSTER_OPERATIONS]
+  indices:
+    '*':
+      '*': [USER_ALL_INDEX_OPS]
+    ?kibana?4c54bf89fe913f39fc22d76309f80cdc6192928f:
+      '*': [INDEX_KIBANA]
+gen_kibana_994a33f6a157ba4a286395f81a4333db1e6cefb6:
+  cluster: [USER_KIBANA_CLUSTER_OPERATIONS]
+  indices:
+    '*':
+      '*': [USER_ALL_INDEX_OPS]
+    ?kibana?994a33f6a157ba4a286395f81a4333db1e6cefb6:
+      '*': [INDEX_KIBANA]
 gen_ocp_kibana_shared:
   cluster: [CLUSTER_MONITOR_KIBANA]
   indices:

src/test/resources/io/fabric8/elasticsearch/plugin/user_rolesmapping_shared_ops_kibana_index_with_unique.yml

@@ -1,3 +1,7 @@
+gen_kibana_4c54bf89fe913f39fc22d76309f80cdc6192928f:
+  users: ['CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com']
+gen_kibana_994a33f6a157ba4a286395f81a4333db1e6cefb6:
+  users: [[email protected]]
 gen_ocp_kibana_shared:
   users: [user1, user3]
 gen_project_operations: