[FEATURE][ML] User config appropriate permission checks on creating/running analytics #38928

benwtrent
Member

This PR adds headers to the DataFrameAnalyticsConfig and utilizes those headers when running the analysis.

NOTE:
CreateIndexAction.NAME != create_index permission. Had a long chat with the security folks and apparently CreateIndexAction.NAME is treated as a prefix wildcard, whereas create_index is that specific permission for that index pattern.

When creating a role via the UI, the permission that auto-populates is create_index, and since that permission is enough (verified through testing), I opted to use it instead of the more expansive one.

There were many calls that were simply client.execute, but these will all fail when security is turned on due to the default user not having any perms. I used the user's headers where I thought appropriate and changed the calls to be from the ML_ORIGIN.

@benwtrent benwtrent added >feature :ml Machine learning labels Feb 14, 2019
@elasticmachine
Collaborator

Pinging @elastic/ml-core

Contributor

@dimitris-athanasiou dimitris-athanasiou left a comment

This looks good to me apart from a couple of minor comments. But I would also prefer for this to be reviewed by @droberts195 as well, as Dave has a better understanding of the security framework.

Contributor

@droberts195 droberts195 left a comment

Looks good. I just left a few minor comments.

@@ -32,6 +33,10 @@ public DataFrameAnalysisConfig(Map<String, Object> config) {
}
}

public DataFrameAnalysisConfig(DataFrameAnalysisConfig config) {
this.config = new HashMap<>(config.config);
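
Review bot: in the new copy constructor, `new HashMap<>(config.config)` copies only the top level of the `Map<String, Object>`, so any nested map or list values stay shared with the source instance and a change made through one object is visible in the other. If independent copies are the goal, deep-copy the values or keep the map unmodifiable throughout, and add a short Javadoc line stating which guarantee this constructor gives.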
Contributor

Shall we also use this.config = Collections.unmodifiableMap(config.config)?

Contributor

To avoid the nested wrapping problem with Collections.unmodifiableMap we would have to use this.config = Collections.unmodifiableMap(new HashMap<>(config.config)).

However, it would be better to use Collections.unmodifiableMap in the two other constructors instead, and then this one can simply copy the reference safe in the knowledge that the other map is unmodifiable. If we make the class immutable like this then there's actually no need for this copy constructor at all...
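
The immutable design suggested in the comment above, as an added example that is not part of the PR or of the Elasticsearch code base; the class name `ImmutableAnalysisConfig`, the `asMap()` accessor and the sample keys are hypothetical. It also shows the limit of the approach: `Collections.unmodifiableMap` protects only the top level of the map.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the class under review; not the Elasticsearch source.
public final class ImmutableAnalysisConfig {
    private final Map<String, Object> config;

    // Defensive copy first, then exactly one unmodifiable wrapper.
    public ImmutableAnalysisConfig(Map<String, Object> config) {
        this.config = Collections.unmodifiableMap(new HashMap<>(config));
    }

    // The field is already unmodifiable, so a "copy" can share the reference:
    // no second HashMap and no wrapper around a wrapper.
    public ImmutableAnalysisConfig(ImmutableAnalysisConfig other) {
        this.config = other.config;
    }

    public Map<String, Object> asMap() {
        return config;
    }

    public static void main(String[] args) {
        // Constructed sample input; the keys are made up for this example.
        Map<String, Object> source = new HashMap<>();
        source.put("example_analysis", new HashMap<String, Object>());

        ImmutableAnalysisConfig original = new ImmutableAnalysisConfig(source);
        ImmutableAnalysisConfig copy = new ImmutableAnalysisConfig(original);

        // Later changes to the caller's map do not reach the config.
        source.put("added_later", "value");
        System.out.println("leaked from caller map: " + original.asMap().containsKey("added_later"));

        // Top-level writes through the accessor are rejected.
        try {
            copy.asMap().put("added_later", "value");
        } catch (UnsupportedOperationException e) {
            System.out.println("top-level write rejected");
        }

        // Caveat: the wrapper is shallow, so nested mutable values stay writable
        // and are shared by every instance that holds the same top-level map.
        @SuppressWarnings("unchecked")
        Map<String, Object> nested = (Map<String, Object>) copy.asMap().get("example_analysis");
        nested.put("k", 5);
        System.out.println("nested value seen via original: " + original.asMap().get("example_analysis"));
    }
}
```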

Contributor

@dimitris-athanasiou dimitris-athanasiou left a comment

LGTM

@benwtrent benwtrent merged commit a2ab55b into elastic:feature-ml-data-frame-analytics Feb 15, 2019
@benwtrent benwtrent deleted the feature/ml-data-frame-analytics-use-headers-for-query branch February 15, 2019 22:14