Add "_storage" internal user #95694
Add "_storage" internal user #95694
Conversation
This commit adds a new internal user to security. The "_storage" user (`StorageInternalUser`) is used to perform refreshes (and, in the future, similar actions) that may not be permitted by the authenticated user.
tvernum added >enhancement :Security/Security 
| Pinging @elastic/es-security (Team:Security) |
| Hi @tvernum, I've created a changelog YAML for you. |
| public static final String APM_ROLE = "apm_system"; | ||
| public static final String ASYNC_SEARCH_NAME = "_async_search"; | ||
| public static final String ASYNC_SEARCH_ROLE = "_async_search"; | ||
| public static final String STORAGE_USER_NAME = "_storage"; |
There was a problem hiding this comment.
Nit: Is this name a bit too generic? I don't quite get what it should be used for by just looking at the name. Maybe it is just due to my lack of context. Feel free to ignore since naming discussion can rather subjective.
There was a problem hiding this comment.
I assume it will be a generic user for any actions that are needed in order to "write to the backing store"
We may have some existing actions that run as _system that ought to be switched over to this user.
I don't love the name, and would be happy with an alternative, but I don't think that's specifically because it's generic in the sense of "could mean many things", but because it's not a term that has an obvious meaning withini the ES code.
There was a problem hiding this comment.
Just to say that #95506 where we first intend to use this user is targeted for serverless. So another option (at least for now) could be to rename this to _serverless. But I do like the generality of _storage as well.
There was a problem hiding this comment.
I don't think we want to have internal users that only exist for serverless (even if the thing they do is currently only needed on serverless). It means we need to create a new user if we want to follow the same pattern on stateful code paths.
| | ||
| assertThat(role.cluster().privileges(), Matchers.hasSize(0)); | ||
| assertThat(role.runAs(), is(RunAsPermission.NONE)); | ||
| assertThat(role.application(), is(ApplicationPermission.NONE)); |
There was a problem hiding this comment.
Nit: we could also assert remote indices is None, i.e.
assertThat(role.remoteIndices(), is(RemoteIndicesPermission.NONE)); 
| public static final String APM_ROLE = "apm_system"; | ||
| public static final String ASYNC_SEARCH_NAME = "_async_search"; | ||
| public static final String ASYNC_SEARCH_ROLE = "_async_search"; | ||
| public static final String STORAGE_USER_NAME = "_storage"; |
There was a problem hiding this comment.
Just to say that #95506 where we first intend to use this user is targeted for serverless. So another option (at least for now) could be to rename this to _serverless. But I do like the generality of _storage as well.
tvernum added the auto-merge-without-approval 
4 participants
This commit adds a new internal user to security. The "_storage" user (
StorageInternalUser) is intended for use when performing automatic refreshes (and, in the future, similar actions) that may not be permitted by the authenticated user.Relates: #95506