diff --git a/core/security/validate.go b/core/security/validate.go
index c132c9cc..490d6c05 100644
--- a/core/security/validate.go
+++ b/core/security/validate.go
@@ -153,7 +153,10 @@ func ValidateIndex(req IndexRequest, userRole RolePermission) (err error) {
  }
  }
  if _, ok := userRole.ElasticPrivilege.Index[req.Cluster]; !ok {
- return fmt.Errorf("no permission of cluster [%s]", req.Cluster)
+ if !hasAllCluster {
+ return fmt.Errorf("no permission of cluster [%s]", req.Cluster)
+ }
+ return fmt.Errorf("no index permission %s of cluster [%s]", req.Privilege, req.Cluster)
  }
  allowed = validateIndexPermission(req.Index, apiPrivileges, userRole.ElasticPrivilege.Index[req.Cluster])
  if allowed {
diff --git a/modules/elastic/api/discover.go b/modules/elastic/api/discover.go
index 23f1af8e..92b03ff8 100644
--- a/modules/elastic/api/discover.go
+++ b/modules/elastic/api/discover.go
@@ -28,6 +28,7 @@ import (
  "fmt"
  "github.com/buger/jsonparser"
  log "github.com/cihub/seelog"
+ "infini.sh/console/core/security"
  httprouter "infini.sh/framework/core/api/router"
  "infini.sh/framework/core/elastic"
  "infini.sh/framework/core/orm"
@@ -65,6 +66,26 @@ func (h *APIHandler) HandleEseSearchAction(w http.ResponseWriter, req *http.Requ
  h.WriteError(w, err.Error(), http.StatusInternalServerError)
  return
  }
+ //validate index search api permission
+ reqUser, err := security.FromUserContext(req.Context())
+ if err != nil {
+ log.Error(err)
+ h.WriteError(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ newRole := security.CombineUserRoles(reqUser.Roles)
+ indexReq := security.IndexRequest{
+ Cluster: targetClusterID,
+ Index: reqParams.Index,
+ Privilege: []string{"indices.search"},
+ }
+
+ err = security.ValidateIndex(indexReq, newRole)
+ if err != nil {
+ log.Error(err)
+ h.WriteError(w, err.Error(), http.StatusForbidden)
+ return
+ }
  ver := client.GetVersion()
  if _, ok := reqParams.Body["track_total_hits"]; ok {
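Review bot: In the new `!ok` branch both arms deny, so `hasAllCluster` changes only the wording of the error and not the decision; if that is intended, say so next to the check with `// an all-cluster grant does not by itself confer index privileges; an explicit per-cluster index entry is still required`, and if wildcard-cluster roles were instead meant to fall through to the index check, this branch is where that lookup is missing. The second message formats `req.Privilege`, a `[]string`, with `%s`, which renders as `[indices.search]` in the 403 body that discover.go returns verbatim; `strings.Join(req.Privilege, ",")` reads better if validate.go already imports strings. `hasAllCluster` is declared above the hunk and ValidateIndex continues below it.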
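Review bot: The new `security.ValidateIndex` call sits after code that can already fail with a 500, so a user with no privilege on `targetClusterID` still drives the cluster lookup and request parsing before being refused; since init.go replaces `RequireClusterPermission` with `RequireLogin` for this route, this call is now the only authorization gate and should run as soon as `targetClusterID` and `reqParams.Index` are known. A denial is an expected client outcome rather than a server fault, so `log.Error(err)` ahead of the 403 turns every forbidden request into an error-level entry; a warn-level line naming the user from `reqUser`, the cluster and `reqParams.Index` is the audit record a defender actually wants. A failure of `security.FromUserContext` means the request carries no authenticated user, which reads as 401 rather than 500, although `RequireLogin` presumably makes that path unreachable. Whether `validateIndexPermission` resolves a wildcard or comma-separated `reqParams.Index` against each matched index is decided outside this hunk and is worth confirming, since a pattern that matches an index the role does not name would otherwise pass the check. HandleEseSearchAction begins and ends outside the hunk.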
diff --git a/modules/elastic/api/init.go b/modules/elastic/api/init.go
index c013de31..59cc41e1 100644
--- a/modules/elastic/api/init.go
+++ b/modules/elastic/api/init.go
@@ -74,7 +74,7 @@ func init() {
  api.HandleAPIMethod(api.GET, "/elasticsearch/:id/saved_objects/view/:view_id", clusterAPI.RequireClusterPermission(clusterAPI.HandleGetViewAction))
  api.HandleAPIMethod(api.POST, "/elasticsearch/:id/view/:view_id/_set_default_layout", clusterAPI.RequireClusterPermission(clusterAPI.SetDefaultLayout))
- api.HandleAPIMethod(api.POST, "/elasticsearch/:id/search/ese", clusterAPI.RequireClusterPermission(clusterAPI.HandleEseSearchAction))
+ api.HandleAPIMethod(api.POST, "/elasticsearch/:id/search/ese", clusterAPI.RequireLogin(clusterAPI.HandleEseSearchAction))
  api.HandleAPIMethod(api.GET, "/elasticsearch/:id/search/trace_id", clusterAPI.HandleTraceIDSearchAction)
  api.HandleAPIMethod(api.POST, "/elasticsearch/:id/suggestions/values/:index", clusterAPI.RequireClusterPermission(clusterAPI.HandleValueSuggestionAction))
  api.HandleAPIMethod(api.POST, "/elasticsearch/:id/setting", clusterAPI.RequireClusterPermission(clusterAPI.HandleSettingAction))
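Review bot: The ese search route now requires only a login, so the cluster-permission check that every neighbouring route in this hunk still applies at the router is delegated entirely to the in-handler `security.ValidateIndex` call in discover.go, and nothing at this layer will notice if that call is later moved or removed. Make the dependency visible above the changed line with `// cluster and index permission for this route are enforced inside HandleEseSearchAction via security.ValidateIndex`. The `HandleTraceIDSearchAction` registration two lines below carries no wrapper at all; that predates this change, but it stands out once a second search route is loosened and is worth a look in the same pass. The init() body continues outside the hunk.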