Skip to content

Fix unsupported privileges error message during role and API key crea…#128858

Merged
gmjehovich merged 7 commits intoelastic:mainfrom
gmjehovich:fix/unsupported-privilege-error-msg
Jun 4, 2025
Merged

Fix unsupported privileges error message during role and API key crea…#128858
gmjehovich merged 7 commits intoelastic:mainfrom
gmjehovich:fix/unsupported-privilege-error-msg

Conversation

@gmjehovich
Copy link
Contributor

@gmjehovich gmjehovich commented Jun 3, 2025

This PR resolves an issue where Elasticsearch's error message for unknown index privileges was verbose and unclear.

Previously, when a role or API key was created with an unrecognized index privilege, the resulting error message listed valid privileges using a privilege_name1=[privilege_name1], privilege_name2=[privilege_name2]... format (e.g., read=[read], write=[write]...).

This change ensures that names of valid index privileges are displayed only once instead of in that repeated format. They are also displayed alphabetically for testability and improved readability.

This change was validated with a unit test in IndexPrivilegeTest as well as a modification to an integration test I recently added in PutRoleRestIT.

Example of new error message:

 unknown index privilege [<invalid_privilege>]. a privilege must be either one of the predefined fixed indices privileges [all,auto_configure,create,create_doc,create_index,cross_cluster_replication,cross_cluster_replication_internal,delete,delete_index,index,maintenance,manage,manage_data_stream_lifecycle,manage_failure_store,manage_follow_index,manage_ilm,manage_leader_index,monitor,none,read,read_cross_cluster,read_failure_store,view_index_metadata,write] or a pattern over one of the available index actions

Closes #128132
@gmjehovich gmjehovich requested a review from jfreden June 3, 2025 18:59
@gmjehovich gmjehovich self-assigned this Jun 3, 2025
@gmjehovich gmjehovich requested a review from a team as a code owner June 3, 2025 18:59
@gmjehovich gmjehovich added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team auto-backport Automatically create backport pull requests when merged v8.19.0 v9.1.0 v9.0.2 v8.17.8 v8.18.3 labels Jun 3, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jun 3, 2025

Pinging @elastic/es-security (Team:Security)
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jun 3, 2025

Hi @gmjehovich, I've created a changelog YAML for you.
jfreden
jfreden approved these changes Jun 4, 2025
View reviewed changes
Copy link
Contributor

@jfreden jfreden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job! LGTM! Can you change the label to enhancement instead of bug and update the change log to reflect that?
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jun 4, 2025

Hi @gmjehovich, I've updated the changelog YAML for you.
@gmjehovich gmjehovich merged commit 64460df into elastic:main Jun 4, 2025
23 checks passed
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jun 4, 2025

💔 Backport failed

Status Branch Result
8.19 Commit could not be cherrypicked due to conflicts
9.0 Commit could not be cherrypicked due to conflicts
8.17 Commit could not be cherrypicked due to conflicts
8.18 Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 128858
@gmjehovich gmjehovich mentioned this pull request Jun 9, 2025
Merged
gmjehovich added a commit that referenced this pull request Jun 11, 2025
@gmjehovich
[9.0] Fix unsupported privileges error message during role and API ke…
e649019 
…y creation (#128858) (#129158)

* Fix unsupported privileges error message during role and API key creation

* [CI] Auto commit changes from spotless

* Add changelog file

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
This was referenced Jun 11, 2025
Merged
Merged
gmjehovich added a commit to gmjehovich/elasticsearch that referenced this pull request Jun 11, 2025
@gmjehovich
[9.0] Fix unsupported privileges error message during role and API ke…
491bb74 
…y creation (elastic#128858) (elastic#129158)

* Fix unsupported privileges error message during role and API key creation

* [CI] Auto commit changes from spotless

* Add changelog file

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
elasticsearchmachine pushed a commit that referenced this pull request Jun 11, 2025
@gmjehovich
[9.0] Fix unsupported privileges error message during role and API ke…
5d7bdfd 
…y creation (#128858) (#129158) (#129276)

* Fix unsupported privileges error message during role and API key creation

* [CI] Auto commit changes from spotless

* Add changelog file

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
elasticsearchmachine pushed a commit that referenced this pull request Jun 11, 2025
@gmjehovich
[9.0] Fix unsupported privileges error message during role and API ke…
3509cbb 
…y creation (#128858) (#129158) (#129274)

* Fix unsupported privileges error message during role and API key creation

* [CI] Auto commit changes from spotless

* Add changelog file

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

auto-backport Automatically create backport pull requests when merged backport pending >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v8.17.8 v8.18.3 v8.19.0 v9.0.2 v9.1.0

3 participants

@gmjehovich @elasticsearchmachine @jfreden