Prevent invalid named privileges in manage roles privilege #127496


Open

n1v0lg opened this issue Apr 29, 2025 · 3 comments
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team

Comments


n1v0lg commented Apr 29, 2025

Elasticsearch Version

8.16 and up

Installed Plugins

No response

Java Version

bundled

OS Version

irrelevant

Problem Description

#110633 introduced the global cluster manage role privilege. This privilege allows limiting the resources and privileges an Elasticsearch user can grant permissions to.

Currently, it's possible to include invalid named privileges in its definition, e.g.:

POST /_security/role/bad-role
{
    "global": {
        "role": {
            "manage": {
                "indices": [
                    {
                        "names": ["allowed-index-prefix-*"],
                        "privileges":["foobar"] <- not a valid named privilege
                    }
                ]
            }
        }
    }
}

This results in a broken role: a user assigned this role will receive failures at runtime when attempting to authenticate.

We can instead prevent this by adding a validation step during role creation, hereabouts.

Steps to Reproduce

Create a role with the global manage role permission that includes an unknown named privilege:

POST /_security/role/bad-role
{
    "global": {
        "role": {
            "manage": {
                "indices": [
                    {
                        "names": ["allowed-index-prefix-*"],
                        "privileges":["foobar"] <- not a valid named privilege
                    }
                ]
            }
        }
    }
}

Create a user with that role:

POST /_security/user/bad-user
{
   "password": "so-secure",
   "roles": ["bad-role"]
}

Call an Elasticsearch API with that user:

GET /_security/_authenticate

Logs (if relevant)

No response

@n1v0lg n1v0lg added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC >bug labels Apr 29, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Apr 29, 2025
@elasticsearchmachine (Collaborator)

Pinging @elastic/es-security (Team:Security)

@gmjehovich gmjehovich self-assigned this Apr 30, 2025
@gmjehovich

Met with @n1v0lg today to walk through this issue and relevant context.

Confirmed that there is a list of valid privilege names that we can use to validate named privileges.

Tasks on my end for now:

  1. Set up tool for easy API testing as recommended by both Joe and Nikolaj (Possibly Insomnia? Postman?)
  2. Reproduce the bug locally
  3. Dive into the code, figure out where this validation list exists (will reach out if I cannot find it)

@gmjehovich

Since my last comment, I've successfully set up Insomnia and reproduced the bug locally.

I've added a null check on this variable, where I throw an exception if namedPrivilege is null.

Now this test response:

{
    "global": {
        "role": {
            "manage": {
                "indices": [
                    {
                        "names": ["allowed-index-prefix-*"],
                        "privileges": ["foobar"]
                    }
                ]
            }
        }
    }
}

returns the following:

{
	"error": {
		"root_cause": [
			{
				"type": "illegal_argument_exception",
				"reason": "Unknown index privilege [foobar]"
			}
		],
		"type": "illegal_argument_exception",
		"reason": "Unknown index privilege [foobar]"
	},
	"status": 400
}
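The creation-time check this thread converges on, written out as an added Python illustration (not Elasticsearch's own code): it walks global.role.manage.indices[].privileges, rejects any name missing from a known-privilege set, and shapes the 400 response the way the last comment shows. Assumptions: the privilege set is a constructed subset of Elasticsearch's built-in index privilege names, and only named privileges are accepted in this section, as the null-check fix implies.

```python
import json

# Constructed subset of Elasticsearch's built-in index privilege names;
# the authoritative list lives in the server's own privilege registry.
KNOWN_INDEX_PRIVILEGES = frozenset({
    "all", "create", "create_doc", "create_index", "delete", "delete_index",
    "index", "maintenance", "manage", "monitor", "read", "view_index_metadata",
    "write",
})

# Constructed request bodies with the same shape as the bad-role request above.
BAD_ROLE = json.dumps({"global": {"role": {"manage": {"indices": [
    {"names": ["allowed-index-prefix-*"], "privileges": ["foobar"]}]}}}})
GOOD_ROLE = json.dumps({"global": {"role": {"manage": {"indices": [
    {"names": ["allowed-index-prefix-*"], "privileges": ["read", "write"]}]}}}})


def validate_manage_roles(role_body: str) -> list[str]:
    """Check every name under global.role.manage.indices[].privileges against
    the known set. Returns one message per unknown privilege (empty = valid)."""
    role = json.loads(role_body)
    manage = role.get("global", {}).get("role", {}).get("manage", {})
    errors = []
    for entry in manage.get("indices", []):
        for priv in entry.get("privileges", []):
            if priv not in KNOWN_INDEX_PRIVILEGES:
                errors.append(f"Unknown index privilege [{priv}]")
    return errors


def role_creation_response(role_body: str) -> dict:
    """Simulated create-role handler: fail at creation with a 400 (the shape
    shown in the thread) rather than store a role that breaks authentication."""
    errors = validate_manage_roles(role_body)
    if not errors:
        return {"status": 200, "role": {"created": True}}
    reason = errors[0]
    return {
        "status": 400,
        "error": {
            "root_cause": [{"type": "illegal_argument_exception", "reason": reason}],
            "type": "illegal_argument_exception",
            "reason": reason,
        },
    }


if __name__ == "__main__":
    print(json.dumps(role_creation_response(BAD_ROLE), indent=2))
```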
