Analyze and get templates index action privileges #47500

Open
albertzaharovits opened this issue Oct 3, 2019 · 5 comments
Labels
>enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team team-discuss

Comments

@albertzaharovits
Contributor

The `indices:admin/analyze` and `indices:admin/template/get` actions currently require the `manage` index privilege. `manage` is too broad and it would be more desirable that callers of these actions require a much more restricted privilege. Given the current structure, I suggest we move them under `view_index_metadata`.

For reference here are all the actions of an indices admin client:

```
# monitor
indices:monitor/stats
indices:monitor/recovery
indices:monitor/segments
indices:monitor/shard_stores
indices:monitor/upgrade

# view_index_metadata
indices:monitor/settings/get
indices:admin/aliases/get
indices:admin/get
indices:admin/mapping/get
indices:admin/mappings/fields/get
indices:admin/validate/query
indices:admin/ilm/explain (not an indices admin client operation, yet?)

# manage
indices:admin/create
indices:admin/delete
indices:admin/close
indices:admin/open
indices:admin/aliases
indices:admin/upgrade
indices:admin/template/put
indices:admin/resize
indices:admin/settings/update
indices:admin/mapping/put
indices:admin/template/delete
indices:admin/rollover
indices:admin/cache/clear

indices:admin/refresh
indices:admin/flush
indices:admin/synced_flush
indices:admin/forcemerge

indices:admin/analyze
indices:admin/template/get
```

Related #29998

@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020
@tdmalone

Possibly also related: #53110

@kunisen
Contributor

kunisen commented Jul 3, 2020

any updates here?

@tvernum
Contributor

tvernum commented Jul 6, 2020

@kunisen No. If the issue is unassigned and has no recent comment or a link to a PR, then it is generally safe to assume that nothing has changed.

@andrassy

andrassy commented Feb 8, 2021

👍

Also relates to elastic/kibana#36635 - it's hard to make a read-only Kibana user where autocomplete works properly in Kibana Dev Tools. The Kibana POST to `/api/console/proxy?path=_template&method=GET` results in a security exception and all autocomplete fails to operate:

```json
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:admin/template/get] is unauthorized for user [...]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/template/get] is unauthorized for user [...]"
  },
  "status" : 403
}
```
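Added example, not code from this issue, its participants or Elasticsearch: a small audit helper that extracts the denied action from a 403 body like the one above and reports what else a role would receive if the covering privilege from the opening comment's listing were granted. The names `LISTING`, `denied_actions`, `grant_cost` and `SAMPLE` are hypothetical, and the grouping is transcribed from that listing rather than read from a cluster.

```python
import json
import re

# Grouping transcribed from the listing in the issue's opening comment; it
# mirrors that comment, not necessarily any given Elasticsearch release.
LISTING = {
    "monitor": """indices:monitor/stats indices:monitor/recovery
        indices:monitor/segments indices:monitor/shard_stores
        indices:monitor/upgrade""".split(),
    "view_index_metadata": """indices:monitor/settings/get
        indices:admin/aliases/get indices:admin/get indices:admin/mapping/get
        indices:admin/mappings/fields/get indices:admin/validate/query
        indices:admin/ilm/explain""".split(),
    "manage": """indices:admin/create indices:admin/delete indices:admin/close
        indices:admin/open indices:admin/aliases indices:admin/upgrade
        indices:admin/template/put indices:admin/resize
        indices:admin/settings/update indices:admin/mapping/put
        indices:admin/template/delete indices:admin/rollover
        indices:admin/cache/clear indices:admin/refresh indices:admin/flush
        indices:admin/synced_flush indices:admin/forcemerge
        indices:admin/analyze indices:admin/template/get""".split(),
}
DENIED = re.compile(r"action \[([^\]]+)\] is unauthorized")

def denied_actions(body):
    """Action names named in the security_exception reasons of a 403 body."""
    err = json.loads(body).get("error", {})
    causes = [err] + list(err.get("root_cause", []))
    return {m.group(1) for c in causes if c.get("type") == "security_exception"
            for m in DENIED.finditer(c.get("reason", ""))}

def grant_cost(actions):
    """Map each action to (covering privilege, other actions it also grants)."""
    report = {}
    for action in sorted(actions):
        group = next((g for g, a in LISTING.items() if action in a), None)
        report[action] = (group, [a for a in LISTING.get(group, []) if a != action])
    return report

# Constructed sample: the 403 body quoted in the thread, user elided as there.
SAMPLE = """{"error": {"root_cause": [{"type": "security_exception",
  "reason": "action [indices:admin/template/get] is unauthorized for user [...]"}],
  "type": "security_exception",
  "reason": "action [indices:admin/template/get] is unauthorized for user [...]"},
  "status": 403}"""

if __name__ == "__main__":
    for action, (group, extra) in grant_cost(denied_actions(SAMPLE)).items():
        print(f"{action}: needs {group!r}, which also grants {len(extra)} others")
```

Run against the sample, it shows that satisfying the single read-only template lookup via `manage` also hands the role the other actions listed under that privilege, including `indices:admin/delete`.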
