
Auth error for index template APIs doesn't include manage_index_templates cluster priv #68144

Closed
jrodewig opened this issue Jan 28, 2021 · 3 comments · Fixed by #68260
Labels
>bug :Data Management/Indices APIs APIs to create and manage indices and templates :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Data Management Meta label for data/management team Team:Security Meta label for security team

Comments


jrodewig commented Jan 28, 2021

Elasticsearch version (bin/elasticsearch --version): Latest elasticsearch-8.0.0-SNAPSHOT-darwin-x86_64.tar.gz

Plugins installed: []

JVM version (java -version):

openjdk version "15.0.1" 2020-10-20
OpenJDK Runtime Environment AdoptOpenJDK (build 15.0.1+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 15.0.1+9, mixed mode, sharing)

OS version (uname -a if on a Unix-like system):
Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 x86_64

Description of the problem including expected versus actual behavior:

The manage_index_templates cluster privilege lets a user run the following APIs:

However, the authorization error returned by these APIs does not list manage_index_templates as a privilege.

Steps to reproduce:

1. As the elastic user, create a mytest role with no cluster privileges:
POST _security/role/mytest
{
  "cluster": [
  ],
  "indices": [ ]
}
2. As the elastic user, create a test user with the mytest role:
POST _security/user/test
{
  "password" : "...",
  "roles" : [ "mytest" ]
}
3. Use one of the above APIs as the test user. For example, use the put composable index template API:
PUT _index_template/template_1
{
  "index_patterns" : ["te*"],
  "priority" : 1
}

The request returns the following error message. manage_index_templates should be in the list of privileges but is not included. Only manage,all are listed.

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:admin/index_template/put] is unauthorized for user [test], this action is granted by the privileges [manage,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/index_template/put] is unauthorized for user [test], this action is granted by the privileges [manage,all]"
  },
  "status" : 403
}
4. As the elastic user, add the manage_index_templates cluster privilege to the mytest role:
POST _security/role/mytest
{
  "cluster": [
    "manage_index_templates"
  ],
  "indices": [ ]
}
5. As the test user, use the above API again. This time, the attempt will succeed.
PUT _index_template/template_1
{
  "index_patterns" : ["te*"],
  "priority" : 1
}
@jrodewig jrodewig added >bug :Data Management/Indices APIs APIs to create and manage indices and templates :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Jan 28, 2021
@elasticmachine elasticmachine added Team:Security Meta label for security team Team:Data Management Meta label for data/management team labels Jan 28, 2021

Pinging @elastic/es-security (Team:Security)


Pinging @elastic/es-core-features (Team:Core/Features)

@jrodewig jrodewig changed the title Auth error for index template APIs don't include manage_index_templates cluster priv Auth error for index template APIs doesn't include manage_index_templates cluster priv Jan 28, 2021
@tvernum tvernum self-assigned this Jan 28, 2021
tvernum added a commit to tvernum/elasticsearch that referenced this issue Jan 31, 2021
Some actions that start with "indices:" are actually handled by
cluster privileges in ES security (e.g. indices:admin/template/*)
In elastic#60357 and elastic#66900 we added better context information for the
error messages that are generated when an action is denied, but the
generation of that message did not correctly classify actions between
cluster and index level privileges.

This change does 2 things:
1. It fixes the code that determines whether an action is handled by a
   cluster privilege or an index privilege
2. Includes the words "cluster" and "index" in the error message so
   that classification is clear to the reader

The latter change is not directly related to the issue being resolved,
but in the course of fixing the issue it became evident that the
message lacked clarity because it did not tell the reader what type of
privilege would be needed to resolve the access denied issue.

Resolves: elastic#68144
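As an added illustration (not code from this issue or from Elasticsearch itself), the following Python models the classification problem the commit message describes: a classifier that decides by the "indices:" name prefix builds the denial message from the index privilege table and so lists only [manage,all], while one that asks whether any cluster privilege covers the action lists manage_index_templates and names the privilege type. The privilege tables and action patterns are a constructed, simplified assumption, and the alphabetical ordering of listed privileges is this example's choice.

```python
import fnmatch
from typing import Dict, List, Set

# Constructed, heavily simplified model of the Elasticsearch privilege tables.
# Only entries needed to illustrate this issue are present; the real tables in
# x-pack security are far larger, and these patterns are an assumption.
CLUSTER_PRIVILEGES: Dict[str, Set[str]] = {
    "all": {"cluster:*", "indices:admin/template/*", "indices:admin/index_template/*"},
    "manage": {"cluster:*", "indices:admin/template/*", "indices:admin/index_template/*"},
    "manage_index_templates": {"indices:admin/template/*", "indices:admin/index_template/*"},
    "monitor": {"cluster:monitor/*"},
}
INDEX_PRIVILEGES: Dict[str, Set[str]] = {
    "all": {"indices:*"},
    "manage": {"indices:monitor/*", "indices:admin/*"},
}

def _matches(action: str, patterns: Set[str]) -> bool:
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _granting(table: Dict[str, Set[str]], action: str) -> List[str]:
    """Names of privileges in `table` whose patterns cover `action`, sorted."""
    return sorted(name for name, pats in table.items() if _matches(action, pats))

def is_cluster_action_by_prefix(action: str) -> bool:
    """Buggy classification: only names starting with 'cluster:' are cluster actions."""
    return action.startswith("cluster:")

def is_cluster_action(action: str) -> bool:
    """Corrected classification: an action is cluster-level if any cluster
    privilege covers it, even when its name starts with 'indices:'."""
    return action.startswith("cluster:") or any(
        _matches(action, pats) for pats in CLUSTER_PRIVILEGES.values())

def denial_message(action: str, user: str, fixed: bool) -> str:
    """Build the security_exception reason text for a denied action."""
    cluster_level = (is_cluster_action if fixed else is_cluster_action_by_prefix)(action)
    if cluster_level:
        scope, privs = "cluster", _granting(CLUSTER_PRIVILEGES, action)
    else:
        scope, privs = "index", _granting(INDEX_PRIVILEGES, action)
    # The fixed message also names the privilege type, as the commit describes.
    label = f"{scope} privileges" if fixed else "privileges"
    return (f"action [{action}] is unauthorized for user [{user}], "
            f"this action is granted by the {label} [{','.join(privs)}]")

def is_authorized(role_cluster_privs: Set[str], action: str) -> bool:
    """Does the role's cluster privilege set grant this cluster-level action?"""
    return any(_matches(action, CLUSTER_PRIVILEGES[p])
               for p in role_cluster_privs if p in CLUSTER_PRIVILEGES)
```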

tvernum commented Jan 31, 2021

Relates: #42166, #60357, #66900

tvernum added a commit that referenced this issue Feb 3, 2021