Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Operator privileges do not work properly in a mixed version cluster #79354

Closed
ywangd opened this issue Oct 18, 2021 · 1 comment · Fixed by #79412
Closed

Operator privileges do not work properly in a mixed version cluster #79354

ywangd opened this issue Oct 18, 2021 · 1 comment · Fixed by #79412
Assignees
@ywangd
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team

Comments

@ywangd
Copy link
Member

ywangd commented Oct 18, 2021

The operator privilege feature works by settng a special header in authenticating user's threadContext. This header is not preserved in a mixed version cluster when the request must be rerouted from a local node to a remote node of different version:

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java

Lines 104 to 107 in 6895511

// re-write the authentication since we want the authentication version to match the version of the connection
securityContext.executeAfterRewritingAuthentication(original -> sendWithUser(connection, action, request, options,
new ContextRestoreResponseHandler<>(threadPool.getThreadContext().wrapRestorable(original), handler), sender),
minVersion);

When sending request across nodes of different version, only the authentication object of the original request is preserved and other security related information is dropped. This leads to the remote node not recognising the user as an operator and in turns fails with and "unauthorized" (403) error.
@ywangd ywangd added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Oct 18, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Oct 18, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@ywangd ywangd self-assigned this Oct 18, 2021
ywangd added a commit to ywangd/elasticsearch that referenced this issue Oct 19, 2021
@ywangd
Preserve request headers in a mixed version cluster
b8fac3a 
When rewriting authentication for requests crossing nodes of different
versions, we now preserve all request headers except the authentication
one which needs to be rewritten. Previously all other request headers
were dropped and it caused issue like an operator user not being
recognised on the remote node. Other now preserved headers include audit
and system index access. This new behaviour is more correct because we
would never drop these headers if the nodes are on the same version.

Resolves: elastic#79354
@ywangd ywangd mentioned this issue Oct 19, 2021
Merged
ywangd added a commit that referenced this issue Oct 19, 2021
@ywangd
Preserve request headers in a mixed version cluster (#79412)
75319f4 
When rewriting authentication for requests crossing nodes of different
versions, we now preserve all request headers except the authentication
one which needs to be rewritten. Previously all other request headers
were dropped and it caused issue like an operator user not being
recognised on the remote node. Other now preserved headers include audit
and system index access. This new behaviour is more correct because we
would never drop these headers if the nodes are on the same version.

Resolves: #79354
ywangd added a commit to ywangd/elasticsearch that referenced this issue Oct 19, 2021
@ywangd
Preserve request headers in a mixed version cluster (elastic#79412)
79e42a4 
When rewriting authentication for requests crossing nodes of different
versions, we now preserve all request headers except the authentication
one which needs to be rewritten. Previously all other request headers
were dropped and it caused issue like an operator user not being
recognised on the remote node. Other now preserved headers include audit
and system index access. This new behaviour is more correct because we
would never drop these headers if the nodes are on the same version.

Resolves: elastic#79354
@ywangd ywangd mentioned this issue Oct 19, 2021
Merged
ywangd added a commit to ywangd/elasticsearch that referenced this issue Oct 19, 2021
@ywangd
Preserve request headers in a mixed version cluster (elastic#79412)
1d46bbb 
When rewriting authentication for requests crossing nodes of different
versions, we now preserve all request headers except the authentication
one which needs to be rewritten. Previously all other request headers
were dropped and it caused issue like an operator user not being
recognised on the remote node. Other now preserved headers include audit
and system index access. This new behaviour is more correct because we
would never drop these headers if the nodes are on the same version.

Resolves: elastic#79354
@ywangd ywangd mentioned this issue Oct 19, 2021
Merged
elasticsearchmachine pushed a commit that referenced this issue Oct 19, 2021
@ywangd
Preserve request headers in a mixed version cluster (#79412) (#79441)
c77b0ea 
* Preserve request headers in a mixed version cluster (#79412)

When rewriting authentication for requests crossing nodes of different
versions, we now preserve all request headers except the authentication
one which needs to be rewritten. Previously all other request headers
were dropped and it caused issue like an operator user not being
recognised on the remote node. Other now preserved headers include audit
and system index access. This new behaviour is more correct because we
would never drop these headers if the nodes are on the same version.

Resolves: #79354

* for for 7.x quirks
elasticsearchmachine pushed a commit that referenced this issue Oct 19, 2021
@ywangd @elasticmachine
Preserve request headers in a mixed version cluster (#79412) (#79439)
74ba6fb 
When rewriting authentication for requests crossing nodes of different
versions, we now preserve all request headers except the authentication
one which needs to be rewritten. Previously all other request headers
were dropped and it caused issue like an operator user not being
recognised on the remote node. Other now preserved headers include audit
and system index access. This new behaviour is more correct because we
would never drop these headers if the nodes are on the same version.

Resolves: #79354

Co-authored-by: Elastic Machine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ywangd ywangd

Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Preserve request headers in a mixed version cluster ywangd/elasticsearch
2 participants
@ywangd @elasticmachine