Add include_data_streams flag for authorization #58154
Conversation
danhermann
added
>non-issue
:Security/Authorization
|
Pinging @elastic/es-core-features (:Core/Features/Data streams) |
elasticmachine
added
the
Team:Data Management
|
I'll resolve the test failures. I'm still interested in feedback on the general approach. |
There was a problem hiding this comment.
The general approach looks good to me. A number of other requests classes
would need to implement this method as well.
I think we should also make sure that the includeDataStreams() method is used in
IndexNameExpressionResolver#concreteIndexNames(...) and IndexNameExpressionResolver#concreteIndices(...) then the overloaded method that
also accepts includeDataStreams boolean parameter can be removed.
| /** | ||
| * Determines whether the action should be applied to data streams | ||
| */ | ||
| default boolean includeDataStreams() { |
There was a problem hiding this comment.
I think we can move this method to IndicesRequest?
|
@elasticmachine run elasticsearch-ci/bwc |
|
@elasticmachine update branch |
|
@elasticmachine run elasticsearch-ci/default-distro |
| * Determines whether the action should be applied to data streams | ||
| */ | ||
| default boolean includeDataStreams() { | ||
| return false; |
There was a problem hiding this comment.
I think we should change the default here, because most indices based action will be supporting data streams.
There was a problem hiding this comment.
Let's keep the default to false. After all apis that need to support data stream resolution have been changed to do that, we can revisit what the default should be.
| @@ -65,11 +65,6 @@ | |||
| indices.create: | |||
| index: logs-foobarbaz | |||
|
|
|||
| - do: | |||
There was a problem hiding this comment.
I'll mute that portion of the test for now since that one call has different behavior when security is enabled or not. Once this PR and #57900 land, its behavior will be the same.
| @@ -457,8 +457,8 @@ private void executeLocalSearch(Task task, SearchTimeProvider timeProvider, Sear | |||
| if (localIndices == null) { | |||
| return Index.EMPTY_ARRAY; //don't search on any local index (happens when only remote indices were specified) | |||
| } | |||
| return indexNameExpressionResolver.concreteIndices(clusterState, indicesOptions, true, | |||
| timeProvider.getAbsoluteStartMillis(), localIndices.indices()); | |||
| return indexNameExpressionResolver.concreteIndices(clusterState, indicesOptions, localIndices, | |||
There was a problem hiding this comment.
I think we should change this resolveLocalIndices() method here. I think we should change the indicesOptions parameter to request (and pass down the request from where it is being invoked).
Then change the concreteIndices() method this method invokes. Remove the options and indexExpressions parameters and add request parameter (of type IndicesRequest). Then
in the body of this method derive the indicesOptions and indices from the request parameter.
| indicesAndAliases.add(aliasOrIndex); | ||
| if (entry.getValue().getType() != IndexAbstraction.Type.DATA_STREAM || includeDataStreams) { | ||
| indicesAndAliases.add(aliasOrIndex); | ||
| } | ||
| } |
There was a problem hiding this comment.
I gave it more thought than it probably warrants.
Overall I am OK with the change, but I would suggest we move this whole logic( if (entry.getValue().getType() != IndexAbstraction.Type.DATA_STREAM || includeDataStreams) {) to
This is the place where we deal with the entities (open/close indices and aliases) behind the "authorised" names, and I believe it would help us to keep complexity under control in an already messy spaghetti.
There was a problem hiding this comment.
Would moving the logic to IndicesAndAliasesResolver still achieve the desired result? The problem is that all requests that implement IndicesRequest.Replaceable have their requested indices replaced with the result of the loadAuthorizedIndices call and this causes problems for the requests such as GET /_alias that do not (and should not) operate on data streams.
There was a problem hiding this comment.
What I mean is to move the whole processing on loadAuthorizedIndices, as you've proposed, over to the method in IndicesAndAliasesResolver. I think the outcome is the same, but it feels to me like a better place for these kind of processing on index names based on requests. Makes sense?
There was a problem hiding this comment.
Ah, thanks for the clarification. I will make that change.
|
This is likely to be included in #58381 since the two concerns are tightly related. |
danhermann
force-pushed
the
include_ds_flag_for_authorization
branch
from
d11c6c9 to
279f4f4
Compare
danhermann
force-pushed
the
include_ds_flag_for_authorization
branch
from
9950d0a to
9125043
Compare
Most of the work around the addition of an
includeDataStreamsflag was done in #58381. The remainder of this PR adds the flag to the appropriate request classes, updatesIndexNameExpressionResolverto rely on the flag rather than a separate boolean flag, and updates tests.This PR adds anincludeDataStreamsflag to theIndicesRequestinterface so that it is available whenAuthorizationEngine::loadAuthorizedIndicesis called. This is necessary to avoid different behaviors when security is enabled and disabled.The disparate behavior is described in the referenced issue. When aGET */_aliasrequest (or any other request that does not operate on data streams) is sent without security enabled, any data streams present are ignored by theIndexNameExpressionResolverclass and the correct HTTP 200 response is returned.When security is enabled, the star inGET */_aliasis first resolved to all authorized indices, aliases, and data streams. Because the_aliasendpoint does not understand data streams, the first data stream it encounters among the list of authorized indices is treated as an alias and an incorrect 404 for "unknown alias" is returned.This PR changesAuthorizationServiceto selectively exclude (in the case of most requests) or include (and the case ofResolveIndexAction.Requestand other requests that opt in) data streams during the authorized index resolution phase.Especially interested in feedback from @elastic/es-security.Fixes #57712
Relates to #53100