refactor: Add actual index to 403 logs #74157

Closed

rodrigo-sp17

Implements actual index debug logging. The functionality is achieved by parsing the request description and making a separate debug message to avoid leaking unnecessary details to the client.

Fixes #29714

@elasticsearchmachine elasticsearchmachine added the external-contributor Pull request authored by a developer outside the Elasticsearch team label Jun 15, 2021
@mark-vieira mark-vieira added the :Security/Security Security issues without another label label Jun 25, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jun 25, 2021
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@tvernum
Contributor

tvernum commented Jul 7, 2021

Hi @rodrigo-sp17

This problem was resolved last year in #60357, and since ES 7.12.0 authorization service errors should include the index name when it is relevant.
For example

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:data/read/search] is unauthorized for user [test] on indices [foo], this action is granted by the index privileges [read,all]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:data/read/search] is unauthorized for user [test] on indices [foo], this action is granted by the index privileges [read,all]"
  },
  "status": 403
}

However, if the user does not have access to perform the action on any index, and the request contains wildcards, then the action may fail before we resolve indices. In that case, the message will not list indices (because in fact the error is not index specific - the user cannot perform that action regardless of the index specified).

@tvernum tvernum closed this Jul 7, 2021
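
As an added example (not part of this pull request or of Elasticsearch's code), the following Python sketch shows how a log or response consumer could extract the action, user, indices and granting privileges from the 403 body quoted above, and flag denials that name no index. The function names and the wording of the second sample are assumptions made for illustration.

```python
import json
import re

# Pattern follows the "reason" string quoted above. The "on indices [...]" and
# "granted by" clauses are optional: the index list may be absent (wildcard case).
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r"(?: on indices \[(?P<indices>[^\]]*)\])?"
    r"(?:, this action is granted by the index privileges \[(?P<privileges>[^\]]*)\])?"
)


def _split(value):
    """Split a bracketed comma list; a missing clause (None) becomes []."""
    return [part.strip() for part in value.split(",") if part.strip()] if value else []


def parse_denial(body):
    """Parse a 403 security_exception body; return None for anything else."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict) or doc.get("status") != 403:
        return None
    error = doc.get("error")
    if not isinstance(error, dict) or error.get("type") != "security_exception":
        return None
    match = REASON_RE.search(str(error.get("reason", "")))
    if match is None:
        return None
    indices = _split(match["indices"])
    return {
        "action": match["action"],
        "user": match["user"],
        "indices": indices,
        "privileges": _split(match["privileges"]),
        "index_independent": not indices,  # denial names no index
    }


# Constructed sample 1: the response shown above, condensed to the fields used.
WITH_INDEX = json.dumps({"status": 403, "error": {"type": "security_exception", "reason":
    "action [indices:data/read/search] is unauthorized for user [test] on indices [foo], "
    "this action is granted by the index privileges [read,all]"}})
# Constructed sample 2 (assumed wording): the same reason without the index clause.
WITHOUT_INDEX = json.dumps({"status": 403, "error": {"type": "security_exception", "reason":
    "action [indices:data/read/search] is unauthorized for user [test], "
    "this action is granted by the index privileges [read,all]"}})
```

Calling `parse_denial(WITH_INDEX)` returns the denied index list, while `parse_denial(WITHOUT_INDEX)` sets `index_independent`, which separates a missing index privilege from an action the user cannot perform on any index.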
Successfully merging this pull request may close these issues.

Log REST target with 403