Auth error for index template APIs doesn't include manage_index_templates cluster priv #68144
Labels
>bug
:Data Management/Indices APIs
APIs to create and manage indices and templates
:Security/Authorization
Roles, Privileges, DLS/FLS, RBAC/ABAC
Team:Data Management
Meta label for data/management team
Team:Security
Meta label for security team
Comments
jrodewig added the >bug, :Data Management/Indices APIs and :Security/Authorization labels Jan 28, 2021
elasticmachine added the Team:Security and Team:Data Management labels Jan 28, 2021
Pinging @elastic/es-security (Team:Security)
Pinging @elastic/es-core-features (Team:Core/Features)
jrodewig changed the title from "Auth error for index template APIs don't include manage_index_templates cluster priv" to "Auth error for index template APIs doesn't include manage_index_templates cluster priv" Jan 28, 2021
tvernum added a commit to tvernum/elasticsearch that referenced this issue Jan 31, 2021

Some actions that start with "indices:" are actually handled by cluster privileges in ES security (e.g. indices:admin/template/*)

In elastic#60357 and elastic#66900 we added better context information for the error messages that are generated when an action is denied, but the generation of that message did not correctly classify actions between cluster and index level privileges.

This change does 2 things:
1. It fixes the code that determines whether an action is handled by a cluster privilege or an index privilege
2. Includes the words "cluster" and "index" in the error message so that classification is clear to the reader

The latter change is not directly related to the issue being resolved, but in the course of fixing the issue it became evident that the message lacked clarity because it did not tell the reader what type of privilege would be needed to resolve the access denied issue.

Resolves: elastic#68144
tvernum added a commit that referenced this issue Feb 3, 2021

Some actions that start with "indices:" are actually handled by cluster privileges in ES security (e.g. indices:admin/template/*)

In #60357 and #66900 we added better context information for the error messages that are generated when an action is denied, but the generation of that message did not correctly classify actions between cluster and index level privileges.

This change does 2 things:
1. It fixes the code that determines whether an action is handled by a cluster privilege or an index privilege
2. Includes the words "cluster" and "index" in the error message so that classification is clear to the reader

The latter change is not directly related to the issue being resolved, but in the course of fixing the issue it became evident that the message lacked clarity because it did not tell the reader what type of privilege would be needed to resolve the access denied issue.

Resolves: #68144
Elasticsearch version (bin/elasticsearch --version): Latest elasticsearch-8.0.0-SNAPSHOT-darwin-x86_64.tar.gz
Plugins installed: []
JVM version (java -version):
openjdk version "15.0.1" 2020-10-20
OpenJDK Runtime Environment AdoptOpenJDK (build 15.0.1+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 15.0.1+9, mixed mode, sharing)
OS version (uname -a if on a Unix-like system): Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 x86_64

Description of the problem including expected versus actual behavior:
The manage_index_templates cluster privilege lets a user run the following APIs:
However, the authorization error returned by these APIs does not list manage_index_templates as a privilege.

Steps to reproduce:
elastic user, create a mytest role with no cluster privileges:
elastic user, create a test user with the mytest role:
test user. For example, use the put composable index template API:
The request returns the following error message. manage_index_templates should be in the list of privileges but is not included. Only manage,all are listed.
elastic user, add the manage_index_templates cluster privilege to the mytest role:
test user, use the above API again. This time, the attempt will succeed.
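
Added example, not part of the issue or of Elasticsearch's own code: a small Python model of the misclassification described in the commit message and of the "manage,all" list reported in this issue. The privilege tables are a simplified assumption, and the action name and message wording are constructed samples.

```python
from fnmatch import fnmatchcase

# Simplified, assumed privilege tables (not Elasticsearch's real definitions).
CLUSTER_PRIVILEGES = {
    "manage_index_templates": ["indices:admin/template/*"],
    "manage": ["cluster:*", "indices:admin/template/*"],
    "all": ["cluster:*", "indices:admin/template/*"],
    "monitor": ["cluster:monitor/*"],
}
INDEX_PRIVILEGES = {
    "read": ["indices:data/read/*"],
    "manage": ["indices:monitor/*", "indices:admin/*"],
    "all": ["indices:*"],
}


def granting(table, action):
    """Names of the privileges in `table` whose patterns cover `action`."""
    return sorted(name for name, patterns in table.items()
                  if any(fnmatchcase(action, p) for p in patterns))


def classify_by_prefix(action):
    """Buggy model: trusts the action name prefix to pick the privilege type."""
    if action.startswith("indices:"):
        return "index", granting(INDEX_PRIVILEGES, action)
    return "cluster", granting(CLUSTER_PRIVILEGES, action)


def classify_by_privilege(action):
    """Fixed model: an action covered by any cluster privilege is a cluster action."""
    cluster = granting(CLUSTER_PRIVILEGES, action)
    if cluster:
        return "cluster", cluster
    return "index", granting(INDEX_PRIVILEGES, action)


def denial_hint(kind, privileges):
    """Constructed wording that names the privilege type, as the fix describes."""
    return f"this action is granted by the {kind} privileges [{','.join(privileges)}]"


if __name__ == "__main__":
    action = "indices:admin/template/put"  # sample action under indices:admin/template/*
    print("prefix-based:   ", denial_hint(*classify_by_prefix(action)))
    print("privilege-based:", denial_hint(*classify_by_privilege(action)))
```

With the prefix-based model the hint names only the index privileges all and manage, so an administrator reading it would grant the wrong kind of privilege; the privilege-based model lists manage_index_templates and labels it a cluster privilege.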