also prevent direct access to backing failure indices with FLS/DLS

Author: slobodanadamovic

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java

@@ -17,6 +17,7 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.Maps;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.common.xcontent.support.XContentMapValues;
@@ -1448,7 +1449,21 @@ public void testDlsFls() throws Exception {
 
         assertSearchResponseContainsExpectedIndicesAndFields(
             performRequest(user, new Search("test1::failures").toSearchRequest()),
-            Map.of(failureIndexName, Set.of("@timestamp", "document", "error"))
+            Map.of(
+                failureIndexName,
+                Set.of(
+                    "@timestamp",
+                    "document.id",
+                    "document.index",
+                    "document.source.@timestamp",
+                    "document.source.age",
+                    "document.source.email",
+                    "document.source.name",
+                    "error.message",
+                    "error.stack_trace",
+                    "error.type"
+                )
+            )
         );
 
         // DLS
@@ -1502,6 +1517,40 @@ public void testDlsFls() throws Exception {
              }""", role);
         // DLS does not apply because there is a section without DLS
         expectSearch(user, new Search(randomFrom("test1", "test1::data")), dataIndexDocId);
+
+        // check that direct access to backing failure store indices is not allowed
+        upsertRole(Strings.format("""
+            {
+                 "cluster": ["all"],
+                 "indices": [
+                     {
+                        "names": ["%s"],
+                        "privileges": ["read"],
+                        "field_security": {
+                            "grant": ["@timestamp", "document.source.name"]
+                        }
+                     }
+                 ]
+             }""", failureIndexName), role);
+        // FLS is not applicable to backing failure store indices
+        expectFlsDlsError(() -> performRequest(user, new Search(failureIndexName).toSearchRequest()));
+        expectFlsDlsError(() -> performRequest(user, new Search(".fs-*").toSearchRequest()));
+
+        // DLS is not applicable to backing failure store, even when granted directly
+        upsertRole(Strings.format("""
+            {
+                 "cluster": ["all"],
+                 "indices": [
+                     {
+                        "names": ["%s"],
+                        "privileges": ["read"],
+                        "query":{"term":{"name":{"value":"jack"}}}
+                     }
+                 ]
+             }""", failureIndexName), role);
+        expectFlsDlsError(() -> performRequest(user, new Search(failureIndexName).toSearchRequest()));
+        expectFlsDlsError(() -> performRequest(user, new Search(".fs-*").toSearchRequest()));
+
     }
 
     private static void expectThrows(ThrowingRunnable runnable, int statusCode) {
@@ -1792,7 +1841,7 @@ protected void assertSearchResponseContainsExpectedIndicesAndFields(
                 assertThat(searchResult.keySet(), equalTo(expectedIndicesAndFields.keySet()));
                 for (String index : expectedIndicesAndFields.keySet()) {
                     Set<String> expectedFields = expectedIndicesAndFields.get(index);
-                    assertThat(searchResult.get(index).keySet(), equalTo(expectedFields));
+                    assertThat(Maps.flatten(searchResult.get(index), false, true).keySet(), equalTo(expectedFields));
                 }
             } finally {
                 response.decRef();

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -1142,7 +1142,7 @@ Collection<Object> createComponents(
                 )
             );
             if (DataStream.isFailureStoreFeatureFlagEnabled()) {
-                requestInterceptors.add(new FailureStoreRequestInterceptor(threadPool, getLicenseState()));
+                requestInterceptors.add(new FailureStoreRequestInterceptor(clusterService, projectResolver, threadPool, getLicenseState()));
             }
         }
         requestInterceptors = Collections.unmodifiableSet(requestInterceptors);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FailureStoreRequestInterceptor.java

@@ -11,7 +11,11 @@
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.action.support.IndexComponentSelector;
+import org.elasticsearch.cluster.metadata.DataStreamFailureStoreDefinition;
+import org.elasticsearch.cluster.metadata.IndexMetadata;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.cluster.project.ProjectResolver;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.threadpool.ThreadPool;
@@ -21,8 +25,18 @@
 
 public class FailureStoreRequestInterceptor extends FieldAndDocumentLevelSecurityRequestInterceptor {
 
-    public FailureStoreRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState) {
+    private final ClusterService clusterService;
+    private final ProjectResolver projectResolver;
+
+    public FailureStoreRequestInterceptor(
+        ClusterService clusterService,
+        ProjectResolver projectResolver,
+        ThreadPool threadPool,
+        XPackLicenseState licenseState
+    ) {
         super(threadPool.getThreadContext(), licenseState);
+        this.clusterService = clusterService;
+        this.projectResolver = projectResolver;
     }
 
     @Override
@@ -32,7 +46,8 @@ void disableFeatures(
         ActionListener<Void> listener
     ) {
         for (var indexAccessControl : indicesAccessControlByIndex.entrySet()) {
-            if (hasFailuresSelectorSuffix(indexAccessControl.getKey()) && hasDlsFlsPermissions(indexAccessControl.getValue())) {
+            if ((hasFailuresSelectorSuffix(indexAccessControl.getKey()) || isBackingFailureStoreIndex(indexAccessControl.getKey()))
+                && hasDlsFlsPermissions(indexAccessControl.getValue())) {
                 listener.onFailure(
                     new ElasticsearchSecurityException(
                         "Failure store access is not allowed for users who have "
@@ -50,7 +65,7 @@ void disableFeatures(
     boolean supports(IndicesRequest request) {
         if (request.indicesOptions().allowSelectors()) {
             for (String index : request.indices()) {
-                if (hasFailuresSelectorSuffix(index)) {
+                if (hasFailuresSelectorSuffix(index) || isBackingFailureStoreIndex(index)) {
                     return true;
                 }
             }
@@ -70,4 +85,12 @@ private boolean hasDlsFlsPermissions(IndicesAccessControl.IndexAccessControl ind
             || indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
     }
 
+    private boolean isBackingFailureStoreIndex(String index) {
+        IndexMetadata indexMetadata = clusterService.state().metadata().getProject(projectResolver.getProjectId()).index(index);
+        if (indexMetadata == null) {
+            return false;
+        }
+        return indexMetadata.getSettings().hasValue(DataStreamFailureStoreDefinition.INDEX_FAILURE_STORE_VERSION_SETTING_NAME);
+    }
+
 }