Prevent privilege checks

n1v0lg · n1v0lg · commit fb599ca19853 · 2025-03-10T11:57:31.000+01:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java
@@ -366,6 +366,14 @@ public ActionRequestValidationException validate(ActionRequestValidationExceptio
                 && application.length == 0) {
                 validationException = addValidationError("must specify at least one privilege", validationException);
             }
+            if (index != null) {
+                for (RoleDescriptor.IndicesPrivileges indexPrivilege : index) {
+                    if (Arrays.stream(indexPrivilege.getPrivileges())
+                        .anyMatch(p -> "read_failure_store".equals(p) || "manage_failure_store".equals(p))) {
+                        validationException = addValidationError("checking failure store privileges is not supported", validationException);
+                    }
+                }
+            }
             return validationException;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -366,6 +366,14 @@ public ActionRequestValidationException validate(ActionRequestValidationExceptio`
`366`	`366`	`&& application.length == 0) {`
`367`	`367`	`validationException = addValidationError("must specify at least one privilege", validationException);`
`368`	`368`	`}`
	`369`	`+ if (index != null) {`
	`370`	`+ for (RoleDescriptor.IndicesPrivileges indexPrivilege : index) {`
	`371`	`+ if (Arrays.stream(indexPrivilege.getPrivileges())`
	`372`	`+ .anyMatch(p -> "read_failure_store".equals(p) \|\| "manage_failure_store".equals(p))) {`
	`373`	`+ validationException = addValidationError("checking failure store privileges is not supported", validationException);`
	`374`	`+ }`
	`375`	`+ }`
	`376`	`+ }`
`369`	`377`	`return validationException;`
`370`	`378`	`}`
`371`	`379`