Prevent access for users with DLS/FLS to the failure store #124634
Conversation
Failure store collects ingestion and mapping related failures when documents are written to a data stream. Indexing can fail and be captured in the failure store at any point in the ingest process. The fields may not have been dropped or sanitized during ingestion processing, or the document may not be in the form expected by document/field-level security rules, either of which may lead to the document exposing sensitive information that would otherwise not be exposed if the document was successfully processed and ingested. Since the DLS/FLS may not be applicable in the expected way, we here prevent access to the failure store for all users that have DLS/FLS restrictions.
slobodanadamovic
added
>non-issue
:Security/Security
slobodanadamovic
added
backport
v8.19.0
auto-backport
|
Pinging @elastic/es-security (Team:Security) |
| Map.of(failureIndexName, Set.of("@timestamp")) | ||
| ); | ||
| // FLS does not apply to failure store | ||
| expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest())); |
There was a problem hiding this comment.
I've hit the ready button too soon. I still want to test cover the case when users have direct access to .fs-* indices and accessing without ::failures selector.
…re-store-dls-fls-interceptor
| failureIndexName, | ||
| Set.of( | ||
| "@timestamp", | ||
| "document.id", |
There was a problem hiding this comment.
Interesting, do you know why this changed? I.e., why are we getting flattened fields now, instead of top-level field?
There was a problem hiding this comment.
I've changed the test assertion to flatten the results in order to make sure that FLS is properly respected for nested fields. Previously we were only asserting the top level fields.
I had a test which granted document.source.name over .fs* indices that was succeeding. This was before the change to prevent direct access as well. I can revert that if you think it's not necessary.
There was a problem hiding this comment.
Ah sorry, this was an old comment I forgot to delete -- plz ignore, this is a good improvement
|
|
||
| @Override | ||
| boolean supports(IndicesRequest request) { | ||
| if (request.indicesOptions().allowSelectors()) { |
There was a problem hiding this comment.
I'm not sure we want request.indicesOptions().allowSelectors() here as there may be cases where you can access the failure index but selectors are not allowed.
There was a problem hiding this comment.
Good catch! This started with intention to prevent access with ::failures selector but turned into "let's prevent access to failure indices regardless if selectors are used or not". I'll adjust this.
| } | ||
|
|
||
| private boolean hasFailuresSelectorSuffix(String name) { | ||
| return IndexNameExpressionResolver.hasSelectorSuffix(name) |
There was a problem hiding this comment.
Can use IndexNameExpressionResolver.hasSelector(name, IndexComponentSelector.FAILURES) here instead, to avoid splitting.
There was a problem hiding this comment.
(Fine to include the bigger check with splitting as an assertion since it does additional validation, but hasSelector should be faster so better suited for prod-code)
There was a problem hiding this comment.
Agreed. Will make the change.
| ) { | ||
| for (var indexAccessControl : indicesAccessControlByIndex.entrySet()) { | ||
| if ((hasFailuresSelectorSuffix(indexAccessControl.getKey()) || isBackingFailureStoreIndex(indexAccessControl.getKey())) | ||
| && hasDlsFlsPermissions(indexAccessControl.getValue())) { |
There was a problem hiding this comment.
I'd consider flipping this since most roles won't have FLS/DLS so we'll short-circuit quicker
3 participants
Failure store collects ingestion and mapping related failures when documents are written to a data stream. Indexing can fail and be captured in the failure store at any point in the ingest process.
The fields may not have been dropped or sanitized during ingestion processing, or the document may not be in the form expected by document/field-level security rules, either of which may lead to the document exposing sensitive information that would otherwise not be exposed if the document was successfully processed and ingested.
Since the DLS/FLS may not be applicable in the expected way, we here prevent access to the failure store for all users that have DLS/FLS restrictions and are accessing failure store using the
::failuresselector (e.g.logs-*::failures). The direct access to the backing failure store indices (.fs-*) is also not allowed.