@slobodanadamovic slobodanadamovic commented Apr 1, 2025

The InvalidIndexNameException exception was wrapped in an ElasticsearchSecurityException, which returns HTTP 403 status.

This exception (along with newly introduced InvalidSelectorException and UnsupportedSelectorException) can be raised during index expression resolving due to an invalid user input and should result in an HTTP 400 response instead.

This PR changes exception handling to avoid wrapping them in the ElasticsearchSecurityException.

The `InvalidIndexNameException` and `IllegalArgumentException`
exceptions were wrapped in an `ElasticsearchSecurityException`, which
returns HTTP `403` status. These exceptions can be raised during index
expression resolving, due to an invalid user input, and should result in
an HTTP `400` response.

This PR changes exception handling to avoid wrapping them in the
`ElasticsearchSecurityException`.
@slobodanadamovic slobodanadamovic added the >non-issue, :Security/Security, Team:Security, auto-backport, v8.19.0 and v9.1.0 labels Apr 1, 2025
@slobodanadamovic slobodanadamovic self-assigned this Apr 1, 2025
indicesAndAliasesResolver.resolve(action, request, projectMetadata, authorizedIndices)
),
e -> {
if (e instanceof InvalidIndexNameException) {
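
Review bot: the `if (e instanceof InvalidIndexNameException)` branch in the failure handler has no comment saying why this type is exempt from the handling applied to every other failure of `indicesAndAliasesResolver.resolve(...)`. Add a short comment stating that it is a client error caused by invalid user input, and keep the set of exempt types in one clearly named check so that later additions stay deliberate. Note also that the test inspects only the outermost exception, so a cause nested inside another exception would not match it.
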
Contributor Author

@slobodanadamovic slobodanadamovic Apr 1, 2025

Another exception I've considered was InvalidArgumentException but decided to skip it since it's not guaranteed that it's caused by the user's invalid input (sometimes it hides internal errors). I think we need clearer error handling overall or to be very specific which exceptions we consider client errors (e.g. analyze exception messages).

Contributor

Yeah, InvalidArgumentException feels too broad to catch here...

WDYT about adding InvalidSelectorException (extend InvalidArgumentException) and throw that in getByKeyOrThrow and also throw either InvalidSelectorException or InvalidIndexNameException inside ensureNoSelectorsProvided? I think that would cover a decent amount of other cases.

Contributor Author

That's a good suggestion. Using a dedicated exception is a way to go. I'll adjust that.

Contributor Author

I've pushed 601d8f7, which introduces InvalidSelectorException and UnsupportedSelectorException. Let me know what you think.
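
The approach settled on in the thread above, sketched as an added example (not code from the PR or from Elasticsearch): dedicated exception types form an explicit allow-list of client errors that bypass wrapping, while a bare `IllegalArgumentException` is still wrapped. The exception classes are local stand-ins that reuse the names from the PR; their hierarchy and `AccessDeniedWrapper`, `isClientError`, `onResolveFailure` and `statusFor` are assumptions made for illustration.

```java
import java.util.function.Supplier;

public class ResolveErrorMapping {
    // Local stand-ins: only the class names come from the PR; hierarchy and constructors are assumed.
    static class InvalidIndexNameException extends RuntimeException {
        InvalidIndexNameException(String msg) { super(msg); }
    }
    static class InvalidSelectorException extends IllegalArgumentException {
        InvalidSelectorException(String msg) { super(msg); }
    }
    static class UnsupportedSelectorException extends IllegalArgumentException {
        UnsupportedSelectorException(String msg) { super(msg); }
    }
    // Hypothetical wrapper playing the role of the security exception that maps to 403.
    static class AccessDeniedWrapper extends RuntimeException {
        AccessDeniedWrapper(Throwable cause) { super("action is unauthorized", cause); }
    }

    // Explicit allow-list: only failures known to come from invalid user input.
    static boolean isClientError(Throwable e) {
        return e instanceof InvalidIndexNameException
            || e instanceof InvalidSelectorException
            || e instanceof UnsupportedSelectorException;
    }

    // Failure handler: client errors pass through unwrapped, everything else is wrapped.
    static RuntimeException onResolveFailure(RuntimeException e) {
        return isClientError(e) ? e : new AccessDeniedWrapper(e);
    }

    // Status the REST layer of this sketch would report for one resolver run.
    static int statusFor(Supplier<String> resolver) {
        try {
            resolver.get();
            return 200;
        } catch (RuntimeException e) {
            return onResolveFailure(e) instanceof AccessDeniedWrapper ? 403 : 400;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: each lambda simulates one resolver outcome.
        System.out.println(statusFor(() -> "logs-app"));
        System.out.println(statusFor(() -> { throw new InvalidIndexNameException("invalid name"); }));
        System.out.println(statusFor(() -> { throw new UnsupportedSelectorException("selector not supported"); }));
        System.out.println(statusFor(() -> { throw new IllegalArgumentException("internal bug"); }));
    }
}
```

The last call is the case discussed in the thread: a generic argument exception may hide an internal error, so it stays outside the allow-list and is not reported as a client error.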

…ve-error-handling

# Conflicts:
#	x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
@slobodanadamovic slobodanadamovic marked this pull request as ready for review April 2, 2025 06:27
@slobodanadamovic slobodanadamovic requested a review from n1v0lg April 2, 2025 06:27
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

Contributor

@n1v0lg n1v0lg left a comment

LGTM once CI passes 🚀

@slobodanadamovic slobodanadamovic merged commit 0b09506 into elastic:main Apr 6, 2025
22 checks passed
@elasticsearchmachine
Collaborator

💔 Backport failed

Status Branch Result
8.x Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running `backport --upstream elastic/elasticsearch --pr 126018`

@slobodanadamovic
Contributor Author

💚 All backports created successfully

Status Branch Result
8.x

slobodanadamovic added a commit to slobodanadamovic/elasticsearch that referenced this pull request Apr 6, 2025
…6018)

The `InvalidIndexNameException` exception was wrapped in an `ElasticsearchSecurityException`, which returns HTTP `403` status.

This exception (along with newly introduced `InvalidSelectorException` and `UnsupportedSelectorException`) can be raised during index expression resolving due to an invalid user input and should result in an HTTP `400` response instead.

This PR changes exception handling to avoid wrapping them in the `ElasticsearchSecurityException`.

(cherry picked from commit 0b09506)

# Conflicts:
#	x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
elasticsearchmachine pushed a commit that referenced this pull request Apr 6, 2025
) (#126373)

* Improve error handling during index expressions resolving (#126018)

* [CI] Auto commit changes from spotless

---------

Co-authored-by: elasticsearchmachine <[email protected]>