record security exceptions in resolved index expressions #135630
Conversation
richard-dennehy
added
>non-issue
:Security/Security
|
Pinging @elastic/es-security (Team:Security) |
| if (e instanceof IndexNotFoundException) { | ||
| listener.onFailure(e); | ||
| } else { | ||
| listener.onFailure(actionDenied(authentication, authzInfo, action, request, e)); |
There was a problem hiding this comment.
We need to set security exceptions in the case where the action actually succeeded (due to ignore_unavailable=true) instead of when it failed. When it failed, the recorded expressions are irrelevant since we will throw directly. So we need to take the request post resolution and see if:
- it has resolved expressions recorded
- if any of those have
CONCRETE_RESOURCE_UNAUTHORIZEDset
If the above is true, we need to set an actionDenied exception as you do below
|
Sorry, only got to this late! @richard-dennehy could you update the branch, address this bit, and the req a review from @ywangd when it's ready? If my comment doesn't make sense I hope Yang can provide guidance. The Jira, for reference is ES-13005. |
|
I am bit unsure about the need of this change. Is there a JIRA ticket for it that might provide some more context. We record |
|
Nikolaj mentioned the Jira ticket in his last comment: ES-13005 But there's not a great deal of context provided there, tbh |
|
OK thanks for the clarification. I think I understand it better now. In CPS, we defer security exception for unauthorized concrete index so that when Therefore, in addition to call PS: There is a question about how auditing should behave in this case. But we can defer it for this work. |
| equalTo( | ||
| "action [indices:data/read/search] is unauthorized for user [user] with effective roles [partial-access-role], " | ||
| + "this action is granted by the index privileges [read,all]" | ||
| ) |
There was a problem hiding this comment.
We should assert the index name is included in the error message
…ession-record-exceptions
…ession-record-exceptions
ywangd
left a comment
ywangd
left a comment
There was a problem hiding this comment.
I have a few comments. Could you also raise a linked serverless PR to update CrossProjectSearchIT with error message assertions for 403 cases in the section of "missing and unauthorized concrete resources -- strict indices options -- errors"?
| : "If the local resolution result is SUCCESS, exception must be null"; | ||
| Objects.requireNonNull(exception); | ||
|
|
||
| this.exception = exception; |
There was a problem hiding this comment.
We should also assert this.exception is null before set it
There was a problem hiding this comment.
This is causing the CPS Rest IT to fail - I need to figure out why that's happening
There was a problem hiding this comment.
Ah OK. I think this is the same double security filtering issue which required the method setResolvedIndexExpressionsIfUnset.
We can do something similar, i.e. set the exception when this.exception is null. If this.exception is already set, assert the two exceptions have the same type and error message (stacktraces are not necessarily the same).
...ugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
Outdated
Show resolved
Hide resolved
| when(crossProjectModeDecider.crossProjectEnabled()).thenReturn(true); | ||
| when(crossProjectModeDecider.resolvesCrossProject(any())).thenReturn(true); | ||
|
|
||
| mockMetadataWithIndex("available-index"); |
There was a problem hiding this comment.
The deciding factor here is that the user has no access to the index regardless whether it exists or not. So I'd suggest:
- rename
available-indexandnot-available-indextoaccessible-indexandnot-accessible-index. - Randomly also add
not-accessible-indexto the project metadata. The behaviour should not change whether this index exists or not - random between indices request between
accessible-index,not-accessible-indexand justnot-accessible-index. The behaviour should be the same.
|
Btw, updating |
richard-dennehy
force-pushed
the
resolved-index-expression-record-exceptions
branch
from
3753285 to
b81d263
Compare
elasticsearchmachine
added
the
serverless-linked
ywangd
left a comment
ywangd
left a comment
There was a problem hiding this comment.
Only a small comment. Could you please make sure CI is green? The serverless side PR is having formatting issue.
| } else { | ||
| this.exception = exception; | ||
| } |
There was a problem hiding this comment.
This violates what the method name says, i.e. set if unset, since this can happen when it is already set but the newer exception has identical message.
richard-dennehy
deleted the
resolved-index-expression-record-exceptions
branch
) * record security exceptions in resolved index expressions * [CI] Auto commit changes from spotless * override equality in LocalExpressions * [CI] Auto commit changes from spotless * record exception for unresolved index when ignore_unavailable is true * clean up * spotless * enable CPS mode in test * include index name in exception message * [CI] Auto commit changes from spotless * address review comments * [CI] Auto commit changes from spotless * assert exception is not set twice * use recorded exception in CrossProjectIndexResolutionValidator * [CI] Auto commit changes from spotless * actually only set exception if unset --------- Co-authored-by: elasticsearchmachine <[email protected]>
4 participants
Record security exception for resolved index expressions with
CONCRETE_RESOURCE_UNAUTHORIZEDresults