Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: fix dynamic mapping updates with aliases #30787

Merged
merged 2 commits into from
May 24, 2018
Merged

Security: fix dynamic mapping updates with aliases #30787

merged 2 commits into from
May 24, 2018

Conversation

jaymode
Copy link
Member

@jaymode jaymode commented May 22, 2018

This commit fixes an issue with dynamic mapping updates when an index
operation is performed against an alias and when the user only has
permissions to the alias. Dynamic mapping updates resolve the concrete
index early to prevent issues so the information about the alias that
the triggering operation was being executed against is lost. When
security is enabled and a user only has privileges to the alias, this
dynamic mapping update would be rejected as it is executing against the
concrete index and not the alias. In order to handle this situation,
the security code needs to look at the concrete index and the
authorized indices of the user; if the concrete index is not authorized
the code will attempt to find an alias that the user has permissions to
update the mappings of.

Closes #30597

@jaymode
Security: fix dynamic mapping updates with aliases
8d655de 
This commit fixes an issue with dynamic mapping updates when an index
operation is performed against an alias and when the user only has
permissions to the alias. Dynamic mapping updates resolve the concrete
index early to prevent issues so the information about the alias that
the triggering operation was being executed against is lost. When
security is enabled and a user only has privileges to the aias, this
dynamic mapping update would be rejected as it is executing against the
concrete index and not the alias. In order to handle this situation,
the security code needs to look at the concrete index and the
authorized indices of the user; if the concrete index is not authorized
the code will attempt to find an alias that the user has permissions to
update the mappings of.

Closes elastic#30597
@jaymode jaymode requested a review from tvernum May 22, 2018 16:20
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

tvernum
tvernum approved these changes May 23, 2018
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

...security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java Outdated
if (aliasOrIndex == null) {
resolvedAliasOrIndex = concreteIndexName;
} else if (aliasOrIndex.isAlias()) {
throw new IllegalStateException("concrete index should never be an alias!");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we provide more details in this message (e.g. the name of the index/alias)

@jaymode jaymode merged commit 2b8d3e8 into elastic:master May 24, 2018
@jaymode jaymode deleted the put_mapping_alias branch May 24, 2018 16:28
jaymode added a commit that referenced this pull request May 24, 2018
@jaymode
Security: fix dynamic mapping updates with aliases (#30787)
d1c0d41 
This commit fixes an issue with dynamic mapping updates when an index
operation is performed against an alias and when the user only has
permissions to the alias. Dynamic mapping updates resolve the concrete
index early to prevent issues so the information about the alias that
the triggering operation was being executed against is lost. When
security is enabled and a user only has privileges to the alias, this
dynamic mapping update would be rejected as it is executing against the
concrete index and not the alias. In order to handle this situation,
the security code needs to look at the concrete index and the
authorized indices of the user; if the concrete index is not authorized
the code will attempt to find an alias that the user has permissions to
update the mappings of.

Closes #30597
jaymode added a commit that referenced this pull request May 24, 2018
@jaymode
Security: fix dynamic mapping updates with aliases (#30787)
2b33703 
This commit fixes an issue with dynamic mapping updates when an index
operation is performed against an alias and when the user only has
permissions to the alias. Dynamic mapping updates resolve the concrete
index early to prevent issues so the information about the alias that
the triggering operation was being executed against is lost. When
security is enabled and a user only has privileges to the alias, this
dynamic mapping update would be rejected as it is executing against the
concrete index and not the alias. In order to handle this situation,
the security code needs to look at the concrete index and the
authorized indices of the user; if the concrete index is not authorized
the code will attempt to find an alias that the user has permissions to
update the mappings of.

Closes #30597
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request May 24, 2018
@jasontedor
Merge branch 'master' into verify-official-plugin-signature
9d40715 
* master:
  Update the version checks around ip_range bucket keys, now that the change was backported.
  Mute IndexMasterFailoverIT.testMasterFailoverDuringIndexingWithMappingChanges
  Use geohash cell instead of just a corner in geo_bounding_box (elastic#30698)
  Limit user to single concurrent auth per realm (elastic#30794)
  [Tests] Move templated _rank_eval tests (elastic#30679)
  Security: fix dynamic mapping updates with aliases (elastic#30787)
  Ensure that ip_range aggregations always return bucket keys. (elastic#30701)
  Use remote client in TransportFieldCapsAction (elastic#30838)
  Move Watcher versioning setting to meta field (elastic#30832)
  [Docs] Explain incomplete dates in range queries (elastic#30689)
  Move persistent task registrations to core (elastic#30755)
  Decouple ClusterStateTaskListener & ClusterApplier (elastic#30809)
  Send client headers from TransportClient (elastic#30803)
  Packaging: Ensure upgrade_is_oss flag file is always deleted (elastic#30732)
  Force stable file modes for built packages (elastic#30823)
  [DOCS] Fixes typos in security settings
  Fix GeoShapeQueryBuilder serialization after backport
martijnvg added a commit that referenced this pull request May 25, 2018
@martijnvg
Merge remote-tracking branch 'es/master' into ccr
e6dd414 
* es/master:
  Move score script context from SearchScript to its own class (#30816)
  Fix bad version check writing Repository nodes (#30846)
  [docs] explainer for java packaging tests (#30825)
  Remove Throwable usage from transport modules (#30845)
  REST high-level client: add put ingest pipeline API (#30793)
  Update the version checks around ip_range bucket keys, now that the change was backported.
  Mute IndexMasterFailoverIT.testMasterFailoverDuringIndexingWithMappingChanges
  Use geohash cell instead of just a corner in geo_bounding_box (#30698)
  Limit user to single concurrent auth per realm (#30794)
  [Tests] Move templated _rank_eval tests (#30679)
  Security: fix dynamic mapping updates with aliases (#30787)
  Ensure that ip_range aggregations always return bucket keys. (#30701)
  Use remote client in TransportFieldCapsAction (#30838)
  Move Watcher versioning setting to meta field (#30832)
  [Docs] Explain incomplete dates in range queries (#30689)
  Move persistent task registrations to core (#30755)
  Decouple ClusterStateTaskListener & ClusterApplier (#30809)
  Send client headers from TransportClient (#30803)
  Packaging: Ensure upgrade_is_oss flag file is always deleted (#30732)
  Force stable file modes for built packages (#30823)
martijnvg added a commit that referenced this pull request May 25, 2018
@martijnvg
Merge remote-tracking branch 'es/6.x' into ccr-6.x
545ed87 
* es/6.x:
  Move score script context from SearchScript to its own class (#30816)
  Fix bad version check writing Repository nodes (#30846)
  Modify state of VerifyRepositoryResponse for bwc (#30762)
  QA: Fix tribe tests when running default zip
  Use remote client in TransportFieldCapsAction (#30838)
  Mute IndexMasterFailoverIT.testMasterFailoverDuringIndexingWithMappingChanges
  Ensure that ip_range aggregations always return bucket keys. (#30701)
  Limit user to single concurrent auth per realm (#30794)
  Security: fix dynamic mapping updates with aliases (#30787)
  [Tests] Move templated _rank_eval tests (#30679)
  Move Watcher versioning setting to meta field (#30832)
  Restore "Add more yaml tests for get alias API " (#30814)
  Send client headers from TransportClient (#30803)
  [Docs] Explain incomplete dates in range queries (#30689)
  Move persistent task registrations to core (#30755)
  Decouple ClusterStateTaskListener & ClusterApplier (#30809)
  Packaging: Ensure upgrade_is_oss flag file is always deleted (#30732)
  Force stable file modes for built packages (#30823)
@droberts195 droberts195 mentioned this pull request Jun 4, 2018
Closed
@jpountz jpountz added v6.3.0 and removed v6.3.1 labels Jun 13, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvernum tvernum tvernum approved these changes

Assignees
No one assigned
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v6.3.0 v6.4.0 v7.0.0-beta1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Authorization failure when indexing document with new mappings to alias.
5 participants
@jaymode @elasticmachine @tvernum @colings86 @jpountz