[BUG] Currently /_plugins/_query/settings API can act as backdoor for any kind of cluster settings. #2382

Closed
vamsi-amazon opened this issue Oct 26, 2023 · 0 comments
Labels: bug, Flint, v2.11.1

vamsi-amazon commented Oct 26, 2023

What is the bug?
Currently the /_plugins/_query/settings API can act as a backdoor to change any kind of cluster settings.

  • Validate if the above assumption is true.
  • Restrict the above API to only settings required.

New settings have been introduced; we need to deny all the settings below.

  • plugins.query.datasources.encryption.masterkey
  • plugins.query.datasources.uri.hosts.denylist
  • plugins.query.executionengine.spark.config
  • plugins.query.executionengine.spark.session.limit
  • plugins.query.executionengine.spark.refresh_job.limit
  • plugins.query.executionengine.spark.session.index.ttl
  • plugins.query.executionengine.spark.result.index.ttl
  • plugins.query.executionengine.spark.auto_index_management.enabled
@vamsi-amazon added the bug, untriaged, Flint, v2.11.0 and v2.11.1 labels and removed the untriaged and v2.11.0 labels on Oct 26, 2023
@anirudha assigned anirudha and vamsi-amazon and unassigned anirudha on Oct 30, 2023
@penghuo closed this as completed on Nov 29, 2023
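
The restriction proposed in the issue, as an added sketch that is not code from the issue or from the plugin: a check over a settings-update request body that rejects the eight denied settings and anything outside an allowlist, whether keys arrive dotted or nested. The `ALLOWED` set, the `persistent`/`transient` body shape and all function names are assumptions for illustration; the issue does not say which settings are required.

```python
import json

# The eight settings the issue says must be denied through this API.
DENIED = frozenset({
    "plugins.query.datasources.encryption.masterkey",
    "plugins.query.datasources.uri.hosts.denylist",
    "plugins.query.executionengine.spark.config",
    "plugins.query.executionengine.spark.session.limit",
    "plugins.query.executionengine.spark.refresh_job.limit",
    "plugins.query.executionengine.spark.session.index.ttl",
    "plugins.query.executionengine.spark.result.index.ttl",
    "plugins.query.executionengine.spark.auto_index_management.enabled",
})

# Assumed allowlist (constructed for this example, not taken from the issue).
ALLOWED = frozenset({"plugins.query.size_limit", "plugins.sql.enabled"})

SECTIONS = ("persistent", "transient")


def flatten(node, prefix=""):
    """Yield (dotted_key, value) so nested and dotted forms compare equal."""
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def is_denied(key):
    """True for a denied setting or any sub-key beneath one."""
    return any(key == d or key.startswith(d + ".") for d in DENIED)


def check_settings_request(body):
    """Return (section, key, reason) violations; an empty list means accept."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        return [("", "", "body must be a JSON object")]
    violations = []
    for section, content in doc.items():
        if section not in SECTIONS or not isinstance(content, dict):
            violations.append((section, "", "unknown section"))
            continue
        for key, _ in flatten(content):
            if is_denied(key):
                violations.append((section, key, "denied"))
            elif key not in ALLOWED:  # also rejects wildcard keys
                violations.append((section, key, "not allowlisted"))
    return violations
```

Matching on the flattened key is what keeps a nested body from slipping past a check written against dotted names only.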