Do not rewrite aliases on remove-index from aliases requests (elastic…
…#46989) (elastic#47020)

When we rewrite alias requests, after filtering down to only those that
the user is authorized to see, it can be that there are no aliases
remaining in the request. However, core Elasticsearch interprets this as
_all so the user would see more than they are authorized for. To address
this, we previously rewrote all such requests to have aliases `"*"`,
`"-*"`, which would be interpreted when aliases are resolved as
none. Yet, this is only needed for get aliases requests and we were
applying it to all alias requests, including remove index requests. If
such a request was sent to a coordinating node that is not the master
node, the request would be rewritten to include `"*"` and `"-*"`, and
then the master would authorize the user for these. If the user had
limited permissions, the request would fail, even if they were
authorized on the index that the remove index action was over. This
commit addresses this by rewriting for get aliases and remove
aliases request types but not for the remove index.

Co-authored-by: Albert Zaharovits <[email protected]>
Co-authored-by: Tim Vernum <[email protected]>
albertzaharovits and tvernum authored Sep 24, 2019
1 parent c642425 commit 89f4299
Showing 3 changed files with 129 additions and 54 deletions.
Expand Up @@ -210,11 +210,15 @@ ResolvedIndices resolveIndicesAndAliases(IndicesRequest indicesRequest, MetaData
} else {
resolvedIndicesBuilder.addLocal(aliasesRequest.aliases());
}
// if no aliases are authorized, then fill in an expression that
// MetaData#findAliases evaluates to the empty alias list. You cannot put
// "nothing" (the empty list) explicitly because this is resolved by es core to
// _all
if (aliasesRequest.aliases().length == 0) {
/*
* If no aliases are authorized, then fill in an expression that MetaData#findAliases evaluates to an
* empty alias list. We can not put an empty list here because core resolves this as _all. For other
* request types, this replacement is not needed and can trigger issues when we rewrite the request
* on the coordinating node. For example, for a remove index request, if we did this replacement,
* the request would be rewritten to include "*","-*" and for a user that does not have permissions
* on "*", the master node would not authorize the request.
*/
if (aliasesRequest.expandAliasesWildcards() && aliasesRequest.aliases().length == 0) {
aliasesRequest.replaceAliases(NO_INDICES_OR_ALIASES_ARRAY);
}
}
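Review bot: The new guard `if (aliasesRequest.expandAliasesWildcards() && aliasesRequest.aliases().length == 0)` makes the fail-closed replacement depend on a flag, but the comment above it only speaks of "other request types" and never says which request types return true from `expandAliasesWildcards()`. Because the same comment states that core resolves an empty list as _all, the comment should name the request types the flag covers (the commit message lists get aliases and remove aliases) and state why leaving an empty alias list in place is safe when the flag is false, so that a later request type that returns false cannot skip the replacement unnoticed. Minor style point in the same comment: "can not" should read "cannot".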