Relax the index access control check for scroll searches (#61446)

The check introduced by #60640 for scroll searches, in which we log if the index access control before the query and fetch phases differs from when the scroll context is created, is too strict, leading to spurious warning log messages. The check verifies instance equality but this assumes that the fetch phase is executed in the same thread context as the scroll context validation. However, this is not true if the scroll search is executed cross-cluster, and even for local scroll searches it is an unfounded assumption. The check is hence reduced to a null check for the index access. The fact that the access control is suitable given the indices that are actually accessed (by the scroll) will be done in a follow-up, after we better regulate the creation of index access controls in general.
elastic · Aug 27, 2020 · f530513 · f530513
1 parent 00aecf8
commit f530513
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/...src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java b/...src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
@@ -96,14 +96,12 @@ public void onPreQueryPhase(SearchContext searchContext) {
 
     void ensureIndicesAccessControlForScrollThreadContext(SearchContext searchContext) {
         if (licenseState.isAuthAllowed() && searchContext.scrollContext() != null) {
-            IndicesAccessControl scrollIndicesAccessControl =
-                    searchContext.scrollContext().getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
             IndicesAccessControl threadIndicesAccessControl =
                     threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
-            if (scrollIndicesAccessControl != threadIndicesAccessControl) {
-                throw new ElasticsearchSecurityException("[" + searchContext.id() + "] expected scroll indices access control [" +
-                        scrollIndicesAccessControl.toString() + "] but found [" + threadIndicesAccessControl.toString() + "] in thread " +
-                        "context");
+            if (null == threadIndicesAccessControl) {
+                throw new ElasticsearchSecurityException("Unexpected null indices access control for search context [" +
+                        searchContext.id() + "] for request [" + searchContext.request().shardId() + "] with source [" +
+                        searchContext.source() + "]");
             }
         }
     }
@@ -124,7 +122,7 @@ static void ensureAuthenticatedUserIsSame(Authentication original, Authenticatio
         if (original.getUser().isRunAs()) {
             if (current.getUser().isRunAs()) {
                 sameRealmType = original.getLookedUpBy().getType().equals(current.getLookedUpBy().getType());
-            }  else {
+            } else {
                 sameRealmType = original.getLookedUpBy().getType().equals(current.getAuthenticatedBy().getType());
             }
         } else if (current.getUser().isRunAs()) {