Exceptions during authorization can be hidden #49999
Labels: bug; :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC); Team:Security (Meta label for security team)
In the introduction of support for authorization engines (#38358), the authorization code was changed to support asynchronous authorization calls. In one of the changed blocks of code an exception can get hidden, and the user only gets a 403 Access Denied error without any clue as to what caused it.
To reproduce this specific scenario, see the following block of code: `elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java`, lines 206 to 225 in 12e1bc4.
An exception that is thrown during the rest of the authorization process will wind up getting caught by that listener's exception consumer. This leads to a confusing `run_as_denied` audit event after a `run_as_granted` event for the same request. I think the first item to address is the fact that `e` gets dropped in that code. The second item is to avoid the confusion of having the error reported as a `run_as_denied` event and to appropriately handle the exception.
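The listener shape the issue describes, as an added stand-alone illustration that is not code from the Elasticsearch repository: a minimal `Listener` interface and `wrap` helper (assumptions standing in for the real ActionListener) show how an exception from the rest of authorization is swallowed by the run-as failure consumer and audited as `run_as_denied`, and how guarding the continuation separately keeps the original cause.

```java
import java.util.function.Consumer;

public class HiddenExceptionDemo {
    // Minimal stand-in for an async listener (assumption; not Elasticsearch's ActionListener).
    interface Listener<T> { void onResponse(T result); void onFailure(Exception e); }

    // Guards onResponse: an exception thrown while handling the response is routed to onErr.
    static <T> Listener<T> wrap(Consumer<T> onOk, Consumer<Exception> onErr) {
        return new Listener<T>() {
            public void onResponse(T r) { try { onOk.accept(r); } catch (Exception e) { onErr.accept(e); } }
            public void onFailure(Exception e) { onErr.accept(e); }
        };
    }

    // Simulated run-as check that grants and delivers the decision through the listener.
    static void checkRunAs(Listener<Boolean> l) { l.onResponse(Boolean.TRUE); }

    // The rest of authorization, failing here for a constructed reason unrelated to run-as.
    static void authorizeRest() { throw new IllegalStateException("constructed failure after run_as"); }

    static String audit = "";

    // Problem shape: the continuation runs inside the run-as listener's onResponse, so its
    // exception lands in the run-as failure consumer, is audited as run_as_denied, and e is dropped.
    static void problemShape() {
        checkRunAs(wrap(granted -> { audit += "run_as_granted;"; authorizeRest(); },
                        e -> { audit += "run_as_denied;"; }));   // e is never logged or propagated
    }

    // Corrected shape: the run-as failure consumer only handles run-as failures; the continuation
    // is guarded separately and forwards its own exception, with its cause, to the original caller.
    static void correctedShape(Listener<Void> original) {
        checkRunAs(wrap(granted -> {
                audit += "run_as_granted;";
                try { authorizeRest(); original.onResponse(null); }
                catch (Exception e) { original.onFailure(e); }
            },
            e -> { audit += "run_as_denied;"; original.onFailure(e); }));
    }

    public static void main(String[] args) {
        problemShape();
        System.out.println("problem shape audit: " + audit + " (cause lost)");
        audit = "";
        correctedShape(new Listener<Void>() {
            public void onResponse(Void v) { System.out.println("authorized"); }
            public void onFailure(Exception e) { System.out.println("failed with cause: " + e); }
        });
        System.out.println("corrected shape audit: " + audit);
    }
}
```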