-
Notifications
You must be signed in to change notification settings - Fork 25k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Transform] Secondary credentials used with transforms should only require source and destination index privileges, not transform privileges #94420
[Transform] Secondary credentials used with transforms should only require source and destination index privileges, not transform privileges #94420
Conversation
58ffa66
to
f95443b
Compare
… using secondary auth only
f95443b
to
549e160
Compare
Hi @przemekwitek, I've created a changelog YAML for you. |
Pinging @elastic/ml-core (Team:ML) |
// <2> Validate source and destination indices | ||
ActionListener<Void> checkPrivilegesListener = ActionListener.wrap( | ||
aVoid -> ClientHelper.executeWithHeadersAsync( | ||
config.getHeaders(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I find it surprising that this works. config.setHeaders
was called inside a block that switched to secondary headers. So I would have thought that here we end up calling ValidateTransformAction
using the secondary headers, which should fail if those secondary headers only allow index access and not transform administration.
I can see you have a test that seems to test that this functionality works, but please can you do some extra due diligence on whether this is really working as expected, perhaps by running the test locally with extra debug, or by manually testing it with gradle run
.
If this extra testing shows that the existing test is only succeeding by some fluke then I think the way to fix it would be to put this call back to how it was before, and instead switch to secondary headers (using useSecondaryAuthIfAvailable
) within the subsections of TransportValidateTransformAction
that access the source or destination indices.
If the code really does work correctly as you've got it now then I need to adjust my understanding of what executeWithHeadersAsync
does.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I would have thought that here we end up calling ValidateTransformAction using the secondary headers, which should fail if those secondary headers only allow index access and not transform administration.
Yes, that was indeed the case and the scenario from Quynh I reproduced.
I can see you have a test that seems to test that this functionality works, but please can you do some extra due diligence on whether this is really working as expected, perhaps by running the test locally with extra debug, or by manually testing it with gradle run.
So, I did a little back and forth on this PR and the version you reviewed probably had the test (my new test written exactly for this case) failing in the CI which I noticed and fixed a few hours later...
The reason for this was I noticed Ben's work (#86757) solving the issue #86731 (Prefer secondary authentication headers when creating/updating transforms) and I wanted to keep his tests passing as well.
I ended up with the following (this PR is now updated):
- pass all the security headers to
_validate
call - only store secondary headers in the transform config.
This way _validate
call can be executed even if the secondary headers does not have transform_admin
.
And at the same time we only store secondary header in the config in order to use it for data access later on (e.g: creating destination index).
I've just udpated this PR description to reflect the change: now all the security headers are passed on to _validate
.
fda2f4f
to
9e9ada2
Compare
Hi @przemekwitek, I've created a changelog YAML for you. |
Some tests are now failing on CI. |
…which can be null)
…mekwitek/elasticsearch into call_validate_with_sec_auth
Ok, the tests are fixed. It was a simple NPE causing these failures. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately I still think there is a problem.
I think the solution is to call _validate
using the internal _xpack
user, as it's entirely an internal endpoint.
Then, in TransportValidateTransformAction
the functions that use a Client
should switch to the appropriate headers instead of relying on the caller of _validate
to have done this. As far as I can see that's:
Line 130 in a8a684e
function.deduceMappings(client, config.getSource(), deduceMappingsListener); |
and:
Line 139 in a8a684e
function.validateQuery(client, config.getSource(), request.timeout(), validateQueryListener); |
...rm/src/main/java/org/elasticsearch/xpack/transform/action/TransportStartTransformAction.java
Outdated
Show resolved
Hide resolved
...lugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransformUpdater.java
Outdated
Show resolved
Hide resolved
...form/src/main/java/org/elasticsearch/xpack/transform/action/TransportPutTransformAction.java
Outdated
Show resolved
Hide resolved
_validate
Done.
Done. |
...sform/src/main/java/org/elasticsearch/xpack/transform/utils/SecondaryAuthorizationUtils.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM if you could just rename a method as per #94420 (comment) before merging.
The internal
_validate
action was called byPUT
action using secondary headers only. This was causing authorization issues if the API key (secondary header) was lackingtransform_admin
role.This PR fixes this by providing all the security headers to
_validate
action usingClientHelper.executeWithHeadersAsync
helper method rather than rawclient.execute
.Relates #93259