Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve the security permission check in cat indices (_cat/indices) API #2257

Closed
bowenlan-amzn opened this issue Nov 8, 2022 · 4 comments
Closed

Improve the security permission check in cat indices (_cat/indices) API #2257

bowenlan-amzn opened this issue Nov 8, 2022 · 4 comments
Labels
enhancement New feature or request good first issue These are recommended starting points for newcomers looking to make their first contributions. triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@bowenlan-amzn
Copy link
Member

Is your feature request related to a problem? Please describe.

Today, to be able to call _cat/indices successfully, you need to have a permission at least with these permissions:

    "cluster_permissions" : [
      "cluster:monitor/state",
      "cluster:monitor/health"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "allowed_actions" : [
          "indices:monitor/settings/get",
          "indices:monitor/stats"
        ]
      }
    ]

If the index_patterns is not set to "*" but "log-*", _cat/indices fails with a security exception:
"no permissions for [indices:monitor/settings/get] and User [name=bowen, backend_roles=[], requestedTenant=__user__]
I suppose this is because cluster has other indices that don't match "log-*" and security check fails.
You will be able to call _cat/indices/log-* successfully though.

Describe the solution you'd like
Instead of failing the full request, can we improve the user experience of _cat/indices to return the indices user has permission of?
To be specific, if user has index permission on "log-*", calling _cat/indices can return the indices start with log- in the cluster.
@bowenlan-amzn bowenlan-amzn added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Nov 8, 2022
@andrross andrross added the Security Security Related Issues label Nov 8, 2022
@anasalkouz
Copy link
Member

@davidlago do you see any security concern of doing this change?

@nandi-github Do you thing it's the right thing from customer perspective to list indices that who access to read, which won't give him any visibility if there are other indices on the cluster.

@anasalkouz anasalkouz removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Nov 9, 2022
@davidlago
Copy link

I guess we could leverage the existing do_not_fail_on_forbidden config flag that is used in the Privileges Evaluator and add the indices:monitor permissions to the considered patterns here.

Is there anything else that is not index-specific that would be revealing things we shouldn't to a user who can only see a subset of indexes making these calls? (tagging @peternied for an additional set of eyes)

@peternied
Copy link
Member

Thanks for writing this up, that is a much better user experience.

From a user experience/information disclosure, the scenario is in-line with our existing DNDOF cases. The filtering logic implemented in the IndexResolverReplacer [1] would need to be updated to handle GetSettingsRequest that supports this scenario.

I'll transfer this to the security repository to be triaged by the team and where the change would need to be made. This would be a great first issue for anyone if they are looking to get involved in the security codebase.

[1]

security/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java

Line 536 in 93fe633

private boolean getOrReplaceAllIndices(final Object request, final IndicesProvider provider, boolean allowEmptyIndices) {

@peternied peternied transferred this issue from opensearch-project/OpenSearch Nov 12, 2022
@peternied peternied added untriaged Require the attention of the repository maintainers and may need to be prioritized triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Nov 12, 2022
@stephen-crawford stephen-crawford added good first issue These are recommended starting points for newcomers looking to make their first contributions. and removed Security Security Related Issues labels Dec 2, 2022
@davidlago
Copy link

Closing in favor of #1815 to track in a single place

@nibix nibix mentioned this issue Jan 2, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good first issue These are recommended starting points for newcomers looking to make their first contributions. triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@peternied @davidlago @andrross @anasalkouz @bowenlan-amzn @stephen-crawford