Skip to content

Commit

Permalink
Note restricted indices in access denied message (elastic#85013)
Browse files Browse the repository at this point in the history
When security prevents access to an index, it indicates the action
that was attempted, the indices it was applied to and the privileges
that would grant that access.

However, if the index is a restricted index, that message was
insufficient.
Even if the user was granted "all" on "*", they would still be
prevented from performing actions on restricted indices such as
".security" or ".kibana".
Access to those indices would require a role that grants access
with the allow_restricted_indices field set to true

This change expands the error message to note which indices are
"restricted" as a way of guiding users towards the necessary solution.
  • Loading branch information
tvernum authored Mar 16, 2022
1 parent 3e66893 commit 3d7b277
Show file tree
Hide file tree
Showing 6 changed files with 83 additions and 9 deletions.
5 changes: 5 additions & 0 deletions docs/changelog/85013.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
pr: 85013
summary: Note restricted indices in access denied message
area: Authorization
type: enhancement
issues: []
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@

import org.elasticsearch.action.ActionListener;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.common.Strings;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesRequest;
Expand All @@ -27,6 +26,7 @@
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;

/**
* <p>
Expand Down Expand Up @@ -349,7 +349,7 @@ public boolean isAuditable() {
* Returns additional context about an authorization failure, if {@link #isGranted()} is false.
*/
@Nullable
public String getFailureContext() {
public String getFailureContext(Predicate<String> isRestrictedIndex) {
return null;
}

Expand Down Expand Up @@ -383,19 +383,35 @@ public IndexAuthorizationResult(boolean auditable, IndicesAccessControl indicesA
}

@Override
public String getFailureContext() {
public String getFailureContext(Predicate<String> isRestrictedIndex) {
if (isGranted()) {
return null;
} else {
return getFailureDescription(indicesAccessControl.getDeniedIndices());
return getFailureDescription(indicesAccessControl.getDeniedIndices(), isRestrictedIndex);
}
}

public static String getFailureDescription(Collection<?> deniedIndices) {
public static String getFailureDescription(Collection<String> deniedIndices, Predicate<String> isRestrictedIndex) {
if (deniedIndices.isEmpty()) {
return null;
}
return "on indices [" + Strings.collectionToCommaDelimitedString(deniedIndices) + "]";
final StringBuilder regularIndices = new StringBuilder();
final StringBuilder restrictedIndices = new StringBuilder();
for (String index : deniedIndices) {
final StringBuilder builder = isRestrictedIndex.test(index) ? restrictedIndices : regularIndices;
if (builder.isEmpty() == false) {
builder.append(',');
}
builder.append(index);
}
StringBuilder message = new StringBuilder();
if (regularIndices.isEmpty() == false) {
message.append("on indices [").append(regularIndices).append(']');
}
if (restrictedIndices.isEmpty() == false) {
message.append(message.length() == 0 ? "on" : " and").append(" restricted indices [").append(restrictedIndices).append(']');
}
return message.toString();
}

public IndicesAccessControl getIndicesAccessControl() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ public boolean isGranted() {
return granted;
}

public Collection<?> getDeniedIndices() {
public Collection<String> getDeniedIndices() {
return this.indexPermissions.entrySet()
.stream()
.filter(e -> e.getValue().granted == false)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

package org.elasticsearch.xpack.core.security.authz;

import org.elasticsearch.test.ESTestCase;

import java.util.List;
import java.util.function.Predicate;

import static org.hamcrest.Matchers.is;

public class AuthorizationEngineTests extends ESTestCase {

public void testIndexAuthorizationResultFailureMessage() {
final Predicate<String> restrictedIndex = s -> s.startsWith(".");
assertThat(
AuthorizationEngine.IndexAuthorizationResult.getFailureDescription(List.of("index-1", "index-2", ".index-3"), restrictedIndex),
is("on indices [index-1,index-2] and restricted indices [.index-3]")
);

assertThat(
AuthorizationEngine.IndexAuthorizationResult.getFailureDescription(List.of("index-1"), restrictedIndex),
is("on indices [index-1]")
);

assertThat(
AuthorizationEngine.IndexAuthorizationResult.getFailureDescription(
List.of(".index-1", ".index-2", ".index-3"),
restrictedIndex
),
is("on restricted indices [.index-1,.index-2,.index-3]")
);
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -773,7 +773,10 @@ private void authorizeBulkItems(
authentication,
itemAction,
request,
AuthorizationEngine.IndexAuthorizationResult.getFailureDescription(List.of(resolvedIndex)),
AuthorizationEngine.IndexAuthorizationResult.getFailureDescription(
List.of(resolvedIndex),
indicesAndAliasesResolver.getRestrictedIndicesPredicate()
),
null
)
);
Expand Down Expand Up @@ -960,7 +963,11 @@ public void onResponse(T result) {
failureConsumer.accept(e);
}
} else {
handleFailure(result.isAuditable(), result.getFailureContext(), null);
handleFailure(
result.isAuditable(),
result.getFailureContext(indicesAndAliasesResolver.getRestrictedIndicesPredicate()),
null
);
}
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import org.elasticsearch.transport.RemoteConnectionStrategy;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authz.ResolvedIndices;
import org.elasticsearch.xpack.core.security.support.Automatons;

import java.util.ArrayList;
import java.util.Arrays;
Expand All @@ -41,6 +42,7 @@
import java.util.Set;
import java.util.SortedMap;
import java.util.concurrent.CopyOnWriteArraySet;
import java.util.function.Predicate;
import java.util.stream.Stream;

import static org.elasticsearch.xpack.core.security.authz.IndicesAndAliasesResolverField.NO_INDEX_PLACEHOLDER;
Expand All @@ -61,6 +63,10 @@ class IndicesAndAliasesResolver {
this.remoteClusterResolver = new RemoteClusterResolver(settings, clusterService.getClusterSettings());
}

public Predicate<String> getRestrictedIndicesPredicate() {
return Automatons.predicate(nameExpressionResolver.getSystemNameAutomaton());
}

/**
* Resolves, and if necessary updates, the list of index names in the provided <code>request</code> in accordance with the user's
* <code>authorizedIndices</code>.
Expand Down

0 comments on commit 3d7b277

Please sign in to comment.