Skip to content

.security index has dynamic mappings which can lead to errors #35460

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
honzakral opened this issue Nov 12, 2018 · 1 comment · Fixed by #40499
Closed

.security index has dynamic mappings which can lead to errors #35460

honzakral opened this issue Nov 12, 2018 · 1 comment · Fixed by #40499
Assignees
@tvernum
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC

Comments

@honzakral
Copy link
Contributor

Elasticsearch version : 6.x, master

Description of the problem including expected versus actual behavior: settings for the .security index are set to dynamic: true for rules and metadata which can cause conflicts and also cause mapping explosion in case of many rules.

Steps to reproduce:

  1. create role mapping:
{"enabled": true, "roles": ["superuser"], "rules": {"field": {"metadata.saml": 12}}}
  1. attempt to create another role mapping:
{"enabled": true, "roles": ["superuser"], "rules": {"field": {"metadata.saml": "X"}}}

this will now fail since a mapping has been created for rules.field.metadata.saml in the .security index.

this is explicitly enabled in https://github.com/elastic/elasticsearch/blob/master/x-pack/plugin/core/src/main/resources/security-index-template.json#L154

the dynamic value should be set to false for rules in the template
@jtibshirani jtibshirani added the :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC label Nov 12, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@tvernum tvernum mentioned this issue Mar 27, 2019
Merged
@tvernum tvernum self-assigned this Mar 27, 2019
@tvernum tvernum added >bug and removed team-discuss labels Mar 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tvernum tvernum

Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove dynamic objects from security index tvernum/elasticsearch
5 participants
@honzakral @bizybot @tvernum @jtibshirani @elasticmachine