ILM policy Rollover action fails in case alias points to more than one index #40831

Closed
bizybot opened this issue Apr 4, 2019 · 2 comments · Fixed by #40834
>bug :Data Management/ILM+SLM Index and Snapshot lifecycle management :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC

bizybot commented Apr 4, 2019

Elasticsearch version (bin/elasticsearch --version): 6.6.2

Description of the problem including expected versus actual behavior:
Rollover action via ILM fails with unauthorized access when the user does
not have access to the concrete index but only to the alias.
This only happens when is_write_index is true, that is, after the rollover
we can have the rolled-over index with the same alias.

The authorization check fails as IndicesAndAliasesResolver#getPutMappingIndexOrAlias filters
out the alias name as it has multiple indices associated with it. For multiple indexes for the given alias, we should check if there is only one write index associated with it instead of a simple size check.

    Optional<String> foundAlias = aliasMetaData.stream()
        .map(AliasMetaData::alias)
        .filter(authorizedIndicesList::contains)
        .filter(aliasName -> metaData.getAliasAndIndexLookup().get(aliasName).getIndices().size() == 1)
        .findFirst();

Expected behavior:
The rollover action should succeed, resulting in a successful policy run.

Actual behavior:
Fails with

action [indices:admin/mapping/put] is unauthorized for user [test_user]

Steps to reproduce:

  • Create ILM policy
PUT /_ilm/policy/foo-policy
{
  "policy" : {
    "phases" : {
      "hot" : {
        "min_age": "0ms",
        "actions" : {
          "rollover" : {
            "max_docs" : 2
          }
        }
      }
    }
  }
}
  • Put Index template
PUT /_template/foo-template
{
  "index_patterns": ["foo-logs-*"],
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0,
    "index.lifecycle.name": "foo-policy",
    "index.lifecycle.rollover_alias": "foo_alias"
  }
}
  • Create an index with alias
PUT /foo-logs-000001
{
  "aliases": {
    "foo_alias" : { "is_write_index": true }
  }
}
  • Create a user with a role
PUT /_xpack/security/user/ufoo '{ "password": "foobar", "roles" : [ "foo_role" ]  }'

PUT /_xpack/security/role/foo_role '{ "cluster": [ "all" ], "indices": [ { "names": ["foo_alias"], "privileges": ["write", "manage"] } ] }'
  • Index some documents such that the ILM policy gets triggered, using the created user (ufoo)
POST /foo_alias/_doc '{ "field" : "foo" }'
POST /foo_alias/_doc '{ "field" : "foo" }'
  • Verify new index exists
GET /foo-logs-000002
  • Try to index using alias
POST /foo_alias/_doc '{ "field" : "foo" }'

Fails with:

action [indices:admin/mapping/put] is unauthorized for user [ufoo]
@bizybot bizybot added >bug :Data Management/ILM+SLM Index and Snapshot lifecycle management :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Apr 4, 2019
@bizybot bizybot self-assigned this Apr 4, 2019
@elasticmachine
Pinging @elastic/es-core-features

@elasticmachine
Pinging @elastic/es-security

bizybot pushed a commit to bizybot/elasticsearch that referenced this issue Apr 4, 2019
When the same alias points to multiple indices we can write to only one index
with `is_write_index` value `true`. The special handling for
PutMappingRequest filtered out such aliases making the request unauthorized.
The check has been modified to consider write index flag and only when the
requested index matches with the one with write index alias.

Closes elastic#40831
bizybot pushed a commit to bizybot/elasticsearch that referenced this issue Apr 4, 2019
When the same alias points to multiple indices we can write to only one index
with `is_write_index` value `true`. The special handling in case of put
mapping request to resolve authorized indices had a check on indices size.
If multiple indices existed then it marks request unauthorized.

The check has been modified to consider write index flag and only when the
requested index matches with the one with write index alias.

Closes elastic#40831
bizybot added a commit that referenced this issue Apr 17, 2019
…d indices (#40834)

When the same alias points to multiple indices we can write to only one index
with `is_write_index` value `true`. The special handling in case of the put
mapping request (to resolve authorized indices) has a check on indices size
for a concrete index. If multiple indices existed then it marked the request
as unauthorized.

The check has been modified to consider write index flag and only when the
requested index matches with the one with write index alias, the alias is considered
for authorization.

Closes #40831
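
The size check quoted in the issue beside a write-index-aware variant of the kind the commit message describes, as an added example that is not Elasticsearch's code. `AliasOnIndex`, `resolveBySize` and `resolveByWriteIndex` are hypothetical names, the alias state is constructed from the reproduction steps, and treating a single-index alias as its own write index is an assumption.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;

public class PutMappingAliasCheck {
    // Constructed model (not an Elasticsearch class): one alias entry on one concrete index.
    record AliasOnIndex(String alias, String index, boolean isWriteIndex) {}

    static long members(String alias, List<AliasOnIndex> all) {
        return all.stream().filter(a -> a.alias().equals(alias)).count();
    }

    // Size-based check from the issue: an authorized alias counts only if it points at exactly one index.
    static Optional<String> resolveBySize(String index, List<AliasOnIndex> all, Set<String> authorized) {
        return all.stream()
            .filter(a -> a.index().equals(index))
            .map(AliasOnIndex::alias)
            .filter(authorized::contains)
            .filter(alias -> members(alias, all) == 1)
            .findFirst();
    }

    // Write-index-aware check (assumed shape): with several indices behind the alias,
    // it counts only when the requested concrete index is the alias's write index.
    static Optional<String> resolveByWriteIndex(String index, List<AliasOnIndex> all, Set<String> authorized) {
        return all.stream()
            .filter(a -> a.index().equals(index))
            .filter(a -> authorized.contains(a.alias()))
            .filter(a -> members(a.alias(), all) == 1 || a.isWriteIndex())
            .map(AliasOnIndex::alias)
            .findFirst();
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        // Constructed state after rollover: the alias spans both indices, the new one is the write index.
        List<AliasOnIndex> afterRollover = List.of(
            new AliasOnIndex("foo_alias", "foo-logs-000001", false),
            new AliasOnIndex("foo_alias", "foo-logs-000002", true));
        Set<String> authorized = Set.of("foo_alias"); // the role names only the alias
        check(resolveBySize("foo-logs-000002", afterRollover, authorized).isEmpty(), "size check drops the alias after rollover");
        check(resolveByWriteIndex("foo-logs-000002", afterRollover, authorized).equals(Optional.of("foo_alias")), "write index resolves to the alias");
        check(resolveByWriteIndex("foo-logs-000001", afterRollover, authorized).isEmpty(), "non-write index stays unauthorized via the alias");
    }
}
```

The third check is the one to keep in a regression test: the relaxed rule must still refuse the alias for a put-mapping request that targets the rolled-over, non-write index.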
bizybot added a commit to bizybot/elasticsearch that referenced this issue Apr 17, 2019
…d indices (elastic#40834)

bizybot added a commit that referenced this issue Apr 17, 2019
…d indices (#40834) (#41288)

bizybot added a commit that referenced this issue Apr 17, 2019
…d indices (#40834) (#41287)

bizybot added a commit that referenced this issue Apr 17, 2019
…d indices (#40834) (#41289)

gurkankaymak pushed a commit to gurkankaymak/elasticsearch that referenced this issue May 27, 2019
…d indices (elastic#40834)
