Hello,
we have ReadonlyREST Pro and Elasticsearch in this configuration:
elasticsearch version: 8.14.1
ROR version 1.60.0
Now, I will create two indices:
PUT index1/_doc/1
{
  "content": "index1-data-1"
}
PUT index2/_doc/1
{
  "content": "index2-data-1"
}
In the ReadonlyREST config I have set up this block to allow the user “eqltest” to read data only from index1:
  - name: "::Other - eqltest::"
    auth_key: "eqltest:jabadaba"
    actions: ["indices:monitor/settings/get","cluster:monitor/main","cluster:monitor/nodes/stats","cluster:monitor/nodes/info","cluster:monitor/state","indices:monitor/stats","indices:admin/types/exists","indices:data/read/*","indices:admin/template/*","indices:admin/mappings/get"]
    indices: ["index1"]
The default policy is to block all requests. We have no other block in the config that should allow this user to read anything else.
Now here are 4 examples of API requests:
Case 1: standard search on index1, which should be allowed: OK
curl -u eqltest:jabadaba -XGET "https://my-elastic-node-url:9200/index1/_search" -H "Content-Type: application/json" -d'
{
  "query": {
    "match_all": {}
  }
}'
# RETURNS:
{"took":18,"timed_out":false,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":1,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"index1","_id":"1","_score":1.0,"_source":{
"content": "index1-data-1"
}}]}}
# Which is OK: it has access and it returns data
Case 2: standard search on index2, which should be filtered: OK
curl -u eqltest:jabadaba -XGET "https://my-elastic-node-url:9200/index2/_search" -H "Content-Type: application/json" -d'
{
  "query": {
    "match_all": {}
  }
}'
# RETURNS:
{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index [index2_ROR_qUrbUjCe5e]","resource.type":"index_or_alias","resource.id":"index2_ROR_qUrbUjCe5e","index_uuid":"_na_","index":"index2_ROR_qUrbUjCe5e"}],"type":"index_not_found_exception","reason":"no such index [index2_ROR_qUrbUjCe5e]","resource.type":"index_or_alias","resource.id":"index2_ROR_qUrbUjCe5e","index_uuid":"_na_","index":"index2_ROR_qUrbUjCe5e"},"status":404}
# Which is OK: it does not have access, and it returns index_not_found_exception
Case 3: eql search on index1, which should be allowed: OK
curl -u eqltest:jabadaba -XPOST -d '{
  "query": "from index1 | limit 10"
}' -H 'Accept: text/csv; charset=utf-8' -H 'Content-Type: application/json' 'https://my-elastic-node-url:9200/_query?format=csv'
# RETURNS:
content,content.keyword
index1-data-1,index1-data-1
# Which is OK: it has access and it returns data
Case 4: eql search on index2, which should be filtered: PROBLEM
curl -u eqltest:jabadaba -XPOST -d '{
  "query": "from index2 | limit 10"
}' -H 'Accept: text/csv; charset=utf-8' -H 'Content-Type: application/json' 'https://my-elastic-node-url:9200/_query?format=csv'
# RETURNS:
content,content.keyword
index2-data-1,index2-data-1
# Which is NOT OK, as it should be filtered... but it returns data!
This last case 4 should not return real data. From my tests, I found out that if there is any block in ReadonlyREST that allows user “eqltest” to read at least one index, the eql search will be allowed by this block and will be able to read any data from any index in Elasticsearch. If user eqltest has no allow block in ReadonlyREST at all, the request is blocked as it should be.
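To re-check the four cases after a config or ROR upgrade, the following script runs both endpoints against both indices and flags any response that carries document content from the index the block should hide. It is an added example, not part of the original post or of ReadonlyREST; it assumes the two test documents above (content "index1-data-1" / "index2-data-1") and the hypothetical ES_URL / ES_USER / ES_PASS variables, which default to the values used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): replay the four cases and
# report any endpoint that leaks document content from a hidden index.
# Assumes the test documents from the post and the hypothetical
# ES_URL / ES_USER / ES_PASS variables; defaults match the post.
ES_URL="${ES_URL:-https://my-elastic-node-url:9200}"
ES_AUTH="${ES_USER:-eqltest}:${ES_PASS:-jabadaba}"

# classify INDEX allow|deny BODY
# Prints OK or PROBLEM and returns 0 or 1. A leak is the presence of the
# test document's content ("<index>-data") in the body. For a denied
# index the response shape is not checked (ROR answers with a 404 on a
# rewritten index name, as in Case 2); only leaked content is a failure.
classify() {
  c_index="$1"; c_expect="$2"; c_body="$3"
  if printf '%s' "$c_body" | grep -F -q "${c_index}-data"; then
    leaked=1
  else
    leaked=0
  fi
  case "$c_expect" in
    allow) if [ "$leaked" -eq 1 ]; then echo OK; return 0; fi ;;
    deny)  if [ "$leaked" -eq 0 ]; then echo OK; return 0; fi ;;
    *) echo "bad expectation: $c_expect" >&2; return 2 ;;
  esac
  echo PROBLEM
  return 1
}

# Cases 1 and 2: the classic search API.
search_body() {
  curl -s -u "$ES_AUTH" -XGET "$ES_URL/$1/_search" \
    -H 'Content-Type: application/json' \
    -d '{"query":{"match_all":{}}}'
}

# Cases 3 and 4: the _query endpoint with the same "from <index>" query.
query_body() {
  curl -s -u "$ES_AUTH" -XPOST "$ES_URL/_query?format=csv" \
    -H 'Accept: text/csv; charset=utf-8' \
    -H 'Content-Type: application/json' \
    -d "{\"query\":\"from $1 | limit 10\"}"
}

# Run both endpoints against both indices; exit non-zero if any row is PROBLEM.
run_all() {
  rc=0
  for index in index1 index2; do
    if [ "$index" = index1 ]; then expect=allow; else expect=deny; fi
    printf '%s %s _search: ' "$index" "$expect"
    classify "$index" "$expect" "$(search_body "$index")" || rc=1
    printf '%s %s _query:  ' "$index" "$expect"
    classify "$index" "$expect" "$(query_body "$index")" || rc=1
  done
  return "$rc"
}

# Live requests only run on request, so the file can be sourced for its functions.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_all
fi
```

Run it with `RUN_LIVE=1 sh check.sh`; with the behaviour described above the `index2 deny _query` row prints PROBLEM and the script exits 1, while a fixed setup prints OK on all four rows.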