Free ROR ES plugin 1.24.0 aliases support failing on wildcard indices value

rodaj · November 18, 2020, 8:11pm

Attempts to create alias and add index fails with below two variations of authorization blocks on 1.23.0 and 1.24.0 (previous known working version is 1.18.10). If the indices value is changed from “infratest*” to “*” aliases work. To be clear, the alias created is same starting sequence as allowed indices in authorization block.

- name: "CEDP Infra Test producer"
  type: allow
  ldap_auth:
    name: "ldap2"
    groups: ["coedl_INFRATEST_es_producer"]
  actions: ["indices:data/*","indices:admin/*","indices:admin/aliases","indices:admin/aliases/exists","indices:admin/aliases/get","indices:monitor/*","cluster:monitor/*","cluster:admin/snapshot/create","cluster:admin/snapshot/delete","cluster:admin/snapshot/get","cluster:admin/snapshot/restore","cluster:admin/snapshot/status"]
  indices: ["infratest*"]
  repositories: ["infratest"]

- name: "CEDP Infra Test producer"
  type: allow
  ldap_auth:
    name: "ldap2"
    groups: ["coedl_INFRATEST_es_producer"]
  actions: ["indices:data/*","indices:admin/*","indices:monitor/*","cluster:monitor/*","cluster:admin/snapshot/create","cluster:admin/snapshot/delete","cluster:admin/snapshot/get","cluster:admin/snapshot/restore","cluster:admin/snapshot/status"]
  indices: ["infratest*"]
  repositories: ["infratest"]

sscarduzio · November 19, 2020, 11:41am

Hello @rodaj, thanks for reaching out.
Can you please attachan example of request and the corresponding log line in Elasticearch (the one who says “FORBIDDEN”) please?

rodaj · November 19, 2020, 1:05pm

My profuse apologies, as I was collecting data I thought to add the ansible url request to go with and found a bug in my script that has been there since first being written and had a bad alias name (hadn’t occurred to me when writing script that it was just being previously passed through without checking). Therefore the operation forbidden response was/is correct response. After fixing scripts (typo in alias name) and rerunning, all is working as expected for alias operations.

coutoPL · November 19, 2020, 7:28pm

@rodaj please also send this case using the pre-build I sent you in this thread