GET _snapshot permission issue

Hi,

ror enterprise 1.19.5
elastic/kibana 6.7.2

we upgraded ror from 1.19.2 -> 1.19.5 and _snapshot endpoint is not allowed anymore, not even with full permissions. Repository creation and _cat/snapshots works. The strange thing is that ROR doesn’t even log the forbidden message to log, I only see it from client side.

config:

readonlyrest:
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
  access_control_rules:
    - name: "elastic"
      auth_key_sha256: ""
      type: allow

message:
{"error":{"root_cause":[{"reason":"Forbidden by ReadonlyREST ES plugin","due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"Forbidden by ReadonlyREST ES plugin","due_to":["OPERATION_NOT_ALLOWED"],"status":403}}

it’s already fixed but not released yet (we plan to do it on weekend).

You can test it without our pre build:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.20.0-pre7/readonlyrest-1.20.0-pre7_es6.7.2.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200619/eu-west-1/s3/aws4_request&X-Amz-Date=20200619T114750Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=1998383b2e49c1d3660ff80f24086615ecabf49bce107a1ab296dca185e043d4

I am facing a similar issue during “PUT _index_template” API when using readonlyrest-1.20.0_es7.8.0.

I am getting the following error message when I try uploading a template with users having full permission sets, while elasticsearch logs say that the access was granted:
{"error":{"root_cause":[{"reason":"Forbidden: restricted access area","due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"Forbidden: restricted access area","due_to":["OPERATION_NOT_ALLOWED"],"status":401}}

Are you planning a fix in the near term?

yes, I faced this regression recently. We’ll add proper tests and fix it in current sprint.

Do you have a timeline for releasing this fix?

Thank you!

I’m going to take care of it this week. As soon as I have this fix, I’ll send you a prebuild to test.
This fix will be probably released together with ROR 1.21.0. I’m planning to do two fixes (including this one) and we’ll be ready to release. Maybe this weekend.

@kkt2mail if you are interested in prebuild, please let me know what version of ES you use.

@coutoPL yes, please send me the prebuild to test what's included in 1.21.0

  • kibana/elasticsearch 6.7.2 enterprise

Thank you.

Thank you @coutoPL.
My elastic stack is on version 7.8.0.

@coutoPL is the fix ready? Can I get a pre-build please?

sorry, not ready yet.

@coutoPL any chance you’ll fix “PUT _index_template” anytime soon?

please check this version:

https://readonlyrest-data.s3.amazonaws.com/build/1.22.0-pre6/readonlyrest-1.22.0-pre6_es6.8.7.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200822/eu-west-1/s3/aws4_request&X-Amz-Date=20200822T081056Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=a380a340b067f7d901aac80f0f10c4ed581f2165f9cb6dcf6a9b8f5a75e37adb

Hello,

I am seeing this same issue, trying to access: /_snapshot with full permissions returns an OPERATION_NOT_ALLOWED error. This is in ES 6.8.12 with the ror version: readonlyrest-1.22.1_es6.8.12.zip. Is the fix going to be released soon?

Thanks!

OK, replying to myself. It works if I use _all, i.e. _snapshot/_all; this allows me to work around the issue, but still the original behavior is a bit unexpected.

We just upgraded to the same versions of both ror and ES (readonlyrest-1.22.1_es6.8.12), and are encountering the same issue. Thanks for the workaround!

This is under development right now. Will notify you when it’s fixed

Guys, we fixed several issues related to snapshot and restore API. Here are prebuilds to test:

@retzkek @andresp99999
https://readonlyrest-data.s3.amazonaws.com/build/1.24.0-pre3/readonlyrest-1.24.0-pre3_es6.8.12.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200927/eu-west-1/s3/aws4_request&X-Amz-Date=20200927T184559Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=13b78ed572836af08098163cad3f3b9610811346dc90e2f289db66d7f2455542

@kkt2mail
https://readonlyrest-data.s3.amazonaws.com/build/1.24.0-pre3/readonlyrest-1.24.0-pre3_es7.8.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200927/eu-west-1/s3/aws4_request&X-Amz-Date=20200927T183609Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=c972e3d738e00e4e218eec9c871fec40003630269247c9902a84d327582810c3

@peter.babik
https://readonlyrest-data.s3.amazonaws.com/build/1.24.0-pre3/readonlyrest-1.24.0-pre3_es6.7.2.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200927/eu-west-1/s3/aws4_request&X-Amz-Date=20200927T184522Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=9e2217ab0357764354bd0d9eda5da3353682534025f00df18ea05e2bac11c6a2
