Group not checked in access rule?


(kris) #1

I have the following configuration:

  access_control_rules:

  - name: testrule
    type: allow
    verbosity: info
    groups: ["nonexisting"]

  users:

  - username: user
    auth_key: user:passwd
    groups: ["testgroup"]

If I request the list of indices using curl -XGET -u user 'https://localhost:9200/_cat/indices?v&pretty', I expect an authentication error because the user user doesn’t belong to the group nonexisting. However, I get a list of indices.

The log file contains the following lines, suggesting the user was successfully authenticated:

[19/May/2017:12:18:31 +0000] [INFO ][o.e.p.r.a.ACL            ] request: { ID:1767708345-609652801, TYP:ClusterStateRequest, USR:user, BRS:true, ACT:cluster:monitor/state, OA:172.17.0.1, IDX:, MET:GET, PTH:/_cat/indices, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent,  HIS:[testrule->[groups->true]] } matched block: testrule match: true}
[19/May/2017:12:18:31 +0000] [INFO ][o.e.p.r.a.ACL            ] request: { ID:1767708345-568441551, TYP:ClusterHealthRequest, USR:user, BRS:true, ACT:cluster:monitor/health, OA:172.17.0.1, IDX:, MET:GET, PTH:/_cat/indices, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent,  HIS:[testrule->[groups->true]] } matched block: testrule match: true}
[19/May/2017:12:18:31 +0000] [INFO ][o.e.p.r.a.ACL            ] request: { ID:1767708345-361031949, TYP:IndicesStatsRequest, USR:user, BRS:true, ACT:indices:monitor/stats, OA:172.17.0.1, IDX:, MET:GET, PTH:/_cat/indices, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent,  HIS:[testrule->[groups->true]] } matched block: testrule match: true}

I was expecting that the user wouldn’t be accepted as he is not part of the unused group. Am I interpreting the user/group configuration correctly, i.e. is this intended behaviour, or is this a bug?

I am using Elasticsearch 5.4.0 with a fresh build of ReadonlyREST 1.15.1-pre1.


(Simone Scarduzio) #2

Confirmed as a bug in 1.15.1-pre1.
@coutoPL FYI looks like the groups feature completely broke in the refactoring.

I’m going to put together an integration test for this right now.


(Mateusz Kołodziejczyk) #3

yes, if there is no test of this, regression might occur :frowning:


(Simone Scarduzio) #4

Meanwhile: I found the bug. It was just a flipped boolean condition. Will proceed with the test.
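An added illustration of the failure mode described in this thread, not ReadonlyREST's own code: a minimal model of how a `groups` condition in an access_control_rules block should be evaluated, beside a flipped-boolean variant that reproduces the behaviour seen in post #1. The config mirrors the one in the thread; the default-deny when no rule matches and the `flipped` switch are assumptions of this model.

```python
# Added example (not ReadonlyREST's own code): evaluate the thread's config
# against a request by "user", with a correct groups check and with the
# negated check that models the regression from post #4.

CONFIG = {
    "access_control_rules": [
        {"name": "testrule", "type": "allow", "groups": ["nonexisting"]},
    ],
    "users": [
        {"username": "user", "auth_key": "user:passwd", "groups": ["testgroup"]},
    ],
}


def lookup_user(config, username):
    """Return the users entry for username, or None if unknown."""
    for u in config["users"]:
        if u["username"] == username:
            return u
    return None


def groups_rule_matches(rule, user, flipped=False):
    """True when the user belongs to at least one group listed in the rule.

    flipped=True negates the membership test, so a user in *none* of the
    rule's groups matches (the bug reproduced in the thread)."""
    member = any(g in user.get("groups", []) for g in rule["groups"])
    return (not member) if flipped else member


def evaluate(config, username, flipped=False):
    """Return (decision, history) for a request by username.

    history uses the same "rule->[groups->bool]" shape as the HIS field in
    the log lines from post #1. Only allow-type rules are modelled here."""
    user = lookup_user(config, username)
    if user is None:
        return ("forbidden", [])  # assumption: unknown user is rejected
    history = []
    for rule in config["access_control_rules"]:
        matched = groups_rule_matches(rule, user, flipped)
        history.append(f"{rule['name']}->[groups->{str(matched).lower()}]")
        if matched:
            return (rule["type"], history)
    return ("forbidden", history)  # assumption: no matching rule means deny


if __name__ == "__main__":
    print(evaluate(CONFIG, "user", flipped=True))  # buggy: allowed
    print(evaluate(CONFIG, "user"))                # fixed: forbidden
```

Running it with `flipped=True` yields the same `testrule->[groups->true]` history the reporter saw; the correct check denies the request, which is the regression case an integration test should pin down.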


(Simone Scarduzio) #5

Thanks @krbr for reporting this, now we fixed this, enhanced the logic and have an integration test about it. :rocket:

Here is a new pre release for you.

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.15.1-pre2/readonlyrest-1.15.1-pre2_es5.4.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20170519/eu-west-1/s3/aws4_request&X-Amz-Date=20170519T171542Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=e04786d39aa843edef1514ed340d95d8b8df3fc9f9607750fa18327f6b8dd7fb

Tell us if you find any issues :slight_smile:


(kris) #6

Hi, it seems to work as expected now, thanks for the fix!