I have the following configuration:
    access_control_rules:
    - name: testrule
      type: allow
      verbosity: info
      groups: ["nonexisting"]
    users:
    - username: user
      auth_key: user:passwd
      groups: ["testgroup"]
If I request the list of indices using curl -XGET -u user 'https://localhost:9200/_cat/indices?v&pretty', I expect an authentication error because the user user doesn’t belong to the group nonexisting. However, I get a list of indices.
The log file contains the following lines, suggesting the user was successfully authenticated:
[19/May/2017:12:18:31 +0000] [INFO ][o.e.p.r.a.ACL ] request: { ID:1767708345-609652801, TYP:ClusterStateRequest, USR:user, BRS:true, ACT:cluster:monitor/state, OA:172.17.0.1, IDX:, MET:GET, PTH:/_cat/indices, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[testrule->[groups->true]] } matched block: testrule match: true}
[19/May/2017:12:18:31 +0000] [INFO ][o.e.p.r.a.ACL ] request: { ID:1767708345-568441551, TYP:ClusterHealthRequest, USR:user, BRS:true, ACT:cluster:monitor/health, OA:172.17.0.1, IDX:, MET:GET, PTH:/_cat/indices, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[testrule->[groups->true]] } matched block: testrule match: true}
[19/May/2017:12:18:31 +0000] [INFO ][o.e.p.r.a.ACL ] request: { ID:1767708345-361031949, TYP:IndicesStatsRequest, USR:user, BRS:true, ACT:indices:monitor/stats, OA:172.17.0.1, IDX:, MET:GET, PTH:/_cat/indices, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[testrule->[groups->true]] } matched block: testrule match: true}
I was expecting that the user wouldn’t be accepted as he is not part of the unused group. Am I interpreting the user/group configuration correctly, i.e. is this intended behaviour, or is this a bug?
I am using Elasticsearch 5.4.0 with a fresh build of ReadonlyREST 1.15.1-pre1.
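
A cross-check for the behaviour reported in this post, added here as an example (it is not ReadonlyREST code and not the poster's): it lints the configuration for rule groups that no user belongs to, and scans audit lines for requests where the groups rule evaluated true although the logged user is in none of that block's groups. It assumes the semantics the poster expects (a groups rule matches only members of a listed group); the function names, the okrule block and the second log line are constructed.

```python
import re

# Transcribed from the post's configuration; "okrule" is a constructed control case.
RULES = {"testrule": ["nonexisting"], "okrule": ["testgroup"]}  # block -> groups rule
USERS = {"user": ["testgroup"]}                                 # username -> groups

# First line is from the post; the second is constructed for contrast.
SAMPLE_LOG = """\
[19/May/2017:12:18:31 +0000] [INFO ][o.e.p.r.a.ACL ] request: { ID:1767708345-609652801, TYP:ClusterStateRequest, USR:user, BRS:true, ACT:cluster:monitor/state, OA:172.17.0.1, IDX:, MET:GET, PTH:/_cat/indices, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[testrule->[groups->true]] } matched block: testrule match: true}
[19/May/2017:12:18:32 +0000] [INFO ][o.e.p.r.a.ACL ] request: { ID:constructed-1, TYP:ClusterHealthRequest, USR:user, BRS:true, ACT:cluster:monitor/health, OA:172.17.0.1, IDX:, MET:GET, PTH:/_cat/indices, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization, HIS:[okrule->[groups->true]] } matched block: okrule match: true}
"""

LINE_RE = re.compile(
    r"request: \{ ID:(?P<id>[^,]+),.*?USR:(?P<user>[^,]*),.*?"
    r"HIS:(?P<his>.*?) \} matched block: (?P<block>\S+) match: true"
)
HIS_RE = re.compile(r"(\w+)->\[([^\]]*)\]")  # block->[rule->result, ...]


def unreachable_groups(rules, users):
    """Per block, the groups it requires that no configured user belongs to."""
    defined = {g for groups in users.values() for g in groups}
    missing = {name: sorted(set(groups) - defined) for name, groups in rules.items()}
    return {name: groups for name, groups in missing.items() if groups}


def suspicious_matches(log_text, rules, users):
    """(request id, user, block) where groups->true but the user is in no listed group."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        history = dict(HIS_RE.findall(m["his"]))
        pairs = (p.strip().split("->", 1) for p in history.get(m["block"], "").split(","))
        results = dict(p for p in pairs if len(p) == 2)
        if results.get("groups") != "true":
            continue  # the block did not match through its groups rule
        required = set(rules.get(m["block"], []))
        member_of = set(users.get(m["user"], []))
        if not required & member_of:
            hits.append((m["id"], m["user"], m["block"]))
    return hits


if __name__ == "__main__":
    print("rule groups with no members:", unreachable_groups(RULES, USERS))
    for hit in suspicious_matches(SAMPLE_LOG, RULES, USERS):
        print("groups rule matched a non-member:", hit)
```
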