@Sinedko
please take a look at my tests:
readonlyrest.yml:

readonlyrest:
  access_control_rules:
    - name: "CONTAINER ADMIN"
      verbosity: "error"
      type: "allow"
      auth_key: "admin:container"
    - name: "user1 block"
      auth_key: user1:pass
      indices: [abc_*]
Admin creates indices:
curl -v -u admin:container -XPUT -H "Content-Type: application/json" "http://127.0.0.1:9200/foo_/_doc/1" -d '{"example":"test"}'
{"_index":"foo_","_type":"_doc","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
curl -u admin:container -XPUT -H "Content-Type: application/json" "http://127.0.0.1:9200/bar_/_doc/1" -d '{"example":"test"}'
{"_index":"bar_","_type":"_doc","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
curl -u admin:container -XPUT -H "Content-Type: application/json" "http://127.0.0.1:9200/abc_something/_doc/1" -d '{"example":"test"}'
{"_index":"abc_something","_type":"_doc","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
curl -u admin:container "http://localhost:9200/_cat/indices"
yellow open abc_something 75UfaNFXSgCnet_MkoadsQ 1 1 1 0 3.4kb 3.4kb
yellow open bar_ vUKExE2WRoKdR5lZl6kEzg 1 1 1 0 3.4kb 3.4kb
yellow open foo_ mK8yElFNR7uLyZaCzZkudQ 1 1 1 0 3.4kb 3.4kb
curl -u admin:container "http://localhost:9200/_cat/aliases"
// empty response
User1 doesn't have access to bar_ and foo_:
curl -u user1:pass "http://localhost:9200/_cat/indices"
yellow open abc_something 75UfaNFXSgCnet_MkoadsQ 1 1 1 0 3.4kb 3.4kb
User1 tries to create abc_alias for one of the non-allowed indices (e.g. foo_):
first method:
curl -u user1:pass -XPOST -H "Content-Type: application/json" "http://localhost:9200/_aliases" -d '{"actions":[{"add":{"index":"foo_","alias":"abc_alias"}}]}'
{"error":{"root_cause":[{"reason":"forbidden","due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"forbidden","due_to":["OPERATION_NOT_ALLOWED"],"status":401}}
[2020-07-02T15:51:07,797][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [n1_it] FORBIDDEN by default req={ ID:1036056043-82774905#183, TYP:IndicesAliasesRequest, CGR:N/A, USR:user1 (attempted), BRS:true, KDX:null, ACT:indices:admin/aliases, OA:127.0.0.1/32, XFF:null, DA:::1/32, IDX:foo_, MET:POST, PTH:/_aliases, CNT:{"actions":[{"add":{"index":"foo_","alias":"abc_alias"}}]}, HDR:Accept=*/*, Authorization=Basic dXNlcjE6cGFzcw==, Content-Length=58, Content-Type=application/json, Host=localhost:9200, User-Agent=curl/7.54.0, HIS:[CONTAINER ADMIN-> RULES:[auth_key->false], RESOLVED:[indices=foo_]], [user1 block-> RULES:[auth_key->true, indices->false], RESOLVED:[user=user1;indices=foo_]] }
second method:
curl -u user1:pass -XPUT "http://localhost:9200/foo_/_alias/abc_alias2"
{"error":{"root_cause":[{"reason":"forbidden","due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"forbidden","due_to":["OPERATION_NOT_ALLOWED"],"status":401}}
[2020-07-02T16:03:46,233][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [n1_it] FORBIDDEN by default req={ ID:61700229-1673001928#452, TYP:IndicesAliasesRequest, CGR:N/A, USR:user1 (attempted), BRS:true, KDX:null, ACT:indices:admin/aliases, OA:127.0.0.1/32, XFF:null, DA:::1/32, IDX:foo_, MET:PUT, PTH:/foo_/_alias/abc_alias2, CNT:<N/A>, HDR:Accept=*/*, Authorization=Basic dXNlcjE6cGFzcw==, Host=localhost:9200, User-Agent=curl/7.54.0, content-length=0, HIS:[CONTAINER ADMIN-> RULES:[auth_key->false], RESOLVED:[indices=foo_]], [user1 block-> RULES:[auth_key->true, indices->false], RESOLVED:[user=user1;indices=foo_]] }
As we can see, the indices rule rejects the request.
So, I cannot confirm your objections. It works as expected. The user still cannot access forbidden indices.
But user1 is allowed to create an alias for an index which he is allowed to see:
curl -u user1:pass -XPOST -H "Content-Type: application/json" "http://localhost:9200/_aliases" -d '{"actions":[{"add":{"index":"abc_something","alias":"abc_alias"}}]}'
{"acknowledged":true}
curl -u user1:pass "http://localhost:9200/_cat/aliases"
abc_alias abc_something - - - -
curl -u user1:pass "http://localhost:9200/abc_alias"
{"abc_something":{"aliases":{"abc_alias":{}},"mappings":{"properties":{"example":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}}}},"settings":{"index":{"creation_date":"1593697592955","number_of_shards":"1","number_of_replicas":"1","uuid":"75UfaNFXSgCnet_MkoadsQ","version":{"created":"7070199"},"provided_name":"abc_something"}}}}
As I mentioned before, there is one problem. A user can create an alias with a forbidden name (it should be rejected by the indices rule):
curl -u user1:pass -XPOST -H "Content-Type: application/json" "http://localhost:9200/_aliases" -d '{"actions":[{"add":{"index":"abc_something","alias":"should_be_forbidden"}}]}'
{"acknowledged":true}
curl -u user1:pass "http://localhost:9200/_cat/aliases"
abc_alias abc_something - - - -
should_be_forbidden abc_something - - - -
curl -u user1:pass "http://localhost:9200/should_be_forbidden"
{"abc_something":{"aliases":{"abc_alias":{},"should_be_forbidden":{}},"mappings":{"properties":{"example":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}}}},"settings":{"index":{"creation_date":"1593697592955","number_of_shards":"1","number_of_replicas":"1","uuid":"75UfaNFXSgCnet_MkoadsQ","version":{"created":"7070199"},"provided_name":"abc_something"}}}}
As you can see, I'm not able to reproduce the issue you've reported. Maybe your case is a little bit different, so it'd be nice if you could analyse the scenario above once again and compare it with your test scenario.
Let me know. If I'm able to reproduce the issue, fixing it should not be a problem.
Cheers
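The following is an added example, not part of the post above and not ReadonlyREST's own code. It models how an `indices: [abc_*]` rule evaluates the alias requests shown in the thread, both the `POST /_aliases` body form and the `PUT /{index}/_alias/{alias}` path form, and contrasts two policies: matching only the target index (which lets `should_be_forbidden` through, as the post shows) and matching the alias name as well (the behaviour the post argues the rule should have). The request strings are copied from the thread; the function names, the `check_alias_name` switch and the glob matcher are assumptions made here for illustration.

```python
"""Model of an ``indices``-style rule applied to Elasticsearch alias requests.

Added illustration only; this is NOT ReadonlyREST's implementation. It
reproduces the requests from the thread and shows why checking only the
target index lets an alias with a forbidden name be created.
"""
import json
import re


def glob_match(name, pattern):
    """Elasticsearch-style wildcard match: only '*' is special."""
    rx = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(rx, name) is not None


def allowed_by_patterns(name, patterns):
    """True if ``name`` matches at least one allowed pattern."""
    return any(glob_match(name, p) for p in patterns)


def alias_pairs_from_body(body):
    """(index, alias) pairs from a POST /_aliases JSON body."""
    pairs = []
    for action in json.loads(body).get("actions", []):
        for verb, spec in action.items():
            if verb not in ("add", "remove"):
                continue
            indices = spec.get("indices") or [spec.get("index")]
            aliases = spec.get("aliases") or [spec.get("alias")]
            for idx in indices:
                for alias in aliases:
                    pairs.append((idx, alias))
    return pairs


def alias_pairs_from_path(path):
    """(index, alias) pair from PUT /{index}/_alias/{alias}."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[1] not in ("_alias", "_aliases"):
        raise ValueError("not an alias path: %r" % path)
    return [(parts[0], parts[2])]


def evaluate(pairs, patterns, check_alias_name):
    """Return 'ALLOWED' or 'FORBIDDEN' for a set of (index, alias) pairs.

    check_alias_name=False: only the target index is matched (what the
    thread observes). check_alias_name=True: the alias name must match
    the same patterns too (what the thread says should happen).
    """
    for index, alias in pairs:
        if not allowed_by_patterns(index, patterns):
            return "FORBIDDEN"
        if check_alias_name and not allowed_by_patterns(alias, patterns):
            return "FORBIDDEN"
    return "ALLOWED"


# Rule from the thread: user1 may only touch indices matching abc_*
USER1_INDICES = ["abc_*"]

# Requests copied from the thread (constructed here as plain strings).
REQ_FOO_ALIAS = '{"actions":[{"add":{"index":"foo_","alias":"abc_alias"}}]}'
REQ_PUT_PATH = "/foo_/_alias/abc_alias2"
REQ_OK = '{"actions":[{"add":{"index":"abc_something","alias":"abc_alias"}}]}'
REQ_BAD_NAME = '{"actions":[{"add":{"index":"abc_something","alias":"should_be_forbidden"}}]}'


def run_scenarios(check_alias_name):
    """Evaluate the four requests from the thread under one policy."""
    return {
        "foo_ via _aliases": evaluate(
            alias_pairs_from_body(REQ_FOO_ALIAS), USER1_INDICES, check_alias_name),
        "foo_ via PUT path": evaluate(
            alias_pairs_from_path(REQ_PUT_PATH), USER1_INDICES, check_alias_name),
        "abc_something -> abc_alias": evaluate(
            alias_pairs_from_body(REQ_OK), USER1_INDICES, check_alias_name),
        "abc_something -> should_be_forbidden": evaluate(
            alias_pairs_from_body(REQ_BAD_NAME), USER1_INDICES, check_alias_name),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("check_alias_name=%s" % mode)
        for name, verdict in run_scenarios(mode).items():
            print("  %-40s %s" % (name, verdict))
```

With `check_alias_name=False` the first two requests are refused because `foo_` does not match `abc_*`, while both requests against `abc_something` succeed, including the one that creates `should_be_forbidden`; with `check_alias_name=True` that last request is refused as well. The alias name matters because, once created, the alias is addressable like an index (the post's `GET /should_be_forbidden` shows this), so a rule that only filters index names leaves the alias namespace uncontrolled.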