Hello
Today I was debugging the ROR plugin and noticed that the rules in one of the blocks I’ve configured were not executed in the order I expected. Then I realised there is no user-defined order, as a block is just a YAML map and, well, maps are usually not ordered.
So, I was curious about what the design decision was here. Most of the rules don’t actually care as they work independently, but indices_rewrite and indices could have ordering implications.
Like filtering based on user provided index name or the rewritten one or even both if rules were allowed to be repeated.
Cheers
BTW, to give some context, I’m using ROR to secure a plain ElasticSearch cluster where the user can only access its own index, and I’m playing with indices_rewrite and indices to make it happen.
Details below if you are interested.
[details=Summary]All the configuration is currently the block below:
  - name: "Restrict access to user's index only"
    type: allow
    proxy_auth: "*"
    indices_rewrite: ["^(client-index).*$", "$1-@user"]
    indices: ["client-index*"]
You can figure my expectations were: check auth, then rewrite, finally check the rewritten indices.
Anyway, after making reads work, I had some trouble with update operations, but in version 1.14.1-pre4 that config seems to be working ok.
I don’t really have much time available so I had to use what’s already in the plugin. But a simpler way of implementing the rule above would be if indices supported the @user placeholder; except for the user-visible index name differences.
The only change I had to apply is switching a HashSet to a LinkedHashSet to make the order of iteration predictable (currently the order of addition in Block::initSyncConditions).
diff --git a/src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/Block.java b/src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/Block.java
index 55041ec..4523aff 100644
--- a/src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/Block.java
+++ b/src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/Block.java
@@ -70,7 +70,7 @@ public class Block {
private final Logger logger;
private final ConfigurationHelper conf;
private final Client client;
- private final Set<SyncRule> syncConditionsToCheck = Sets.newHashSet();
+ private final Set<SyncRule> syncConditionsToCheck = Sets.newLinkedHashSet();
private final Set<AsyncRule> asyncConditionsToCheck = Sets.newHashSet();
private boolean authHeaderAccepted = false;
public Block(Settings s, List<User> userList, List<LdapConfig> ldapList, Logger logger,
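Review bot: asyncConditionsToCheck, on the line right below the changed one, is still Sets.newHashSet(), so only the sync rules gain a predictable iteration order; if async rules can also be order-sensitive, switch that set to Sets.newLinkedHashSet() as well, or add a comment stating that async rule order is deliberately unspecified.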
@@ -246,6 +246,10 @@ public class Block {
} catch (RuleNotConfiguredException ignored) {
}
try {
+ syncConditionsToCheck.add(new IndicesRewriteSyncRule(s));
+ } catch (RuleNotConfiguredException ignored) {
+ }
+ try {
syncConditionsToCheck.add(new IndicesSyncRule(s));
} catch (RuleNotConfiguredException ignored) {
}
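Review bot: the guarantee that IndicesRewriteSyncRule is checked before IndicesSyncRule now rests solely on the position of this try block in initSyncConditions, and nothing in the code says so; add a comment above the added try block, e.g. `// must be added before IndicesSyncRule: the indices rule checks the rewritten names`, so a later reordering of these blocks does not silently undo the fix.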
@@ -258,10 +262,6 @@ public class Block {
} catch (RuleNotConfiguredException ignored) {
}
try {
- syncConditionsToCheck.add(new IndicesRewriteSyncRule(s));
- } catch (RuleNotConfiguredException ignored) {
- }
- try {
syncConditionsToCheck.add(new KibanaHideAppsSyncRule(s));
} catch (RuleNotConfiguredException ignored) {
}
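Review bot: this removal is the counterpart of the insertion in the previous hunk, so the rule is still registered exactly once; a unit test that builds a Block with both indices_rewrite and indices configured and asserts that the indices check sees the rewritten names would pin the ordering down, since LinkedHashSet only preserves insertion order and does not itself express the dependency between the two rules.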
[/details]
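As an added illustration of the ordering question raised in the post (this is not part of the original post and not the ReadonlyREST plugin's code), the toy model below evaluates a block's rules in a fixed insertion order and runs the post's indices_rewrite rule and indices glob in both possible orders. The rule semantics (a regex rewrite with a Java-style `$1` group reference and an `@user` placeholder, glob-matched index names, a block that denies on the first failing rule) are modelled on the configuration in the post, not taken from the plugin's sources; the class and function names `IndicesRewriteRule`, `IndicesRule`, `Block`, `build_blocks` and `decisions` are assumptions made for the example.

```python
"""Toy model of an ACL block whose rules run in a fixed insertion order.

Added illustration for the post above; not the ReadonlyREST plugin's code.
Rule semantics (regex rewrite with a Java-style "$1" group reference and an
"@user" placeholder, glob-matched index names) are modelled on the post's
configuration, not taken from the plugin's sources.
"""
import fnmatch
import re


class Request:
    """The parts of a request the two rules look at."""

    def __init__(self, user, indices):
        self.user = user
        self.indices = list(indices)  # rewritten in place by IndicesRewriteRule


class IndicesRewriteRule:
    """indices_rewrite: [regex, replacement]. Never rejects, only renames."""

    def __init__(self, pattern, replacement):
        self.regex = re.compile(pattern)
        # Java replacement strings write groups as $1; Python's re wants \1.
        self.template = re.sub(r"\$(\d+)", r"\\\1", replacement)

    def apply(self, request):
        def repl(match):
            # Expand group references first, then drop in the user name, so
            # characters in a user name are never parsed as escapes.
            return match.expand(self.template).replace("@user", request.user)

        request.indices = [self.regex.sub(repl, name) for name in request.indices]
        return True


class IndicesRule:
    """indices: [globs]. Accepts only if every requested index matches a glob."""

    def __init__(self, globs):
        self.globs = list(globs)
        self.last_checked = []  # the names this rule actually saw

    def apply(self, request):
        self.last_checked = list(request.indices)
        return all(
            any(fnmatch.fnmatchcase(name, g) for g in self.globs)
            for name in request.indices
        )


class Block:
    """Evaluates rules strictly in list order (what LinkedHashSet gives you)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, user, indices):
        request = Request(user, indices)
        for rule in self.rules:
            if not rule.apply(request):
                return False, request.indices
        return True, request.indices


def build_blocks(glob):
    """The post's rewrite rule plus an indices glob, in both possible orders."""
    rewrite = IndicesRewriteRule(r"^(client-index).*$", "$1-@user")
    check = IndicesRule([glob])
    return Block([rewrite, check]), Block([check, rewrite])


def decisions(glob, user, indices):
    """(allowed if rewrite runs first, allowed if the check runs first)."""
    rewrite_first, check_first = build_blocks(glob)
    return rewrite_first.evaluate(user, indices)[0], check_first.evaluate(user, indices)[0]


if __name__ == "__main__":
    rewrite_first, _ = build_blocks("client-index*")
    # alice asking for bob's index is silently redirected to her own
    print(rewrite_first.evaluate("alice", ["client-index-bob"]))
    # with a narrower glob the two orders disagree on a bare "client-index"
    print(decisions("client-index-*", "alice", ["client-index"]))
```

With the post's glob `client-index*` both orders reach the same decision for the inputs shown, which is why the configuration works regardless of which set implementation the plugin uses; the `last_checked` attribute shows that the indices rule nevertheless inspects different names in the two orders (the rewritten `client-index-alice` versus the client-supplied `client-index-bob`). The second call in the usage block uses a narrower glob, `client-index-*`, purely to show a case where the order flips the decision: the rewrite turns a bare `client-index` into `client-index-alice`, which the glob accepts, while the un-rewritten name is rejected.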