Elasticsearch: Alias to closed index when Security is enabled

Created on 6 Dec 2018  路  4Comments  路  Source: elastic/elasticsearch

When security is enabled (xpack.security.enabled: true and license is non basic) Indices requests with wildcard patterns might touch closed indices and throw. This happens if the wildcard (incl _all) includes an alias (that is authorized for the user) and the alias points to a closed index.
For example

PUT /foo
{
  "settings": {
    "number_of_replicas": 0,
    "number_of_shards": 1
  },
  "aliases": {
    "bar": {}
  }
}
POST /foo/_close
GET /_stats

IndexClosedException[closed]
org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:216)
org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndexNames(IndexNameExpressionResolver.java:138)
org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndexNames(IndexNameExpressionResolver.java:71)
org.elasticsearch.action.support.broadcast.node.TransportBroadcastByNodeAction$AsyncAction.<init>(TransportBroadcastByNodeAction.java:253)
org.elasticsearch.action.support.broadcast.node.TransportBroadcastByNodeAction.doExecute(TransportBroadcastByNodeAction.java:226)

The writing is on the wall https://github.com/elastic/elasticsearch/pull/31520#issuecomment-400260012
and
https://github.com/elastic/elasticsearch/blob/5afcbb80ac7884765df964fa42149a01d7152db7/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java#L420

In detail, when security is enable it will pre-expand wildcards to indices and aliases that are authorized for the user. When expanding indices it's simple to check and not expand to closed indices. However an authorized alias can point to closed and open indices.

I think the root problem is that when we expand wildcards to concrete aliases it comes to the core as if the user specifically requested this alias, when in fact it requested a wildcard, which the core will otherwise gracefully expand only to the open indices.

CC @javanna @talevy

:SecuritAuthorization >bug
Source
picture albertzaharovits

All 4 comments

Pinging @elastic/es-security

elasticmachine picture elasticmachine on 6 Dec 2018

I can own this but I am not sure yet of the fix. Suggestions are welcome.

albertzaharovits picture albertzaharovits on 6 Dec 2018

The problem here is that in security, we don't want to expand aliases to their concrete indices, as roles may be set up for aliases (to allow for document level security through filtered aliases) rather than their concrete indices. When you have an alias that points to multiple indices, and e.g. one is open while the other is closed, we have to decide what to do with the alias: Elasticsearch would expand that alias to only the opened index, and silently leave the closed index out. But Security has to either leave the alias (what it does today causing the error) or leave it out but then the opened index would be ignored which is a bug too.

I've seen this come up in the past, see #32238 which looks like the same issue. The solution to this would be to switch to authorizing indices names only (see #29874).

javanna picture javanna on 6 Dec 2018
👍1

@albertzaharovits I am closing this as a duplicate of #32238. As @javanna said, the solution is authorizing indices only, which I believe you plan to work on.

jaymode picture jaymode on 6 Dec 2018
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

dadoonet picture dadoonet  路  3Comments
rbayliss picture rbayliss  路  3Comments
abrahamduran picture abrahamduran  路  3Comments
dawi picture dawi  路  3Comments
makeyang picture makeyang  路  3Comments