[SQL] SQL query expands index alias and runs queries against the backing index instead of the alias #87259

@BenB196

Elasticsearch Version

8.2.2

Installed Plugins

No response

Java Version

bundled

OS Version

ECK deployment

Problem Description

If you run some queries via SQL that target an index alias, instead of the query actually using the index alias, the backing index names are used. This is an issue if you provide privileges to an alias but not to the backing index.

Note: This was not a problem in 7.x, but is a problem in 8.x (only tested against 8.2.2). I don't see this listed as a known limitation, so opening as a bug.

Steps to Reproduce

  1. Have an index that also has an alias (for this example, I'll use the index pattern: .internal.alerts-observability.*.*-*-*, with the alias pattern of .alerts-observability.*.*-*)
  2. Have a role (and role mapping which grants read access to the index)
{
  ".alerts-observability.*.*-*-Read-Test" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          ".alerts-observability.*.*-*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
  3. Ensure the role mapping is assigned to the user
  4. Run the following query:
POST _sql
{
  "query": """
  SELECT * FROM ".alerts-observability.metrics.alerts-*"
  """
}
  5. Get the following exception/error:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000001], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000002], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000003], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000004], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000005], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000006], this action is granted by the index privileges [read,all]"
      }
    ],
    "type" : "search_phase_execution_exception",
    "reason" : "all shards failed",
    "phase" : "query",
    "grouped" : true,
    "failed_shards" : [
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000001",
        "node" : "YFhI3ml0RKKcZ9-YShjU4g",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000001], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000002",
        "node" : "YFhI3ml0RKKcZ9-YShjU4g",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000002], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000003",
        "node" : "azaU0MjaRwmV8cQZBZiB8w",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000003], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000004",
        "node" : "w48mBtiFS9e3TUSDtIMvdQ",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000004], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000005",
        "node" : "ewLOLe_LTxe-MWS3REVtNQ",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000005], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000006",
        "node" : "w48mBtiFS9e3TUSDtIMvdQ",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000006], this action is granted by the index privileges [read,all]"
        }
      }
    ]
  },
  "status" : 403
}
  6. Run another query:
POST _sql
{
  "query": """
  SELECT COUNT(*) AS count FROM ".alerts-observability.metrics.alerts-*"
  """
}
  7. Get a success
{
  "columns" : [
    {
      "name" : "count",
      "type" : "long"
    }
  ],
  "rows" : [
    [
      625117
    ]
  ]
}

Logs (if relevant)

No response
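
A diagnostic for the mismatch reported above, as an added example that is not part of the original issue or of Elasticsearch: it pulls the denied index names out of a 403 body and checks each against the role's patterns and the backing-index pattern from step 1. The sample body is constructed from the issue's output (trimmed to two root causes), and `matches` is a simplified wildcard matcher (`*` and `?` only), not Elasticsearch's own pattern engine.

```python
import json
import re

# From the issue: the role grants read on the alias pattern only, and the
# backing indices follow a different naming pattern.
ROLE_PATTERNS = [".alerts-observability.*.*-*"]
BACKING_PATTERN = ".internal.alerts-observability.*.*-*-*"

# Constructed sample: the 403 body from the issue, trimmed to two root causes.
_REASON = ("action [indices:data/read/search[phase/query]] is unauthorized for "
           "user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] "
           "on indices [.internal.alerts-observability.metrics.alerts-default-%s], "
           "this action is granted by the index privileges [read,all]")
SAMPLE_403 = json.dumps({
    "error": {"root_cause": [
        {"type": "security_exception", "reason": _REASON % "000001"},
        {"type": "security_exception", "reason": _REASON % "000002"},
    ], "type": "search_phase_execution_exception"},
    "status": 403,
})

def matches(pattern, name):
    """Simplified wildcard match: '*' and '?' only (no /regex/ patterns)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None

def denied_indices(body):
    """Collect the index names listed in security_exception reasons."""
    causes = json.loads(body).get("error", {}).get("root_cause", [])
    names = set()
    for cause in causes:
        if cause.get("type") != "security_exception":
            continue
        for group in re.findall(r"on indices \[([^\]]+)\]", cause.get("reason", "")):
            names.update(n.strip() for n in group.split(","))
    return sorted(names)

def classify(body, role_patterns=ROLE_PATTERNS, backing=BACKING_PATTERN):
    """Per denied index: is it covered by the role, and is it a backing index?"""
    return {
        name: {"granted_by_role": any(matches(p, name) for p in role_patterns),
               "is_backing_index": matches(backing, name)}
        for name in denied_indices(body)
    }

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_403).items():
        print(name, verdict)
```

Every denied name coming back as a backing index that the role does not cover is the signature of the behaviour described in this issue: authorization was evaluated against the expanded index names rather than the alias.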
