Status: Open
Labels: :Analytics/SQL (SQL querying), >bug, Team:Analytics (Meta label for analytical engine team (ESQL/Aggs/Geo)), v8.2.0
Description
Elasticsearch Version
8.2.2
Installed Plugins
No response
Java Version
bundled
OS Version
ECK deployment
Problem Description
If you run some queries via SQL that target an index alias, instead of the query actually using the index alias, the backing index names are used. This is an issue if you provide privileges to an alias but not to the backing index.
Note: This was not a problem in 7.x, but is a problem in 8.x (only tested against 8.2.2). I don't see this listed as a known limitation, so opening as a bug.
Steps to Reproduce
- Have an index that also has an alias (for this example, I'll use the index pattern `.internal.alerts-observability.*.*-*-*`, with the alias pattern `.alerts-observability.*.*-*`)
- Have a role (and role mapping) which grants read access to the index:
```json
{
  ".alerts-observability.*.*-*-Read-Test" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          ".alerts-observability.*.*-*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
```
- Ensure the role mapping is assigned to the user
- Run the following query:
```
POST _sql
{
  "query": """
    SELECT * FROM ".alerts-observability.metrics.alerts-*"
  """
}
```
- Get the following exception/error:
```json
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000001], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000002], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000003], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000004], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000005], this action is granted by the index privileges [read,all]"
      },
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000006], this action is granted by the index privileges [read,all]"
      }
    ],
    "type" : "search_phase_execution_exception",
    "reason" : "all shards failed",
    "phase" : "query",
    "grouped" : true,
    "failed_shards" : [
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000001",
        "node" : "YFhI3ml0RKKcZ9-YShjU4g",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000001], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000002",
        "node" : "YFhI3ml0RKKcZ9-YShjU4g",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000002], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000003",
        "node" : "azaU0MjaRwmV8cQZBZiB8w",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000003], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000004",
        "node" : "w48mBtiFS9e3TUSDtIMvdQ",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000004], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000005",
        "node" : "ewLOLe_LTxe-MWS3REVtNQ",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000005], this action is granted by the index privileges [read,all]"
        }
      },
      {
        "shard" : 0,
        "index" : ".internal.alerts-observability.metrics.alerts-default-000006",
        "node" : "w48mBtiFS9e3TUSDtIMvdQ",
        "reason" : {
          "type" : "security_exception",
          "reason" : "action [indices:data/read/search[phase/query]] is unauthorized for user [testuser] with roles [.alerts-observability.*.*-*-Read-Test] on indices [.internal.alerts-observability.metrics.alerts-default-000006], this action is granted by the index privileges [read,all]"
        }
      }
    ]
  },
  "status" : 403
}
```
- Run another query:
```
POST _sql
{
  "query": """
    SELECT COUNT(*) AS count FROM ".alerts-observability.metrics.alerts-*"
  """
}
```
- Get a success:
```json
{
  "columns" : [
    {
      "name" : "count",
      "type" : "long"
    }
  ],
  "rows" : [
    [
      625117
    ]
  ]
}
```
Logs (if relevant)
No response
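The fingerprint of the behaviour reported above is that every index named in the 403 is a backing index the role never mentions, while the alias in front of it is covered by the role's `names` pattern. The script below is an added diagnostic (not part of this issue, and not Elasticsearch code) that checks exactly that: it pulls the denied indices out of a `search_phase_execution_exception` body, matches them against the role's index privilege patterns, and then checks whether an alias of each denied index would have been granted instead. The trimmed error body, the role, and the alias map (shaped like a `GET /<index>/_alias` response, with one unrelated `logs-app-*` index added to show the "not granted" path) are constructed sample data. It handles only `*` wildcards in role index names; `/regex/` names that Elasticsearch also accepts are not parsed. The request body it builds is for the real `POST /_security/user/_has_privileges` API, so you can confirm the verdict against a live cluster as the affected user.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample: the role from the issue, trimmed to the fields the check needs.
ROLE = {
    "indices": [
        {"names": [".alerts-observability.*.*-*"],
         "privileges": ["read", "view_index_metadata"]},
    ]
}

# Constructed sample: a trimmed 403 body in the shape of the one in the issue,
# plus one hypothetical unrelated index that has no alias the role covers.
ERROR_RESPONSE = {
    "error": {
        "type": "search_phase_execution_exception",
        "failed_shards": [
            {"shard": 0, "index": ".internal.alerts-observability.metrics.alerts-default-000001",
             "reason": {"type": "security_exception", "reason": "unauthorized (trimmed)"}},
            {"shard": 0, "index": ".internal.alerts-observability.metrics.alerts-default-000002",
             "reason": {"type": "security_exception", "reason": "unauthorized (trimmed)"}},
            {"shard": 0, "index": "logs-app-000001",
             "reason": {"type": "security_exception", "reason": "unauthorized (trimmed)"}},
        ],
    },
    "status": 403,
}

# Constructed sample: what GET /<index>/_alias returns, keyed by backing index.
ALIASES = {
    ".internal.alerts-observability.metrics.alerts-default-000001":
        {"aliases": {".alerts-observability.metrics.alerts-default": {}}},
    ".internal.alerts-observability.metrics.alerts-default-000002":
        {"aliases": {".alerts-observability.metrics.alerts-default": {}}},
    "logs-app-000001": {"aliases": {"logs-app": {}}},
}


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Role index names use '*' as the wildcard; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def granted_names(role: dict, privilege: str) -> List[str]:
    """Index name patterns in the role that grant `privilege` ('all' implies it)."""
    names: List[str] = []
    for entry in role.get("indices", []):
        privs = set(entry.get("privileges", []))
        if privilege in privs or "all" in privs:
            names.extend(entry.get("names", []))
    return names


def is_covered(index: str, patterns: Iterable[str]) -> bool:
    return any(pattern_to_regex(p).match(index) for p in patterns)


def denied_indices(error_response: dict) -> Set[str]:
    """Indices whose shard failure is a security_exception."""
    shards = error_response.get("error", {}).get("failed_shards", [])
    return {s["index"] for s in shards
            if s.get("reason", {}).get("type") == "security_exception"}


def diagnose(error_response: dict, role: dict, aliases: dict,
             privilege: str = "read") -> Dict[str, str]:
    """Classify each denied index: granted directly, granted only via an alias, or not granted."""
    patterns = granted_names(role, privilege)
    verdicts: Dict[str, str] = {}
    for index in sorted(denied_indices(error_response)):
        if is_covered(index, patterns):
            # Pattern covers the index itself, so the denial has another cause (DLS/FLS, restricted index, ...).
            verdicts[index] = "granted-directly"
            continue
        alias_names = aliases.get(index, {}).get("aliases", {})
        covered = sorted(a for a in alias_names if is_covered(a, patterns))
        if covered:
            # The symptom from the issue: the request was authorized per backing index, not per alias.
            verdicts[index] = "granted-via-alias-only:" + ",".join(covered)
        else:
            verdicts[index] = "not-granted"
    return verdicts


def has_privileges_body(names: Iterable[str], privileges: Iterable[str] = ("read",)) -> dict:
    """Body for POST /_security/user/_has_privileges, run as the affected user."""
    return {"index": [{"names": sorted(set(names)), "privileges": list(privileges)}]}


if __name__ == "__main__":
    for index, verdict in diagnose(ERROR_RESPONSE, ROLE, ALIASES).items():
        print(f"{index}: {verdict}")
    # Send this body as the user both for the alias and for the backing indices to confirm.
    print(has_privileges_body(denied_indices(ERROR_RESPONSE) | set(ALIASES[".internal.alerts-observability.metrics.alerts-default-000001"]["aliases"])))
```

A `granted-via-alias-only` verdict for every denied index is the pattern to look for before widening the role: the least-privilege fix is not to grant `.internal.*`, which would expose every backing index, but to confirm (with `_has_privileges`) that the alias is granted and then treat the per-backing-index authorization as the defect.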