403 for no index permission from _cat/indices call

[bmcconaghy]

Elasticsearch version (bin/elasticsearch --version): 7.0.0-SNAPSHOT

Description of the problem including expected versus actual behavior:
When calling _cat/indices with no index list, indices for which the user does not have privileges simply omit the docs count and storage size information. However, calling the same API with an index for which the user does not have privileges (_cat/indices/index_you_cant_see_info_for) returns a 403 error:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:monitor/stats] is unauthorized for user [billy]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:monitor/stats] is unauthorized for user [billy]"
  },
  "status": 403
}

I think the API should behave the same in either case, just return the data without storage size and docs count.

[javanna]

This is by design: empty indices are considered as a wildcard expression (same as specifying *), which is expanded to all the indices that the current user is authorized for. When specifying a concrete index though, you will get an error back like you noticed. I am pretty sure that this is documented somewhere, but I can't seem to find where anymore. Maybe somebody from @elastic/es-security can chime in.

[bmcconaghy]

@javanna This behavior is asymmetrical though. Users can see indices that they don't have permissions for when they don't specify an index list. Seems to me that those indices should just be filtered out and then the behavior would be more consistent.

[javanna]

@bmcconaghy I see what you mean, I agree with you.

[elasticmachine]

Pinging @elastic/es-core-features

[albertzaharovits]

@javanna This behavior is asymmetrical though. Users can see indices that they don't have permissions for when they don't specify an index list. Seems to me that those indices should just be filtered out and then the behavior would be more consistent.

I agree as well. I think the prob is in RestIndicesAction

elasticsearch/server/src/main/java/org/elasticsearch/rest/action/cat/RestIndicesAction.java

Line 126 in 9ceb218

Table tab = buildTable(request, concreteIndices, clusterHealthResponse,

. I have an idea of a simple fix for this, but _cat APIs probably need some cleansing overall.

[bmcconaghy]

Thanks for taking a look at this @albertzaharovits !