Role mappings do not warn about invalid role_template entries #48773

Closed
@legrego

Role mappings can specify either an array of roles, or an array of role_templates. When role_templates are specified, they are expected to be in one of these two formats (based on my limited understanding of the code):

  1. { "template": { "source": "some_{{mustache}}_template_string" } }
  2. { "template": { "id": "stored_script_id" } }

The API allows users to submit invalid templates, such as:

{
    ...
    "role_templates": [
        {
            "template": {
                "someOtherField": "foo"
            }
        },
        {
            "template": "just a plain old string"
        }
    ]
}

But once this role mapping is created, no users who rely on role mappings will be able to authenticate:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "error attempting to authenticate request",
        "header": {
          "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type": "security_exception",
    "reason": "error attempting to authenticate request",
    "caused_by": {
      "type": "not_x_content_exception",
      "reason": "Compressor detection can only be called on some xcontent bytes or compressed xcontent bytes"
    },
    "header": {
      "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status": 401
}

I think the API should ideally prevent these invalid templates from being stored in the first place, but I'm not sure how feasible that is.

Further, format 1 above requires inline scripts to be enabled, and format 2 above requires stored scripts to be enabled. If the required script type is disabled in Elasticsearch, then users will be unable to authenticate:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "error attempting to authenticate request",
        "header": {
          "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type": "security_exception",
    "reason": "error attempting to authenticate request",
    "caused_by": {
      "type": "illegal_argument_exception",
      "reason": "cannot execute [inline] scripts"
    },
    "header": {
      "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status": 401
}

I don't know how much can be done here, since node settings like scripts.allowed_types can be changed at any point after role mappings are created.
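
A client-side pre-flight check for the two failure cases reported above, as an added example that is not part of the original issue or of Elasticsearch's own code. It assumes the two template formats listed in the issue; the function name `check_role_templates` and the `allowed_script_types` parameter are hypothetical, and the sample bodies are constructed.

```python
def check_role_templates(mapping, allowed_script_types=("inline", "stored")):
    """Return a list of problems in mapping["role_templates"]; empty means OK.

    Assumes the two template shapes listed in the issue:
    {"template": {"source": "..."}} and {"template": {"id": "..."}}.
    allowed_script_types is supplied by the caller (hypothetical parameter).
    """
    templates = mapping.get("role_templates", [])
    if not isinstance(templates, list):
        return ["role_templates: must be an array"]
    problems = []
    for i, entry in enumerate(templates):
        where = f"role_templates[{i}]"
        template = entry.get("template") if isinstance(entry, dict) else None
        if not isinstance(template, dict):
            problems.append(f"{where}: 'template' must be an object")
            continue
        present = [k for k in ("source", "id") if k in template]
        if len(present) != 1:
            problems.append(f"{where}: need exactly one of 'source' or 'id'")
            continue
        key = present[0]
        if not isinstance(template[key], str) or not template[key]:
            problems.append(f"{where}: '{key}' must be a non-empty string")
            continue
        # Format 1 (source) needs inline scripts; format 2 (id) needs stored scripts.
        needed = "inline" if key == "source" else "stored"
        if needed not in allowed_script_types:
            problems.append(f"{where}: requires [{needed}] scripts, not allowed")
    return problems


# Constructed sample bodies; BAD_MAPPING mirrors the invalid entries in the issue.
BAD_MAPPING = {"role_templates": [
    {"template": {"someOtherField": "foo"}},
    {"template": "just a plain old string"},
]}
GOOD_MAPPING = {"role_templates": [
    {"template": {"source": "some_{{mustache}}_template_string"}},
    {"template": {"id": "stored_script_id"}},
]}

if __name__ == "__main__":
    for name, body in (("bad", BAD_MAPPING), ("good", GOOD_MAPPING)):
        print(name, check_role_templates(body))
    print("stored only", check_role_templates(GOOD_MAPPING, ("stored",)))
```

Because the allowed script types can change after a mapping is stored, a check like this is only a point-in-time result and is worth re-running against existing mappings whenever that node setting changes.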

Labels

:Security/Authentication: Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)
