Skip to content

Non-wildcard index deletion returns a wildcard warning with security enabled #67958

New issue
New issue
Closed
Closed
Non-wildcard index deletion returns a wildcard warning with security enabled#67958
Labels
:Security/AuthorizationRoles, Privileges, DLS/FLS, RBAC/ABAC>bugTeam:SecurityMeta label for security team
@williamrandolph

Description

@williamrandolph
williamrandolph
opened on Jan 25, 2021

Description of the problem including expected versus actual behavior

@spalger discovered this issue while doing some testing around the action.destructive_requires_name setting: #66908 (comment)

In short, if you run Elasticsearch with security enabled and action.destructive_requires_name set to true, and you're ignoring unavailable indices, you can get a wildcard warning from an index deletion request that doesn't include a wildcard.

curl -s -XDELETE 'http://elastic:changeme@localhost:9200/functional-test-actions-index?ignore_unavailable=true&pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "Wildcard expressions or all indices are not allowed"
      }
    ],
    "type" : "illegal_argument_exception",
    "reason" : "Wildcard expressions or all indices are not allowed"
  },
  "status" : 400
}

This reproduces on 7.10.2 and master for me.

Steps to reproduce

Reproducing on the command line of a fresh 7.10.2 installation:

  1. Add xpack.security.enabled: true and action.destructive_requires_name to config/elasticsearch.yml.
  2. Start elasticsearch and set the password for the elastic user to `changeme.
  3. Run the following command:
curl -s -XDELETE 'http://elastic:changeme@localhost:9200/functional-test-actions-index?ignore_unavailable=true&pretty'

Reproducing using a YAML test:

  1. Add the following file to your Elasticsearch repo:
rest-api-spec/src/main/resources/rest-api-spec/test/indices.delete/20_destructive_wildcard.yml 
---
setup:
  - do:
      cluster.put_settings:
        body:
          transient:
            action.destructive_requires_name: "true"
        flat_settings: true
---
teardown:
  - do:
      cluster.put_settings:
        body:
          transient:
            action.destructive_requires_name: "false"
        flat_settings: true
---
"Delete nonexistent concrete index with wildcard expansion disallowed":
  - do:
      indices.delete:
        index: index3
        ignore_unavailable: true
  1. Non-security yaml rest tests should pass:
./gradlew :rest-api-spec:yamlRestTest -Dtests.method="test {yaml=indices.delete/20*}"
  1. ...but the ones with security enabled will fail.
./gradlew ':x-pack:qa:core-rest-tests-with-security:integTest' --tests "org.elasticsearch.xpack.security.CoreWithSecurityClientYamlTestSuiteIT" -Dtests.method="test {yaml=indices.delete/20*}"

Metadata

Metadata

Assignees

No one assigned

    Labels

    :Security/AuthorizationRoles, Privileges, DLS/FLS, RBAC/ABAC>bugTeam:SecurityMeta label for security team

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions