Auth error for index template APIs doesn't include manage_index_templates cluster priv #68144

Closed
@jrodewig

Elasticsearch version (bin/elasticsearch --version): Latest elasticsearch-8.0.0-SNAPSHOT-darwin-x86_64.tar.gz

Plugins installed: []

JVM version (java -version):

openjdk version "15.0.1" 2020-10-20
OpenJDK Runtime Environment AdoptOpenJDK (build 15.0.1+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 15.0.1+9, mixed mode, sharing)

OS version (uname -a if on a Unix-like system):
Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 x86_64

Description of the problem including expected versus actual behavior:

The manage_index_templates cluster privilege lets a user run the following APIs:

However, the authorization error returned by these APIs does not list manage_index_templates as a privilege.

Steps to reproduce:

  1. As the elastic user, create a mytest role with no cluster privileges:
POST _security/role/mytest
{
  "cluster": [
  ],
  "indices": [ ]
}
  2. As the elastic user, create a test user with the mytest role:
POST _security/user/test
{
  "password" : "...",
  "roles" : [ "mytest" ]
}
  3. Use one of the above APIs as the test user. For example, use the put composable index template API:
PUT _index_template/template_1
{
  "index_patterns" : ["te*"],
  "priority" : 1
}

The request returns the following error message. manage_index_templates should be in the list of privileges but is not included. Only manage,all are listed.

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:admin/index_template/put] is unauthorized for user [test], this action is granted by the privileges [manage,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/index_template/put] is unauthorized for user [test], this action is granted by the privileges [manage,all]"
  },
  "status" : 403
}
  4. As the elastic user, add the manage_index_templates cluster privilege to the mytest role:
POST _security/role/mytest
{
  "cluster": [
    "manage_index_templates"
  ],
  "indices": [ ]
}
  5. As the test user, use the above API again. This time, the attempt will succeed.
PUT _index_template/template_1
{
  "index_patterns" : ["te*"],
  "priority" : 1
}
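
An added example, not part of the original report and not Elasticsearch code: a Python check that parses the 403 body shown in the report and lists privileges known to grant the action that the error hint leaves out. The function names and the regex for the reason string are assumptions based on the message quoted in this report.

```python
import json
import re

# Constructed sample: the 403 body from the report, with root_cause omitted.
SAMPLE_403 = json.dumps({
    "error": {
        "type": "security_exception",
        "reason": "action [indices:admin/index_template/put] is unauthorized "
                  "for user [test], this action is granted by the privileges "
                  "[manage,all]",
    },
    "status": 403,
})

# Matches the reason string as quoted in the report; other Elasticsearch
# versions may word it differently (assumption).
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r".*?granted by the privileges \[(?P<privs>[^\]]*)\]"
)

def parse_security_exception(body):
    """Return action, user and hinted privileges, or None if not a match."""
    doc = json.loads(body)
    err = doc.get("error")
    if not isinstance(err, dict) or doc.get("status") != 403:
        return None
    if err.get("type") != "security_exception":
        return None
    m = REASON_RE.search(err.get("reason", ""))
    if m is None:
        return None
    privs = [p.strip() for p in m.group("privs").split(",") if p.strip()]
    return {"action": m.group("action"), "user": m.group("user"), "hinted": privs}

def missing_from_hint(body, known_sufficient):
    """Privileges known to grant the action that the error hint omits."""
    parsed = parse_security_exception(body)
    if parsed is None:
        return []
    return sorted(set(known_sufficient) - set(parsed["hinted"]))

if __name__ == "__main__":
    print(parse_security_exception(SAMPLE_403))
    # Steps 4 and 5 of the report show manage_index_templates is sufficient.
    print(missing_from_hint(SAMPLE_403, ["manage_index_templates"]))
```
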
