You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When security is enabled (xpack.security.enabled: true and license is non basic) Indices requests with wildcard patterns might touch closed indices and throw. This happens if the wildcard (incl _all) includes an alias (that is authorized for the user) and the alias points to a closed index.
For example
PUT /foo
{
"settings": {
"number_of_replicas": 0,
"number_of_shards": 1
},
"aliases": {
"bar": {}
}
}
POST /foo/_close
GET /_stats
//TODO investigate supporting expandWildcards option for aliases too, like es core does.
In detail, when security is enable it will pre-expand wildcards to indices and aliases that are authorized for the user. When expanding indices it's simple to check and not expand to closed indices. However an authorized alias can point to closed and open indices.
I think the root problem is that when we expand wildcards to concrete aliases it comes to the core as if the user specifically requested this alias, when in fact it requested a wildcard, which the core will otherwise gracefully expand only to the open indices.
The problem here is that in security, we don't want to expand aliases to their concrete indices, as roles may be set up for aliases (to allow for document level security through filtered aliases) rather than their concrete indices. When you have an alias that points to multiple indices, and e.g. one is open while the other is closed, we have to decide what to do with the alias: Elasticsearch would expand that alias to only the opened index, and silently leave the closed index out. But Security has to either leave the alias (what it does today causing the error) or leave it out but then the opened index would be ignored which is a bug too.
I've seen this come up in the past, see #32238 which looks like the same issue. The solution to this would be to switch to authorizing indices names only (see #29874).
@albertzaharovits I am closing this as a duplicate of #32238. As @javanna said, the solution is authorizing indices only, which I believe you plan to work on.
When security is enabled (
xpack.security.enabled: true
and license is non basic) Indices requests with wildcard patterns might touch closed indices and throw. This happens if the wildcard (incl_all
) includes an alias (that is authorized for the user) and the alias points to a closed index.For example
The writing is on the wall #31520 (comment)
and
elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
Line 420 in 5afcbb8
In detail, when security is enable it will pre-expand wildcards to indices and aliases that are authorized for the user. When expanding indices it's simple to check and not expand to closed indices. However an authorized alias can point to closed and open indices.
I think the root problem is that when we expand wildcards to concrete aliases it comes to the core as if the user specifically requested this alias, when in fact it requested a wildcard, which the core will otherwise gracefully expand only to the open indices.
CC @javanna @talevy
The text was updated successfully, but these errors were encountered: