-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
search.allow_expensive_queries + wildcard application privs can fail authorization #96465
Comments
Pinging @elastic/es-security (Team:Security) |
I think this applies more broadly than just to API keys, i.e., regular users (and roles) as well. As long as there is a role with the right application privilege descriptors, we will run into this. I haven't tested it, just basing this on what I've seen in the code. There are other examples where turning off expensive queries breaks Security APIs (e.g., the QueryApiKey API may not work because we use a runtime field to flatten I think we should document this limitation, e.g., here: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-limitations.html and also more broadly here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html. If we want to solve this beyond better docs, I think we might want to aim for something general rather than specific to just application privileges (e.g., along the lines of #53607). I'll leave more thoughts on this tomorrow. |
This is a long standing issue. As @n1v0lg said, it affects roles as well, not just API keys. More importantly, we have reserved roles that use wildcard for application names, e.g.: Line 398 in 1cc1d12
So users can hit this issue even without creating any custom roles or API keys. We talked about this couple times in the past. I think we all agree it is an issue because the breakage is unintuitve. But haven't really allocate time to address it partly because we are not sure whether it should be addressed in a broader scope of how I do think we should fix the issue in the narrow context of security usage because it is unknown when the broader expensive query issue can be resolved. The solution we discussed before is to filter it in memory when
AFAIK, this is the only place where security internally uses expensive queries. API Key metadata is flattened field type which is not expensive. Users can query API keys with expensive queries. But in that case, they explicitly request the expensive operations. It is not the same as the case for NativePrivilegesStore where we internally uses prefix queries for role resolution without users being aware of it. |
For application privileges, today we use prefix query to resolve application names with trailing wildcard. However, prefix query is considered to be expensive and can be disabled if the cluster setting search.allow_expensive_queries is set to false. When that happens it breaks authorization in a surprising way. This PR adds conditional logic to fallback to in-memory filtering for application names when expensive queries are disabled. It is not less expensive. But it avoids the surprising breakage. Resolves: elastic#96465
For application privileges, today we use prefix query to resolve application names with trailing wildcard. However, prefix query is considered to be expensive and can be disabled if the cluster setting search.allow_expensive_queries is set to false. When that happens it breaks authorization in a surprising way. This PR adds conditional logic to fallback to in-memory filtering for application names when expensive queries are disabled. It is not less expensive. But it avoids the surprising breakage. Resolves: #96465
Elasticsearch Version
Tested against 8.6.0
Installed Plugins
No response
Java Version
bundled
OS Version
Ubuntu
Problem Description
When
search.allow_expensive_queries
is set tofalse
some queries may fail since they are considered expensive. Typically there is an obvious connection between the action you are performing and any errors raised due to expensive queries. For example, if you explicitly issue a prefix query andsearch.allow_expensive_queries
is set tofalse
there is a natural correlation between your request and the error.It has been found that when the following conditions are met
myapp*
)then authentication will fail due to an error [1] related to the expensive query. This because internally the code issues a prefix query to for the application name. The end result is the API key can longer be used for authentication for any action.
Workaround include :
search.allow_expensive_queries
is set totrue
*
from the application privilege nameIt is also possible to set
search.allow_expensive_queries
totrue
make a call with the API key or user with the role so that it gets cached, then setsearch.allow_expensive_queries
back tofalse
. That will cause the API key or role to be cached, and it will work after that, but it can also start to fail again at what would seem a random time if ever evicted from the cache or the node gets restarted. For this reason, that work around is not suggested.[1] Example exception. Note - other similar exceptions can occur but they all reference
search.allow_expensive_queries
and the.security-*
indexSteps to Reproduce
EDIT: Updated text to suggest this can happen with an API key or a custom role
The text was updated successfully, but these errors were encountered: