Role mappings do not warn about invalid role_template entries #48773

Closed
legrego opened this issue Oct 31, 2019 · 2 comments · Fixed by #52636

legrego commented Oct 31, 2019

Role mappings can specify either an array of roles, or an array of role_templates. When role_templates are specified, they are expected to be in one of these two formats (based on my limited understanding of the code):

  1. { "template": { "source": "some_{{mustache}}_template_string" } }
  2. { "template": { "id": "stored_script_id" } }

The API allows users to submit invalid templates, such as:

```json
{
    ...
    "role_templates": [
        {
           "template": {
              "someOtherField": "foo"
           }
        },
        {
           "template": "just a plain old string"
        }
    ]
}
```

But once this role mapping is created, no users who rely on role mappings will be able to authenticate:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "error attempting to authenticate request",
        "header": {
          "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type": "security_exception",
    "reason": "error attempting to authenticate request",
    "caused_by": {
      "type": "not_x_content_exception",
      "reason": "Compressor detection can only be called on some xcontent bytes or compressed xcontent bytes"
    },
    "header": {
      "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status": 401
}
```

I think the API should ideally prevent these invalid templates from being stored in the first place, but I'm not sure how feasible that is.

Further, format 1 above requires inline scripts to be enabled, and format 2 above requires stored scripts to be enabled. If the required script type is disabled in Elasticsearch, then users will be unable to authenticate:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "error attempting to authenticate request",
        "header": {
          "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type": "security_exception",
    "reason": "error attempting to authenticate request",
    "caused_by": {
      "type": "illegal_argument_exception",
      "reason": "cannot execute [inline] scripts"
    },
    "header": {
      "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status": 401
}
```

I don't know how much can be done here, since node settings like scripts.allowed_types can be changed at any point after role mappings are created.
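
A client-side pre-flight check for role mapping bodies, as an added example that is not part of the original issue and is not Elasticsearch's own validation. It assumes only the two `role_templates` shapes listed in the issue are acceptable; the function name and the `allowed_script_types` parameter are hypothetical, and the sample mappings are constructed.

```python
# Added example: lint a role mapping body before submitting it, so that a
# malformed role_templates entry is caught before it can break authentication.
# Assumption: only the two template shapes listed in the issue are valid.

# template key -> script type that must be enabled for it to run
SCRIPT_TYPE_FOR_KEY = {"source": "inline", "id": "stored"}


def check_role_templates(mapping, allowed_script_types=("inline", "stored")):
    """Return a list of problems in mapping["role_templates"]; empty means OK."""
    templates = mapping.get("role_templates", [])
    if not isinstance(templates, list):
        return ["role_templates must be an array"]
    problems = []
    for i, entry in enumerate(templates):
        where = f"role_templates[{i}]"
        template = entry.get("template") if isinstance(entry, dict) else None
        if not isinstance(template, dict):
            problems.append(f"{where}: template must be an object")
            continue
        keys = [k for k in SCRIPT_TYPE_FOR_KEY if k in template]
        if len(keys) != 1:
            problems.append(f"{where}: template needs exactly one of 'source' or 'id'")
            continue
        value = template[keys[0]]
        if not isinstance(value, str) or not value:
            problems.append(f"{where}: '{keys[0]}' must be a non-empty string")
            continue
        needed = SCRIPT_TYPE_FOR_KEY[keys[0]]
        if needed not in allowed_script_types:
            problems.append(f"{where}: needs [{needed}] scripts, which are not allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample: the invalid entries quoted in the issue.
    invalid = {"role_templates": [
        {"template": {"someOtherField": "foo"}},
        {"template": "just a plain old string"},
    ]}
    # Constructed sample: one entry per documented format.
    valid = {"role_templates": [
        {"template": {"source": "some_{{mustache}}_template_string"}},
        {"template": {"id": "stored_script_id"}},
    ]}
    for problem in check_role_templates(invalid):
        print("invalid mapping:", problem)
    # Same valid mapping, but on a node where only stored scripts may run.
    for problem in check_role_templates(valid, allowed_script_types=("stored",)):
        print("stored-only node:", problem)
```

Because the allowed script types can change after a mapping is saved, the check is worth re-running against stored mappings whenever that node setting is changed.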

@legrego legrego added the :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC label Oct 31, 2019
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

@legrego legrego added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) and removed :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Oct 31, 2019
ywangd added a commit that referenced this issue Mar 24, 2020
Role names are now compiled from role templates before role mapping is saved.
This serves as validation for role templates to prevent malformed and invalid scripts
from being persisted, which could later break authentication.

Resolves: #48773
ywangd added a commit to ywangd/elasticsearch that referenced this issue Mar 24, 2020
Role names are now compiled from role templates before role mapping is saved.
This serves as validation for role templates to prevent malformed and invalid scripts
from being persisted, which could later break authentication.

Resolves: elastic#48773

legrego commented Mar 24, 2020

Thanks for the fix! ❤️
