Make sure that field-level security is enforced when using field aliases. #31807
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jtibshirani
added
>enhancement
:Search Foundations/Mapping
|
Pinging @elastic/es-search-aggs |
|
Pinging @elastic/es-security |
9 tasks
jtibshirani
force-pushed
the
field-alias-security
branch
from
54a0200
to
e57eab7
Compare
jaymode
approved these changes
Jul 13, 2018
| .setQuery(matchQuery("alias", "value1")) | ||
| .get(); | ||
| assertHitCount(response, 1); | ||
| // user2 has no access to field1, so a query on its field alias should match with the document: |
There was a problem hiding this comment.
s/should match/should not match
jtibshirani
force-pushed
the
field-alias-security
branch
from
2d02ddf
to
89e136d
Compare
jtibshirani
added a commit
that referenced
this pull request
Jul 17, 2018
…ses. (#31807) * Add basic unit tests for field level security with field aliases. * Ensure that field caps information is filtered when a field alias is provided.
jtibshirani
added a commit
that referenced
this pull request
Jul 18, 2018
…ses. (#31807) * Add basic unit tests for field level security with field aliases. * Ensure that field caps information is filtered when a field alias is provided.
jtibshirani
added a commit
that referenced
this pull request
Jul 18, 2018
* Add basic support for field aliases in index mappings. (#31287) * Allow for aliases when fetching stored fields. (#31411) * Add tests around accessing field aliases in scripts. (#31417) * Add documentation around field aliases. (#31538) * Add validation for field alias mappings. (#31518) * Return both concrete fields and aliases in DocumentFieldMappers#getMapper. (#31671) * Make sure that field-level security is enforced when using field aliases. (#31807) * Add more comprehensive tests for field aliases in queries + aggregations. (#31565) * Remove the deprecated method DocumentFieldMappers#getFieldMapper. (#32148)
jtibshirani
added a commit
to jtibshirani/elasticsearch
that referenced
this pull request
Jul 24, 2018
…ses. (elastic#31807) * Add basic unit tests for field level security with field aliases. * Ensure that field caps information is filtered when a field alias is provided.
jtibshirani
added a commit
that referenced
this pull request
Jul 24, 2018
* Add basic support for field aliases in index mappings. (#31287) * Allow for aliases when fetching stored fields. (#31411) * Add tests around accessing field aliases in scripts. (#31417) * Return both concrete fields and aliases in DocumentFieldMappers#getMapper. (#31671) * Add documentation around field aliases. (#31538) * Add validation for field alias mappings. (#31518) * Make sure that field-level security is enforced when using field aliases. (#31807) * Add more comprehensive tests for field aliases in queries + aggregations. (#31565) * Remove the deprecated method DocumentFieldMappers#getFieldMapper. (#32148) * Ensure that field aliases cannot be used in multi-fields. (#32219) * Make sure that field aliases count towards the total fields limit. (#32222) * Fix a test bug around nested aggregations and field aliases. (#32287) * Make sure the _uid field is correctly loaded in scripts. * Fix the failing test case FieldLevelSecurityTests#testParentChild_parentField. * Enforce that field aliases can only be specified on indexes with a single type.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A user should only ever set permissions on a concrete field, not a field alias. Given this assumption, this PR verifies that access control is enforced in the following requests:
Note that even if a user can't see an alias' target, they are still able to retrieve the mappings for the alias (which includes the name of the target field). I looked into filtering alias mappings as well, but the change is quite involved. To me this seems like an okay trade-off for now -- when using a field alias, a user can tell that the target field exists, but cannot access any of its mapping information, whether through a 'get mappings' or field capabilities request.
I plan to update the documentation in
elastic/stack-docsin a follow-up PR to specify that security shouldn't be set on field aliases. We currently don't enforce that permissions can't be set on an alias -- I didn't see a good way to do this, but am very happy for pointers.