Add more context to cluster access denied messages #66900

tvernum · 2020-12-31T05:19:57Z

In #60357 we improved the error message when access to perform an
action on an index was denied by including the index name and the
privileges that would grant the action.

This commit extends the second part of that change (the list of
privileges that would resolve the problem) to situations when a
cluster action is denied.

This implementation for cluster privileges is slightly more complex
than that of index privileges because cluster privileges can be
dependent on parameters in the request, not just the action name.
For example, "manage_own_api_key" should be suggested as a matching
privilege when a user attempts to create an API key, or delete their
own API key, but should not be suggested when that same user attempts
to delete another user's API key.

Relates: #42166

In elastic#60357 we improved the error message when access to perform an action on an index was denied by including the index name and the privileges that would grant the action. This commit extends the second part of that change (the list of privileges that would resolve the problem) to situations when a cluster action is denied. This implementation for cluster privileges is slightly more complex than that of index privileges because cluster privileges can be dependent on parameters in the request, not just the action name. For example, "manage_own_api_key" should be suggested as a matching privilege when a user attempts to create an API key, or delete their own API key, but should not be suggested when that same user attempts to delete another user's API key. Relates: elastic#42166

elasticmachine · 2020-12-31T05:20:00Z

Pinging @elastic/es-security (Team:Security)

albertzaharovits

LGTM

tvernum · 2021-01-12T03:40:20Z

@elasticmachine update branch

tvernum · 2021-01-12T06:03:56Z

@elasticmachine run elasticsearch-ci/packaging-sample-windows

14:59:20             > Could not HEAD 'https://api.adoptopenjdk.net/v3/binary/version/jdk-15.0.1+9/windows/x64/jdk/hotspot/normal/adoptopenjdk'. Received status code 503 from server: Service Unavailable

Some actions that start with "indices:" are actually handled by cluster privileges in ES security (e.g. indices:admin/template/*) In elastic#60357 and elastic#66900 we added better context information for the error messages that are generated when an action is denied, but the generation of that message did not correctly classify actions between cluster and index level privileges. This change does 2 things: 1. It fixes the code that determines whether an action is handled by a cluster privilege or an index privilege 2. Includes the words "cluster" and "index" in the error message so that classification is clear to the reader The latter change is not directly related to the issue being resolved, but in the course of fixing the issue it became evident that the message lacked clarity because it did not tell the reader what type of privilege would be needed to resolve the access denied issue. Resolves: elastic#68144

In elastic#60357 we improved the error message when access to perform an action on an index was denied by including the index name and the privileges that would grant the action. This commit extends the second part of that change (the list of privileges that would resolve the problem) to situations when a cluster action is denied. This implementation for cluster privileges is slightly more complex than that of index privileges because cluster privileges can be dependent on parameters in the request, not just the action name. For example, "manage_own_api_key" should be suggested as a matching privilege when a user attempts to create an API key, or delete their own API key, but should not be suggested when that same user attempts to delete another user's API key. Backport of: elastic#66900

Some actions that start with "indices:" are actually handled by cluster privileges in ES security (e.g. indices:admin/template/*) In #60357 and #66900 we added better context information for the error messages that are generated when an action is denied, but the generation of that message did not correctly classify actions between cluster and index level privileges. This change does 2 things: 1. It fixes the code that determines whether an action is handled by a cluster privilege or an index privilege 2. Includes the words "cluster" and "index" in the error message so that classification is clear to the reader The latter change is not directly related to the issue being resolved, but in the course of fixing the issue it became evident that the message lacked clarity because it did not tell the reader what type of privilege would be needed to resolve the access denied issue. Resolves: #68144

In #60357 we improved the error message when access to perform an action on an index was denied by including the index name and the privileges that would grant the action. This commit extends the second part of that change (the list of privileges that would resolve the problem) to situations when a cluster action is denied. This implementation for cluster privileges is slightly more complex than that of index privileges because cluster privileges can be dependent on parameters in the request, not just the action name. For example, "manage_own_api_key" should be suggested as a matching privilege when a user attempts to create an API key, or delete their own API key, but should not be suggested when that same user attempts to delete another user's API key. Backport of: #66900

Some actions that start with "indices:" are actually handled by cluster privileges in ES security (e.g. indices:admin/template/*) In elastic#60357 and elastic#66900 we added better context information for the error messages that are generated when an action is denied, but the generation of that message did not correctly classify actions between cluster and index level privileges. This change does 2 things: 1. It fixes the code that determines whether an action is handled by a cluster privilege or an index privilege 2. Includes the words "cluster" and "index" in the error message so that classification is clear to the reader The latter change is not directly related to the issue being resolved, but in the course of fixing the issue it became evident that the message lacked clarity because it did not tell the reader what type of privilege would be needed to resolve the access denied issue. Backport of: elastic#68260

Some actions that start with "indices:" are actually handled by cluster privileges in ES security (e.g. indices:admin/template/*) In #60357 and #66900 we added better context information for the error messages that are generated when an action is denied, but the generation of that message did not correctly classify actions between cluster and index level privileges. This change does 2 things: 1. It fixes the code that determines whether an action is handled by a cluster privilege or an index privilege 2. Includes the words "cluster" and "index" in the error message so that classification is clear to the reader The latter change is not directly related to the issue being resolved, but in the course of fixing the issue it became evident that the message lacked clarity because it did not tell the reader what type of privilege would be needed to resolve the access denied issue. Backport of: #68260

tvernum added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.12.0 labels Dec 31, 2020

tvernum requested a review from albertzaharovits December 31, 2020 05:19

elasticmachine added the Team:Security Meta label for security team label Dec 31, 2020

tvernum added 3 commits December 31, 2020 17:24

Fix message in API Key Yaml Rest Test

8bdacb3

Fix error message check in Jdbc Test

784505b

Merge branch 'master' into feature/cluster-priv-context-message

1f2751b

albertzaharovits approved these changes Jan 11, 2021

View reviewed changes

Merge branch 'master' into feature/cluster-priv-context-message

042128d

tvernum merged commit 6ed5413 into elastic:master Jan 12, 2021

tvernum added the backport pending label Jan 12, 2021

This was referenced Jan 31, 2021

Auth error for index template APIs doesn't include manage_index_templates cluster priv #68144

Closed

Fix identification of action type in error message #68260

Merged

tvernum mentioned this pull request Feb 1, 2021

[Backport] Add more context to cluster access denied messages #68263

Merged

tvernum removed the backport pending label Feb 3, 2021

tvernum mentioned this pull request Feb 3, 2021

[Backport] Fix identification of action type in error message #68426

Merged

jakelandis added v8.0.0-alpha1 and removed v8.0.0 labels Jul 26, 2021

ywangd mentioned this pull request Aug 12, 2022

[Management] If "All" cluster privileges is selected, allowing unchecked other options is misleading elastic/kibana#18482

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add more context to cluster access denied messages #66900

Add more context to cluster access denied messages #66900

tvernum commented Dec 31, 2020

elasticmachine commented Dec 31, 2020

albertzaharovits left a comment

tvernum commented Jan 12, 2021

tvernum commented Jan 12, 2021

Add more context to cluster access denied messages #66900

Add more context to cluster access denied messages #66900

Conversation

tvernum commented Dec 31, 2020

elasticmachine commented Dec 31, 2020

albertzaharovits left a comment

Choose a reason for hiding this comment

tvernum commented Jan 12, 2021

tvernum commented Jan 12, 2021