Allow enrich_user to read/view enrich indices #100707
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dnhatn
added
>bug
:Security/Authorization
|
Hi @dnhatn, I've created a changelog YAML for you. |
dnhatn
added
Team:Data Management
elasticsearchmachine
removed
the
Team:Data Management
|
Pinging @elastic/es-security (Team:Security) |
|
@jakelandis Thank you so much for the quick review ❤️ |
dnhatn
added a commit
to dnhatn/elasticsearch
that referenced
this pull request
Oct 11, 2023
> Unexpected error from Elasticsearch: security_exception - action [indices:data/read/esql/lookup] is unauthorized for user [guest] with effective roles [enrich_user,esql-read-role] on restricted indices [.enrich-group_lookup-1696927917972], this action is granted by the index privileges [read,all] Currently, the enrich indices (.enrich-*) are restricted system indices managed by the enrich plugin. While the `enrich_user` should not be allowed to manage or write to these indices, they should be allowed to read and view_index_metadata. This is necessary for ESQL; otherwise, ESQL users would require broader privileges to perform enrich in ESQL.
💚 Backport successful
|
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 11, 2023
* Allow enrich_user to read/view enrich indices (#100707) > Unexpected error from Elasticsearch: security_exception - action [indices:data/read/esql/lookup] is unauthorized for user [guest] with effective roles [enrich_user,esql-read-role] on restricted indices [.enrich-group_lookup-1696927917972], this action is granted by the index privileges [read,all] Currently, the enrich indices (.enrich-*) are restricted system indices managed by the enrich plugin. While the `enrich_user` should not be allowed to manage or write to these indices, they should be allowed to read and view_index_metadata. This is necessary for ESQL; otherwise, ESQL users would require broader privileges to perform enrich in ESQL. * compile
dnhatn
added a commit
that referenced
this pull request
Oct 18, 2023
Today, we have a hierarchy of tasks in ESQL designed to leverage the task framework for reporting status and cancellation. ```mermaid flowchart RESTLayer -->| EsqlQueryRequest indices:data/read/esql | ComputeService ComputeService -->| DriverRequest indices:data/read/esql/compute | Driver ComputeService -->| DataNodeRequest indices:data/read/esql/data | DataNode DataNode -->| DriverRequest indices:data/read/esql/compute | Driver Driver -->| LookupRequest indices:data/read/esql/lookup | EnrichLookupService ``` The primary issue here is that `DriverRequest` is neither `IndicesRequest` nor `CompositeIndicesRequest`. Consequently, the Driver is executed within the context of the system user, leading to access indices with the system user. To address this issue, this PR makes `DriverRequest` a `CompositeIndicesRequest` and ensures that the Driver executes within the user's context. With this fix we can now properly capture the response headers when a Driver is yielded and rescheduled. Relates #100707 Relates #99646 Relates #99926 Closes #100164
dnhatn
added a commit
to dnhatn/elasticsearch
that referenced
this pull request
Oct 18, 2023
Today, we have a hierarchy of tasks in ESQL designed to leverage the task framework for reporting status and cancellation. ```mermaid flowchart RESTLayer -->| EsqlQueryRequest indices:data/read/esql | ComputeService ComputeService -->| DriverRequest indices:data/read/esql/compute | Driver ComputeService -->| DataNodeRequest indices:data/read/esql/data | DataNode DataNode -->| DriverRequest indices:data/read/esql/compute | Driver Driver -->| LookupRequest indices:data/read/esql/lookup | EnrichLookupService ``` The primary issue here is that `DriverRequest` is neither `IndicesRequest` nor `CompositeIndicesRequest`. Consequently, the Driver is executed within the context of the system user, leading to access indices with the system user. To address this issue, this PR makes `DriverRequest` a `CompositeIndicesRequest` and ensures that the Driver executes within the user's context. With this fix we can now properly capture the response headers when a Driver is yielded and rescheduled. Relates elastic#100707 Relates elastic#99646 Relates elastic#99926 Closes elastic#100164
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 18, 2023
Today, we have a hierarchy of tasks in ESQL designed to leverage the task framework for reporting status and cancellation. ```mermaid flowchart RESTLayer -->| EsqlQueryRequest indices:data/read/esql | ComputeService ComputeService -->| DriverRequest indices:data/read/esql/compute | Driver ComputeService -->| DataNodeRequest indices:data/read/esql/data | DataNode DataNode -->| DriverRequest indices:data/read/esql/compute | Driver Driver -->| LookupRequest indices:data/read/esql/lookup | EnrichLookupService ``` The primary issue here is that `DriverRequest` is neither `IndicesRequest` nor `CompositeIndicesRequest`. Consequently, the Driver is executed within the context of the system user, leading to access indices with the system user. To address this issue, this PR makes `DriverRequest` a `CompositeIndicesRequest` and ensures that the Driver executes within the user's context. With this fix we can now properly capture the response headers when a Driver is yielded and rescheduled. Relates #100707 Relates #99646 Relates #99926 Closes #100164
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, the enrich indices (.enrich-*) are restricted system indices managed by the enrich plugin. While the
enrich_usershould not be allowed to manage or write to these indices, they should be allowed to read and view_index_metadata. This is necessary for ESQL; otherwise, ESQL users would require broader privileges to perform enrich in ESQL.