Alias permissions on index_pattern else than "*" possible?

faxmodem · September 28, 2020, 8:36am

Hi,

I’m unable to restrict the permission indices:admin/aliases/get to foo-*.
If I do this, I get an no permissions for [indices:admin/aliases/get] exception.

sg_role_config:

If I only grant access to some indices, I get the exception:

        query_bot:
          tenant_permissions: []
          cluster_permissions:
            - SGS_CLUSTER_COMPOSITE_OPS_RO
            - SGS_CLUSTER_MONITOR
            - "indices:admin/aliases/get"
          index_permissions:
            - index_patterns:
                - 'foo-*'
              allowed_actions:
                - SGS_READ
                - SGS_SEARCH
                - "indices:admin/aliases/get"

If I grant permissions to all indices, it works:

        query_bot:
          tenant_permissions: []
          cluster_permissions:
            - SGS_CLUSTER_COMPOSITE_OPS_RO
            - SGS_CLUSTER_MONITOR
            - "indices:admin/aliases/get"
          index_permissions:
            - index_patterns:
                - 'foo-*'
              allowed_actions:
                - SGS_READ
                - SGS_SEARCH
            - index_patterns:
                - '*'
              allowed_actions:
                - "indices:admin/aliases/get"

cstaley · September 28, 2020, 9:50am

I am assuming that you are trying to use the indices:admin/aliases/get action with a wildcard which also matches indexes the user does not have access to?

In the default configuration, Search Guard does only check whether users have all permissions to execute a given request. It does not modify the request to include only the resources the user has access to.

To a certain extent, such filtering is however done when do_not_fail_on_forbidden is enabled. Then, Search Guard will try to remove indexes a user has no access to from the request.

Unfortunately, the do_not_fail_on_forbidden feature is right now only supported for these actions:

indices:data/read/*
indices:admin/mappings/fields/get
indices:admin/shards/search_shards
indices:admin/resolve/index

For all other actions, the operation will fail if there are no permissions for all indices in the request.

We will look into supporting further actions. However, this often requires separate consideration for each action type; thus, this can take some time.

faxmodem · September 28, 2020, 3:04pm

Thanks for the detailed explanation.
Please put this into the documentation, that would be awesome!

system · October 19, 2020, 3:04pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Denying access to creating aliases Search Guard	2	552	September 28, 2017
Exclude Role from Access to Multiple Indices Search Guard	5	1078	August 13, 2020
Blacklist Indices Search Guard	5	579	May 24, 2019
How to allow access to all indices except one? Search Guard	3	631	December 4, 2018
Sgs_cluster_manage_index this doesn't have permission when the specific index pattern is configured as 'log-test'. But the same works when index pattern is configured as '' Search Guard	6	365	March 11, 2021

Alias permissions on index_pattern else than "*" possible?

sg_role_config:

Related Topics