Exclude Index Permissions masks index from other roles with access

TL;DR

Using an index exclusion in one role also masks the index from another role, which would otherwise grant access.

Version

Elastic Stack 7.10.2 with Search Guard 49.0.0

Issue

Background

I have a basic user group, which allows our standard level of user access to indices. I also have a second user group, which allows admin access, via membership in the SGS_ALL_ACCESS role. We use SAML authentication, via ADFS. Because of the way AD is configured in our environment, all admins are also members of the basic user group.

The Issue

Because exclusion appears to operate on a least-privilege basis, when an index exclusion is added to the basic user group via exclude_index_permissions, it also prevents the admin group, or any other group that should have access to the index, from viewing it.

To Replicate

  1. Create an index exclusion in the user group granting basic access (i.e., SGS_READ, SGS_SEARCH) to indices.

  2. Purge the permissions cache, if created from within the Kibana UI.

  3. Attempt to view or search the excluded index from an account that is a member of both the excluded group and a group that should be able to view the index (i.e., an account with SGS_ALL_ACCESS).

Hi Doug!

Right now, the behaviour you are observing is by design. Permissions are always evaluated independently of the roles; this means that first, the union of all permissions and permission exclusions is determined; based on this union, all the privilege evaluation is performed.

This allows role-spanning use of privileges when two privileges are necessary at the same time (example: bulk actions). Also, this has some performance advantages.

We might look at creating a more expressive way to specify precedence of privileges. The most expressive way would be however quite complicated and have performance penalties (compare for example CSS rule precedence).

Would you have any suggestion on how to handle your requirement?

What does your basic user group look like? Possibly, your requirement can be achieved by using more complex index patterns?

I suspected as much, since I can tell that least-privilege is used.

At the moment, no.

This is how I’ve been handling it, until I saw the exclude_index_permissions and decided to try it:

MY_ROLE_NAME:
  index_permissions:
    - index_patterns:
        # regex pattern (slash-delimited); the negative lookahead matches every
        # index name that does not start with foo-, bar- or baz-
        - '/^(?!foo-|bar-|baz-).*/'
      ...

This works just fine and excludes the indices I expect to see excluded. I was just hoping to do it more easily. :grin:
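The following is an added example, not code from the thread or from Search Guard itself. It models the evaluation order described in the reply above (all grants and all exclusions from every role are collected first, then a single evaluation is made against that union) and runs both approaches from this thread against it: the exclude_index_permissions approach from the original post, and the negative-lookahead index pattern workaround. Role names other than SGS_ALL_ACCESS, the action names, the index names and the simplified action matching (no action-group expansion) are all constructed for the example; the field names follow the roles configuration layout used in the thread.

```python
import re
from fnmatch import fnmatchcase

# Constructed example roles. Field names follow the Search Guard roles
# configuration (index_permissions / exclude_index_permissions) as used in the
# thread; action-group expansion is left out, so actions are compared by name.
ROLES = {
    # Stand-in for SGS_ALL_ACCESS: every index, every action modelled here.
    "SGS_ALL_ACCESS": {
        "index_permissions": [
            {"index_patterns": ["*"],
             "allowed_actions": ["SGS_READ", "SGS_SEARCH", "SGS_WRITE"]}
        ],
        "exclude_index_permissions": [],
    },
    # Basic role using exclude_index_permissions (the approach from the question).
    "BASIC_WITH_EXCLUDE": {
        "index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": ["SGS_READ", "SGS_SEARCH"]}
        ],
        "exclude_index_permissions": [
            {"index_patterns": ["foo-*", "bar-*", "baz-*"],
             "actions": ["SGS_READ", "SGS_SEARCH"]}
        ],
    },
    # Basic role using the negative-lookahead index pattern instead (the workaround).
    "BASIC_WITH_REGEX": {
        "index_permissions": [
            {"index_patterns": ["/^(?!foo-|bar-|baz-).*/"],
             "allowed_actions": ["SGS_READ", "SGS_SEARCH"]}
        ],
        "exclude_index_permissions": [],
    },
}


def pattern_matches(pattern: str, index: str) -> bool:
    """A pattern written as '/.../' is treated as a regex, anything else as a wildcard glob."""
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], index) is not None
    return fnmatchcase(index, pattern)


def is_allowed(role_names, index: str, action: str) -> bool:
    """Union-then-evaluate, as described in the reply: every grant and every
    exclusion from every role is collected first, so one exclusion wins over a
    grant coming from any other role the user holds."""
    granted = False
    excluded = False
    for name in role_names:
        role = ROLES[name]
        for perm in role["index_permissions"]:
            if action in perm["allowed_actions"] and any(
                pattern_matches(p, index) for p in perm["index_patterns"]
            ):
                granted = True
        for excl in role["exclude_index_permissions"]:
            if action in excl["actions"] and any(
                pattern_matches(p, index) for p in excl["index_patterns"]
            ):
                excluded = True
    return granted and not excluded


if __name__ == "__main__":
    # Constructed users: an admin who is also in the basic group, as in the thread.
    admin_with_exclude = ["SGS_ALL_ACCESS", "BASIC_WITH_EXCLUDE"]
    admin_with_regex = ["SGS_ALL_ACCESS", "BASIC_WITH_REGEX"]
    print(is_allowed(["BASIC_WITH_EXCLUDE"], "foo-1", "SGS_SEARCH"))  # False, as intended
    print(is_allowed(admin_with_exclude, "foo-1", "SGS_SEARCH"))      # False: exclusion masks the admin grant
    print(is_allowed(admin_with_regex, "foo-1", "SGS_SEARCH"))        # True: admin grant is not masked
    print(is_allowed(["BASIC_WITH_REGEX"], "foo-1", "SGS_SEARCH"))    # False: basic user still cannot see it
    print(is_allowed(["BASIC_WITH_REGEX"], "logs-2021", "SGS_SEARCH"))  # True
```

The difference between the two basic roles is that the regex variant never grants foo-*, bar-* or baz-* in the first place, so there is nothing in the union that could mask the SGS_ALL_ACCESS grant, whereas the exclusion variant contributes an exclusion to the union that applies regardless of which role granted the access.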