Hello,
I have a Search Guard user which has access to all indices in the cluster except “investor”; if I submit the following msearch request:
curl -k -u noinvestor:password -XPOST https://localhost:9235/_msearch?pretty -d '
{"index":"company", "ignore_unavailable": true}
{"size":0,"query":{"bool":{"must":{"match_all":{}},"must_not":[],"filter":{"bool":{"must":[{"range":{"founded_date":{"gte":-3256530944000,"lte":1477065856000,"format":"epoch_millis"}}}]}}}}}
{"index":["investor"], "ignore_unavailable": true}
{"size":0,"query":{"bool":{"must":{"match_all":{}},"must_not":[],"filter":{"bool":{"must":[]}}}}}
'
I get the following response:
{
"error" : {
"root_cause" : [ {
"type" : "security_exception",
"reason" : "no permissions for indices:data/read/msearch"
} ],
"type" : "security_exception",
"reason" : "no permissions for indices:data/read/msearch"
},
"status" : 403
}
Would it be feasible/sensible to return an error response only for the searches on unauthorized indices? e.g.:
{
"responses" : [ {
"took" : 9,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 619008,
"max_score" : 0.0,
"hits" : [ ]
}
}, {
"error" : {
"root_cause" : [ {
"type" : "security_exception",
"reason" : "no permissions for indices:data/read/msearch"
} ],
"type" : "security_exception",
"reason" : "no permissions for indices:data/read/msearch"
},
"status" : 403
} ]
}
This kind of behaviour would be especially useful in Kibi/Kibana where all the searches generated by a dashboard are submitted as a single msearch request.
For comparison, Shield behaves in the same way, returning a single error response if at least one of the searches is not authorized.
Note that if you send an msearch containing an invalid query, you will still get the valid responses in the output, e.g.:
curl -k -u noinvestor:password -XPOST https://localhost:9235/_msearch?pretty -d '
{"index":"company", "ignore_unavailable": true}
{"size":0, "query":{"bool":{"must":{"match_all":{}}}}}
{"index":["company"], "ignore_unavailable": true}
{"size":-1, "query":{"bool":{"must":{"match_all":{}}}}}
'
{
"responses" : [ {
"took" : 1,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 160106,
"max_score" : 0.0,
"hits" : [ ]
}
}, {
"error" : {
"root_cause" : [ {
"type" : "search_parse_exception",
"reason" : "size is set to [-1] and is expected to be higher or equal to 0",
"line" : 1,
"col" : 2
} ],
"type" : "search_phase_execution_exception",
"reason" : "all shards failed",
"phase" : "query",
"grouped" : true,
"failed_shards" : [ {
"shard" : 0,
"index" : "company",
"node" : "TCBl84UMSiq6aiEq8lUSOA",
"reason" : {
"type" : "search_parse_exception",
"reason" : "size is set to [-1] and is expected to be higher or equal to 0",
"line" : 1,
"col" : 2
}
} ]
}
} ]
}
Cheers,
Fabio
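
The per-search error behaviour requested in the post above can be approximated on the client side. The following is an added example, not part of the original post and not Search Guard, Shield or Kibi code: when the whole batch is rejected with a security_exception, it resends each search on its own and merges the results into one "responses" array. The names `msearch_per_item`, `split_msearch` and `send` are hypothetical, and `fake_send` with `SAMPLE_BODY` is a constructed stand-in for the cluster that mimics the 403 shown in the post.

```python
import json

def split_msearch(body):
    """Split an NDJSON _msearch body into (header, query) line pairs."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("msearch body must be header/query line pairs")
    return list(zip(lines[0::2], lines[1::2]))

def msearch_per_item(body, send):
    """Send the batch; if the whole request is denied, retry each search
    alone so one unauthorized index does not hide the other results.
    send(ndjson) -> dict is a hypothetical transport supplied by the caller."""
    resp = send(body)
    err = resp.get("error")
    if not (isinstance(err, dict) and err.get("type") == "security_exception"):
        return resp  # normal response, or an error that a retry would not help
    merged = []
    for header, query in split_msearch(body):
        single = send(header + "\n" + query + "\n")
        if "responses" in single:
            merged.append(single["responses"][0])
        else:  # keep the denial in the slot of the search that caused it
            merged.append({"error": single.get("error"),
                           "status": single.get("status")})
    return {"responses": merged}

def fake_send(ndjson):
    """Constructed stand-in for the cluster: rejects the whole request
    with 403 if any header names the 'investor' index."""
    denied = {"type": "security_exception",
              "reason": "no permissions for indices:data/read/msearch"}
    pairs = split_msearch(ndjson)
    for header, _ in pairs:
        idx = json.loads(header).get("index")
        idx = idx if isinstance(idx, list) else [idx]
        if "investor" in idx:
            return {"error": {"root_cause": [denied], **denied}, "status": 403}
    hit = {"timed_out": False, "hits": {"total": 0, "hits": []}}
    return {"responses": [dict(hit) for _ in pairs]}

# Constructed sample batch: one permitted search, one on the denied index.
SAMPLE_BODY = ('{"index":"company", "ignore_unavailable": true}\n'
               '{"size":0,"query":{"match_all":{}}}\n'
               '{"index":["investor"], "ignore_unavailable": true}\n'
               '{"size":0,"query":{"match_all":{}}}\n')
```

The retry costs one extra request per search and only runs after a whole-batch denial, so authorized dashboards pay nothing.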