Why does SG need the cluster permission indices:data/read/scroll when I try _delete_by_query?

System information:

  • Operating System: CentOS 7.4
  • Software:
    • ElasticSearch version: 5.6.3-1
    • SearchGuard version: 5.6.3-16
    • JVM version: 8u144

I have a user with all permissions on the indexes "index*", namely "index_admin". The configuration looks like this:

sg_roles.yml:
  index_all:
    indices:
      'index*':
        '*':
          - INDICES_ALL

sg_roles_mapping.yml:
  index_all:
    users:
      - index_admin

I try to execute the following query:
curl -XPOST -u spir_admin 'localhost:9200/index/material/_delete_by_query' -H 'Content-Type: application/json' -d'
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "create_date": {
              "gte": 1451595600,
              "lte": 1507582799
            }
          }
        }
      ]
    }
  }
}
'

For this query ElasticSearch returned me this error:
{
  "error":{
    "root_cause":[{
      "type":"security_exception",
      "reason":"no permissions for indices:data/read/scroll"
    }],
    "type":"security_exception",
    "reason":"no permissions for indices:data/read/scroll"},
  "status":403
}

I turned on debug logging in SearchGuard and saw that SG requests the index '_all':
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=index_admin, roles=]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/scroll/clear from 10.111.146.128:48922
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.search.ClearScrollRequest is not an IndicesRequest
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=*]]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for index_admin: [sg_own_index, sg_public, spir_all]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_own_index
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/msearch, indices:data/read/coordinate-msearch*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for 'sg_own_index' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:admin/aliases/exists*, indices:data/read/msearch, cluster:monitor/main, indices:data/read/coordinate-msearch*, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for 'sg_public' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: index_all
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[cluster:monitor/*]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for 'index_all' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=index_admin, roles=] [IndexType [index=_all, type=*]] [Action [indices:data/read/scroll/clear]] [RolesChecked [sg_own_index, sg_public, index_all]]
[2017-10-25T18:19:42,446][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}
[2017-10-25T18:19:42,446][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/scroll/clear
[2017-10-25T18:19:42,446][WARN ][o.e.i.r.TransportDeleteByQueryAction] [elk] Failed to clear scroll [DnF1ZXJ5VGhlbkZldGNoBQAAAAAAAAFqFjBrcWt6cTlmUXAyT3llcGxjUGpmX0EAAAAAAAABaRYwa3FrenE5ZlFwMk95ZXBsY1BqZl9BAAAAAAAAAWsWMGtxa3pxOWZRcDJPeWVwbGNQamZfQQAAAAAAAAFsFjBrcWt6cTlmUXAyT3llcGxjUGpmX0EAAAAAAAABbRYwa3FrenE5ZlFwMk95ZXBsY1BqZl9B]

When I added the cluster permission indices:data/read/scroll, it works!

Why? Why does SG require a cluster permission for _delete_by_query? And what does that permission do?
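The role above with the fix the poster describes applied, as an added example; it is not the poster's file and not Search Guard's documentation. It assumes the Search Guard 5 sg_roles.yml layout in which a `cluster:` list holds cluster-level action permissions and entries are matched as wildcards, so `indices:data/read/scroll*` is assumed to cover both `indices:data/read/scroll` (the action named in the 403) and `indices:data/read/scroll/clear` (the action in the debug log). The reason the index-level INDICES_ALL on `index*` does not help is visible in the log: _delete_by_query walks its matches with a scroll, the scroll and clear-scroll requests carry a scroll ID rather than index names (`ClearScrollRequest is not an IndicesRequest`), so Search Guard resolves them to `_all` and evaluates them only against the role's cluster actions, which were just `cluster:monitor/*`.

```yaml
# Added example of a Search Guard 5 role (assumed format), not the poster's configuration.

# Before: index-level permissions only. delete_by_query scrolls through the
# matching documents; the scroll requests are not tied to an index, so they are
# checked at cluster level, where this role has nothing beyond cluster:monitor/*
# (see the debug log) -> "no permissions for indices:data/read/scroll", 403.
index_all_before:
  indices:
    'index*':
      '*':
        - INDICES_ALL

# After: grant the scroll actions at cluster level. The trailing wildcard is an
# assumption meant to cover indices:data/read/scroll (the reported error) and
# indices:data/read/scroll/clear (the "Failed to clear scroll" warning).
# A scroll grant is necessarily cluster-wide, so keep it on a role that is
# mapped only to users who already hold read access through index permissions;
# a scroll ID can only be obtained from a search that was itself permitted.
index_all:
  cluster:
    - indices:data/read/scroll*
  indices:
    'index*':
      '*':
        - INDICES_ALL
```

Only the `index_all` role is meant to be kept; `index_all_before` is shown for comparison. After editing sg_roles.yml the configuration has to be uploaded to the cluster again with sgadmin (the poster's command line for that is not on the page).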

see https://github.com/floragunncom/search-guard/issues/377


On 26.10.2017 at 09:29, Alexey Chernyaev <a.u.chernyaev@gmail.com> wrote:


--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/baeee5b4-f650-4bf4-8e12-e88e1041c7b6%40googlegroups.com.