Why SG need cluster permissions indices:data/read/scroll when I try _delete_by_query

Alexey_Chernyaev · October 26, 2017, 7:29am

System information:

Operating System: CentOS 7.4
Software:
- ElasticSearch version: 5.6.3-1
- SearchGuard version: 5.6.3-16
- JVM version: 8u144

I have user with all permission on indexes “index*” and namely “index_admin”. Configuration looks like this:

sg_roles.yml:
index_all:
indices:
‘index*’:
‘*’:
- INDICES_ALL

``

sg_roles_mapping.yml
index_all:
users:
- index_admin

``

I try execute next query:
curl -XPOST -u spir_admin ‘localhost:9200/index/material/_delete_by_query’ -H ‘Content-Type: application/json’ -d’
{
“query”: {
“bool”: {
“filter”: [
{
“range”: {
“create_date”: {
“gte”: 1451595600,
“lte”: 1507582799
}
}
}
]
}
}
}
’

``

On this query ElasticSearch returned me error:
{
“error”:{
“root_cause”:[{
“type”:“security_exception”,
“reason”:“no permissions for indices:data/read/scroll”
}],
“type”:“security_exception”,
“reason”:“no permissions for indices:data/read/scroll”},
“status”:403
}

``

I turned on debug in SearchGuard and I seen, SG try requested index ‘_all’:
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=index_admin, roles=]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/scroll/clear from 10.111.146.128:48922
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.search.ClearScrollRequest is not an IndicesRequest
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=]]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for index_admin: [sg_own_index, sg_public, spir_all]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_own_index
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:admin/aliases/exists, indices:admin/aliases*, indices:data/read/msearch, indices:data/read/coordinate-msearch*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for ‘sg_own_index’ and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:admin/aliases/exists*, indices:data/read/msearch, cluster:monitor/main, indices:data/read/coordinate-msearch*, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for ‘sg_public’ and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: index_all
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[cluster:monitor/]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for ‘index_all’ and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=index_admin, roles=[]] [IndexType [index=_all, type=]] [Action [indices:data/read/scroll/clear]] [RolesChecked [sg_own_index, sg_public, index_all]]
[2017-10-25T18:19:42,446][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}
[2017-10-25T18:19:42,446][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/scroll/clear
[2017-10-25T18:19:42,446][WARN ][o.e.i.r.TransportDeleteByQueryAction] [elk] Failed to clear scroll [DnF1ZXJ5VGhlbkZldGNoBQAAAAAAAAFqFjBrcWt6cTlmUXAyT3llcGxjUGpmX0EAAAAAAAABaRYwa3FrenE5ZlFwMk95ZXBsY1BqZl9BAAAAAAAAAWsWMGtxa3pxOWZRcDJPeWVwbGNQamZfQQAAAAAAAAFsFjBrcWt6cTlmUXAyT3llcGxjUGpmX0EAAAAAAAABbRYwa3FrenE5ZlFwMk95ZXBsY1BqZl9B]

``

When I added cluster permission indices:data/read/scroll - it works!

Why? Why SG require cluster permission for _delete_by_query? And what that permission does?

searchguard_google_group · October 28, 2017, 8:27pm

see https://github.com/floragunncom/search-guard/issues/377

···

Am 26.10.2017 um 09:29 schrieb Alexey Chernyaev <a.u.chernyaev@gmail.com>:

System information:
  * Operating System: CentOS 7.4
  Software:
    * ElasticSearch version: 5.6.3-1
    * SearchGuard version: 5.6.3-16
    * JVM version: 8u144

I have user with all permission on indexes "index*" and namely "index_admin". Configuration looks like this:

sg_roles.yml:
  index_all:
    indices:
      'index*':
        '*':
          - INDICES_ALL

sg_roles_mapping.yml
  index_all:
    users:
      - index_admin

I try execute next query:
curl -XPOST -u spir_admin 'localhost:9200/index/material/_delete_by_query' -H 'Content-Type: application/json' -d'
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "create_date": {
              "gte": 1451595600,
              "lte": 1507582799
            }
          }
        }
      ]
    }
  }
}
'

On this query ElasticSearch returned me error:
{
  "error":{
    "root_cause":[{
      "type":"security_exception",
      "reason":"no permissions for indices:data/read/scroll"
    }],
    "type":"security_exception",
    "reason":"no permissions for indices:data/read/scroll"},
  "status":403
}

I turned on debug in SearchGuard and I seen, SG try requested index '_all':
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=index_admin, roles=]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/scroll/clear from 10.111.146.128:48922
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.search.ClearScrollRequest is not an IndicesRequest
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=*]]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for index_admin: [sg_own_index, sg_public, spir_all]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_own_index
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/msearch, indices:data/read/coordinate-msearch*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for 'sg_own_index' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:admin/aliases/exists*, indices:data/read/msearch, cluster:monitor/main, indices:data/read/coordinate-msearch*, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for 'sg_public' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: index_all
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[cluster:monitor/*]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] not match found a match for 'index_all' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=index_admin, roles=] [IndexType [index=_all, type=*]] [Action [indices:data/read/scroll/clear]] [RolesChecked [sg_own_index, sg_public, index_all]]
[2017-10-25T18:19:42,446][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}
[2017-10-25T18:19:42,446][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/scroll/clear
[2017-10-25T18:19:42,446][WARN ][o.e.i.r.TransportDeleteByQueryAction] [elk] Failed to clear scroll [DnF1ZXJ5VGhlbkZldGNoBQAAAAAAAAFqFjBrcWt6cTlmUXAyT3llcGxjUGpmX0EAAAAAAAABaRYwa3FrenE5ZlFwMk95ZXBsY1BqZl9BAAAAAAAAAWsWMGtxa3pxOWZRcDJPeWVwbGNQamZfQQAAAAAAAAFsFjBrcWt6cTlmUXAyT3llcGxjUGpmX0EAAAAAAAABbRYwa3FrenE5ZlFwMk95ZXBsY1BqZl9B]

When I added cluster permission indices:data/read/scroll - it works!

Why? Why SG require cluster permission for _delete_by_query? And what that permission does?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/baeee5b4-f650-4bf4-8e12-e88e1041c7b6%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

Topic		Replies	Views
Query regarding scroll and clear permission Search Guard	11	3627	February 1, 2021
no permissions for indices:data/read/mget indices:data/write/bulk Search Guard	2	632	May 9, 2017
Cluster level permissions needed for CSV export Search Guard	3	1679	September 15, 2020
Permissions issue when using _search/scroll and clear Search Guard	9	4828	November 7, 2019
no permissions for [indices:monitor/settings/get] and User [name=curator, roles=[], requestedTenant= Search Guard	2	4538	March 27, 2019

Why SG need cluster permissions indices:data/read/scroll when I try _delete_by_query

Related topics