Why does SG need cluster permissions indices:data/read/scroll when I try _delete_by_query


Alexey Chernyaev

Oct 26, 2017, 3:29:27 AM
to Search Guard Community Forum
System information:
  * Operating System: CentOS 7.4
  Software:
    * ElasticSearch version: 5.6.3-1
    * SearchGuard version: 5.6.3-16
    * JVM version: 8u144

I have a user with all permissions on indexes "index*", namely "index_admin". The configuration looks like this:

sg_roles.yml:
  index_all:
    indices:
      'index*':
        '*':
          - INDICES_ALL

sg_roles_mapping.yml:
  index_all:
    users:
      - index_admin

I try to execute the following query:
curl -XPOST -u spir_admin 'localhost:9200/index/material/_delete_by_query' -H 'Content-Type: application/json' -d'
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "create_date": {
              "gte": 1451595600,
              "lte": 1507582799
            }
          }
        }
      ]
    }
  }
}
'

For this query Elasticsearch returned this error:
{
  "error": {
    "root_cause": [{
      "type": "security_exception",
      "reason": "no permissions for indices:data/read/scroll"
    }],
    "type": "security_exception",
    "reason": "no permissions for indices:data/read/scroll"
  },
  "status": 403
}

I turned on debug in SearchGuard and I saw that SG tries to request index '_all':
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=index_admin, roles=[]]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/scroll/clear from 10.111.146.128:48922
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.search.ClearScrollRequest is not an IndicesRequest
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=*]]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for index_admin: [sg_own_index, sg_public, spir_all]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_own_index
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator]   resolved cluster actions:[indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/msearch, indices:data/read/coordinate-msearch*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator]   not match found a match for 'sg_own_index' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator]   resolved cluster actions:[indices:admin/aliases/exists*, indices:data/read/msearch, cluster:monitor/main, indices:data/read/coordinate-msearch*, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator]   not match found a match for 'sg_public' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: index_all
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator]   resolved cluster actions:[cluster:monitor/*]
[2017-10-25T18:19:42,446][DEBUG][c.f.s.c.PrivilegesEvaluator]   not match found a match for 'index_all' and indices:data/read/scroll/clear, check next role
[2017-10-25T18:19:42,446][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=index_admin, roles=[]] [IndexType [index=_all, type=*]] [Action [indices:data/read/scroll/clear]] [RolesChecked [sg_own_index, sg_public, index_all]]
[2017-10-25T18:19:42,446][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}
[2017-10-25T18:19:42,446][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/scroll/clear
[2017-10-25T18:19:42,446][WARN ][o.e.i.r.TransportDeleteByQueryAction] [elk] Failed to clear scroll [DnF1ZXJ5VGhlbkZldGNoBQAAAAAAAAFqFjBrcWt6cTlmUXAyT3llcGxjUGpmX0EAAAAAAAABaRYwa3FrenE5ZlFwMk95ZXBsY1BqZl9BAAAAAAAAAWsWMGtxa3pxOWZRcDJPeWVwbGNQamZfQQAAAAAAAAFsFjBrcWt6cTlmUXAyT3llcGxjUGpmX0EAAAAAAAABbRYwa3FrenE5ZlFwMk95ZXBsY1BqZl9B]


When I added cluster permission indices:data/read/scroll - it works!

Why? Why does SG require a cluster permission for _delete_by_query? And what does that permission do?
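
Added example, not part of the original post and not Search Guard's own code: a small Python check over lines abridged from the debug output above. It lists each role's resolved cluster actions and tests whether any pattern covers the requested action. Matching with `fnmatchcase` is an assumption standing in for Search Guard's wildcard matching, and the `extra` grants are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Abridged from the debug output in the post above (timestamps dropped).
SAMPLE_LOG = """\
[DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/scroll/clear from 10.111.146.128:48922
[DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.search.ClearScrollRequest is not an IndicesRequest
[DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public
[DEBUG][c.f.s.c.PrivilegesEvaluator]   resolved cluster actions:[indices:data/read/msearch, cluster:monitor/main, indices:data/read/mget]
[DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: index_all
[DEBUG][c.f.s.c.PrivilegesEvaluator]   resolved cluster actions:[cluster:monitor/*]
"""

REQ = re.compile(r"requested (\S+) from ")
ROLE = re.compile(r"evaluate sg_role: (\S+)")
ACTIONS = re.compile(r"resolved cluster actions:\[(.*)\]")

def parse(log):
    """Return (requested_action, {role: [cluster action patterns]})."""
    action, roles, current = None, {}, None
    for line in log.splitlines():
        if m := REQ.search(line):
            action = m.group(1)
        elif m := ROLE.search(line):
            current = m.group(1)
            roles[current] = []
        elif (m := ACTIONS.search(line)) and current:
            roles[current] = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return action, roles

def granting_roles(action, roles, extra=None):
    """Roles whose cluster patterns match the action; `extra` adds hypothetical grants."""
    merged = {r: list(p) for r, p in roles.items()}
    for role, patterns in (extra or {}).items():
        merged.setdefault(role, []).extend(patterns)
    return sorted(r for r, pats in merged.items()
                  if any(fnmatchcase(action, p) for p in pats))
```

An empty result from `granting_roles` corresponds to the "No cluster-level perm match" line in the log; index-level grants such as INDICES_ALL on 'index*' are not consulted by this check.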

SG

Oct 28, 2017, 4:27:21 PM
to search...@googlegroups.com
see https://github.com/floragunncom/search-guard/issues/377