ILM policy Rollover action fails in case alias points to more than one index #40831

@bizybot

Elasticsearch version (bin/elasticsearch --version): 6.6.2

Description of the problem including expected versus actual behavior:
Rollover action via ILM fails with unauthorized access when the user does
not have access to the concrete index but only to the alias.
This only happens when is_write_index is true, that is, after the rollover
we can have a rolled-over index with the same alias.

The authorization check fails because IndicesAndAliasesResolver#getPutMappingIndexOrAlias filters
out the alias name, as it has multiple indices associated with it. For multiple indices for the given alias, we should check if there is only one write index associated with it instead of a simple size check.

Optional<String> foundAlias = aliasMetaData.stream()
    .map(AliasMetaData::alias)
    .filter(authorizedIndicesList::contains)
    .filter(aliasName -> metaData.getAliasAndIndexLookup().get(aliasName).getIndices().size() == 1)
    .findFirst();

Expected behavior:
The rollover action should succeed resulting in successful policy run.

Actual behavior:
Fails with

action [indices:admin/mapping/put] is unauthorized for user [test_user]

Steps to reproduce:

  • Create ILM policy
PUT /_ilm/policy/foo-policy
{
  "policy" : {
    "phases" : {
      "hot" : {
        "min_age": "0ms",
        "actions" : {
          "rollover" : {
            "max_docs" : 2
          }
        }
      }
    }
  }
}
  • Put Index template
PUT /_template/foo-template
{
  "index_patterns": ["foo-logs-*"],
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0,
    "index.lifecycle.name": "foo-policy",
    "index.lifecycle.rollover_alias": "foo_alias"
  }
}
  • Create an index with alias
PUT /foo-logs-000001
{
  "aliases": {
    "foo_alias" : { "is_write_index": true }
  }
}
  • Create a user with a role
PUT /_xpack/security/user/ufoo '{ "password": "foobar", "roles" : [ "foo_role" ]  }'

PUT /_xpack/security/role/foo_role '{ "cluster": [ "all" ], "indices": [ { "names": ["foo_alias"], "privileges": ["write", "manage"] } ] }'
  • Index some documents using the created user (ufoo) such that the ILM policy gets triggered
POST /foo_alias/_doc '{ "field" : "foo" }'
POST /foo_alias/_doc '{ "field" : "foo" }'
  • Verify new index exists
GET /foo-logs-000002
  • Try to index using alias
POST /foo_alias/_doc '{ "field" : "foo" }'

Fails with:

action [indices:admin/mapping/put] is unauthorized for user [ufoo]
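
The alias filter discussed in this issue, modelled as an added example that is not part of the original report and is not Elasticsearch's code: it runs the quoted size check and a write-index-aware check against the alias state before and after the rollover from the reproduction steps. The class, the map layout and the method names are hypothetical stand-ins for the cluster metadata, and requiring the single write index to be the index targeted by the put-mapping request is an assumption added here.

```java
import java.util.*;
import java.util.function.BiPredicate;

public class PutMappingAliasCheck {
    // Hypothetical stand-in for cluster metadata: alias -> (index -> is_write_index).
    static final Map<String, Map<String, Boolean>> LOOKUP = new HashMap<>();

    // Check as quoted in the issue: the alias qualifies only if it points at one index.
    static boolean sizeCheck(String alias, String concreteIndex) {
        return LOOKUP.get(alias).size() == 1;
    }

    // Check the issue asks for: with several indices, accept an alias that has exactly
    // one write index. Assumption added here: that index must be the request target.
    static boolean writeIndexCheck(String alias, String concreteIndex) {
        Map<String, Boolean> indices = LOOKUP.get(alias);
        if (indices.size() == 1) return true;
        List<String> writers = new ArrayList<>();
        indices.forEach((name, isWrite) -> { if (isWrite) writers.add(name); });
        return writers.size() == 1 && writers.get(0).equals(concreteIndex);
    }

    // Mirrors the stream in the issue: aliases of the concrete index, restricted to
    // names the user is authorized for, then filtered by the chosen check.
    static Optional<String> findAlias(String concreteIndex, Set<String> authorized,
                                      BiPredicate<String, String> check) {
        return LOOKUP.entrySet().stream()
            .filter(e -> e.getValue().containsKey(concreteIndex))
            .map(Map.Entry::getKey)
            .filter(authorized::contains)
            .filter(alias -> check.test(alias, concreteIndex))
            .findFirst();
    }

    public static void main(String[] args) {
        Set<String> authorized = Set.of("foo_alias"); // role from the issue: alias only
        Map<String, Boolean> fooAlias = new LinkedHashMap<>();
        fooAlias.put("foo-logs-000001", true);
        LOOKUP.put("foo_alias", fooAlias);
        BiPredicate<String, String> size = PutMappingAliasCheck::sizeCheck;
        BiPredicate<String, String> write = PutMappingAliasCheck::writeIndexCheck;
        System.out.println("before rollover, size check:  " + findAlias("foo-logs-000001", authorized, size));
        // State after rollover: the alias spans two indices, the new one is the write index.
        fooAlias.put("foo-logs-000001", false);
        fooAlias.put("foo-logs-000002", true);
        System.out.println("after rollover, size check:   " + findAlias("foo-logs-000002", authorized, size));
        System.out.println("after rollover, write check:  " + findAlias("foo-logs-000002", authorized, write));
        System.out.println("old index, write check:       " + findAlias("foo-logs-000001", authorized, write));
    }
}
```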
