Skip to content

Exceptions during authorization can be hidden #49999

New issue
New issue
Open
Open
Exceptions during authorization can be hidden#49999
Assignees
albertzaharovits
Labels
:Security/AuthorizationRoles, Privileges, DLS/FLS, RBAC/ABAC>bugTeam:SecurityMeta label for security team
@jaymode

Description

@jaymode
jaymode
opened on Dec 9, 2019

In the introduction of support for authorization engines (#38358), the authorization code was changed to support asynchronous authorization calls. In one of the changed blocks of code an exception could get hidden and the user will only get a 403 Access Denied error without any clue into what caused this.

To reproduce this specific scenario:

  • Use run as
    • The authenticated user may have a simple role
    • The run as user needs to have a complex role combination that will trigger a TooComplexToDeterminize exception (or some other way to cause an exception)

See the following block of code:

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java

Lines 206 to 225 in 12e1bc4

ActionListener<AuthorizationResult> runAsListener = wrapPreservingContext(ActionListener.wrap(result -> {
if (result.isGranted()) {
if (result.isAuditable()) {
auditTrail.runAsGranted(requestId, authentication, action, request,
authzInfo.getAuthenticatedUserAuthorizationInfo());
}
authorizeAction(requestInfo, requestId, authzInfo, listener);
} else {
if (result.isAuditable()) {
auditTrail.runAsDenied(requestId, authentication, action, request,
authzInfo.getAuthenticatedUserAuthorizationInfo());
}
listener.onFailure(denialException(authentication, action, null));
}
}, e -> {
auditTrail.runAsDenied(requestId, authentication, action, request,
authzInfo.getAuthenticatedUserAuthorizationInfo());
listener.onFailure(denialException(authentication, action, null));
}), threadContext);
authorizeRunAs(requestInfo, authzInfo, runAsListener);

An exception that is thrown during the rest of the authorization process, will wind up getting caught by that listener's exception consumer. This leads to a confusing run_as_denied audit event after a run_as_granted event for the same request. I think the first item to address is the fact that e gets dropped in that code. The second item is to avoid the confusion of having the error reported as a run_as_denied event and appropriately handle the exception.

Metadata

Metadata

Assignees

Labels

:Security/AuthorizationRoles, Privileges, DLS/FLS, RBAC/ABAC>bugTeam:SecurityMeta label for security team

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions