Skip to content

Make sure that field-level security is enforced when using field aliases. #31807

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 16, 2018
Merged

Make sure that field-level security is enforced when using field aliases. #31807

merged 3 commits into from
Jul 16, 2018

Conversation

@jtibshirani
Copy link
Contributor

@jtibshirani jtibshirani commented Jul 4, 2018
edited
Loading

A user should only ever set permissions on a concrete field, not a field alias. Given this assumption, this PR verifies that access control is enforced in the following requests:

  • Search: security applies out-of-the-box because aliases are always translated to concrete fields before calling into lucene, and field level security is performed at the lucene level.
  • Field capabilities: when a field alias is used, we make sure to check the security filter against its target to avoid returning mapping information that a user doesn't have access to.

Note that even if a user can't see an alias' target, they are still able to retrieve the mappings for the alias (which includes the name of the target field). I looked into filtering alias mappings as well, but the change is quite involved. To me this seems like an okay trade-off for now -- when using a field alias, a user can tell that the target field exists, but cannot access any of its mapping information, whether through a 'get mappings' or field capabilities request.

I plan to update the documentation in elastic/stack-docs in a follow-up PR to specify that security shouldn't be set on field aliases. We currently don't enforce that permissions can't be set on an alias -- I didn't see a good way to do this, but am very happy for pointers.

@jtibshirani jtibshirani added >enhancement :Search Foundations/Mapping Index mappings, including merging and defining field types :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Jul 4, 2018
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 4, 2018

Pinging @elastic/es-search-aggs

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 4, 2018

Pinging @elastic/es-security

@jtibshirani jtibshirani mentioned this pull request Jul 4, 2018
Closed
9 tasks
@jtibshirani jtibshirani force-pushed the field-alias-security branch from 54a0200 to e57eab7 Compare July 4, 2018 21:19
@jaymode jaymode self-requested a review July 11, 2018 16:30
jaymode
jaymode approved these changes Jul 13, 2018
View reviewed changes
Copy link
Member

@jaymode jaymode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

x-pack/plugin/security/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java Outdated
Copy link
Member

@jaymode jaymode Jul 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/should match/should not match

Copy link
Contributor Author

@jtibshirani jtibshirani Jul 14, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@jtibshirani jtibshirani force-pushed the field-alias-security branch from 2d02ddf to 89e136d Compare July 16, 2018 18:21
@jtibshirani jtibshirani merged commit e9b4008 into elastic:field-aliases Jul 16, 2018
@jtibshirani jtibshirani deleted the field-alias-security branch July 16, 2018 21:17
jtibshirani added a commit that referenced this pull request Jul 17, 2018
@jtibshirani
Make sure that field-level security is enforced when using field alia…
270a924 
…ses. (#31807)

* Add basic unit tests for field level security with field aliases.
* Ensure that field caps information is filtered when a field alias is provided.
jtibshirani added a commit that referenced this pull request Jul 18, 2018
@jtibshirani
Make sure that field-level security is enforced when using field alia…
5995794 
…ses. (#31807)

* Add basic unit tests for field level security with field aliases.
* Ensure that field caps information is filtered when a field alias is provided.
jtibshirani added a commit that referenced this pull request Jul 18, 2018
@jtibshirani
Add support for field aliases. (#32172)
15ff3da 
* Add basic support for field aliases in index mappings. (#31287)
* Allow for aliases when fetching stored fields. (#31411)
* Add tests around accessing field aliases in scripts. (#31417)
* Add documentation around field aliases. (#31538)
* Add validation for field alias mappings. (#31518)
* Return both concrete fields and aliases in DocumentFieldMappers#getMapper. (#31671)
* Make sure that field-level security is enforced when using field aliases. (#31807)
* Add more comprehensive tests for field aliases in queries + aggregations. (#31565)
* Remove the deprecated method DocumentFieldMappers#getFieldMapper. (#32148)
jtibshirani added a commit to jtibshirani/elasticsearch that referenced this pull request Jul 24, 2018
@jtibshirani
Make sure that field-level security is enforced when using field alia…
9bc098a 
…ses. (elastic#31807)

* Add basic unit tests for field level security with field aliases.
* Ensure that field caps information is filtered when a field alias is provided.
jtibshirani added a commit that referenced this pull request Jul 24, 2018
@jtibshirani
Add support for field aliases to 6.x. (#32184)
6672f53 
* Add basic support for field aliases in index mappings. (#31287)
* Allow for aliases when fetching stored fields. (#31411)
* Add tests around accessing field aliases in scripts. (#31417)
* Return both concrete fields and aliases in DocumentFieldMappers#getMapper. (#31671)
* Add documentation around field aliases. (#31538)
* Add validation for field alias mappings. (#31518)
* Make sure that field-level security is enforced when using field aliases. (#31807)
* Add more comprehensive tests for field aliases in queries + aggregations. (#31565)
* Remove the deprecated method DocumentFieldMappers#getFieldMapper. (#32148)
* Ensure that field aliases cannot be used in multi-fields. (#32219)
* Make sure that field aliases count towards the total fields limit. (#32222)
* Fix a test bug around nested aggregations and field aliases. (#32287)
* Make sure the _uid field is correctly loaded in scripts.
* Fix the failing test case FieldLevelSecurityTests#testParentChild_parentField.
* Enforce that field aliases can only be specified on indexes with a single type.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jaymode jaymode jaymode approved these changes

Assignees

No one assigned

Labels

>enhancement :Search Foundations/Mapping Index mappings, including merging and defining field types :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jtibshirani @elasticmachine @jaymode