Switch security to authorise on indices rather than aliases

[elasticmachine]

Original comment by @tvernum:

We've discussed this a number of times in the past. The current approach of authorising based on aliases was an attempt to offer something a bit like DLS, prior to our proper DLS implementation.

Switching to only authorise on indices would make a lot of the code simpler, but would be a breaking change (and is complicated by license levels, aliases work in Gold, but DLS is in Platinum).

Opening this ticket as a place for discussion.

[jaymode]

This was discussed in today's team meeting. Given the complexity that alias authorization adds, we agreed that this is a breaking change we should make to remove complexity and simplify a users ability to reason about a request.

[albertzaharovits]

I got to think about this, got some feedback from the team at large about use cases that would be impacted by this, and we also had a discussion inside the ES Security team.

The main issue is with ILM, specifically the alias that ILM maintains over the last index in a rollover series. In this situation, the alias points to all indices in the series and it is a write alias for the last index in the series. Therefore a read from the alias, would read from all the indices and a write would write to the last index in the series.
When Security is enabled it is very easy to grant privileges to the user used to ingest data, the administrator simply has to grant read/write on the alias that ILM manages. The ingest user doesn't have to be concerned with the indices backing up the alias it is accessing.

However, this mechanism of an alias carrying around privileges and pointing to various indices is exactly the confusing behavior we wish to remediate. Removing privs on aliases would move privileges closer to the data in the index, since an index cannot be renamed.

We have brainstormed some ideas, some of which need more careful scrutiny:

• in Core, change the rollover action so that it makes a rolled over index read only. This way, with Security, an administrator grants read/write to the full index series.
• in Security, provide a way to define privileges on the last index in a series; right now with wildcards you can only grant privileges on the whole series
• in Core, implement index rename
• in Security, authorize on more than names. That is, the administrator has the option to grant privileges for indices with some specific metadata attribute.