-
Notifications
You must be signed in to change notification settings - Fork 24.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scrolling a remote index should not require cluster:monitor/state privilege #43974
Comments
Pinging @elastic/es-search |
I think the problem is in the elasticsearch/server/src/main/java/org/elasticsearch/transport/RemoteClusterConnection.java Line 210 in b9ce649
I think that call to get the remote cluster state for the purpose of checking which nodes exist should be done in the system context, like in elasticsearch/server/src/main/java/org/elasticsearch/cluster/metadata/TemplateUpgradeService.java Line 134 in b9ce649
|
When finding nodes in a connected cluster for cross cluster search the requests to get cluster state on the connected cluster should be made in the system context because logically they are equivalent to checking a single detail in the local cluster state and should not require that the user who made the request that is using this method in its implementation is authorized to view the entire cluster state. Fixes elastic#43974
When finding nodes in a connected cluster for cross cluster search the requests to get cluster state on the connected cluster should be made in the system context because logically they are equivalent to checking a single detail in the local cluster state and should not require that the user who made the request that is using this method in its implementation is authorized to view the entire cluster state. Fixes elastic#43974
When finding nodes in a connected cluster for cross cluster search the requests to get cluster state on the connected cluster should be made in the system context because logically they are equivalent to checking a single detail in the local cluster state and should not require that the user who made the request that is using this method in its implementation is authorized to view the entire cluster state. Fixes elastic#43974
When finding nodes in a connected cluster for cross cluster search the requests to get cluster state on the connected cluster should be made in the system context because logically they are equivalent to checking a single detail in the local cluster state and should not require that the user who made the request that is using this method in its implementation is authorized to view the entire cluster state. Fixes #43974
When finding nodes in a connected cluster for cross cluster search the requests to get cluster state on the connected cluster should be made in the system context because logically they are equivalent to checking a single detail in the local cluster state and should not require that the user who made the request that is using this method in its implementation is authorized to view the entire cluster state. Fixes #43974
When finding nodes in a connected cluster for cross cluster search the requests to get cluster state on the connected cluster should be made in the system context because logically they are equivalent to checking a single detail in the local cluster state and should not require that the user who made the request that is using this method in its implementation is authorized to view the entire cluster state. Fixes #43974
At the moment it seems that starting a scroll on a remote index requires just the index permissions you'd expect, but continuing that scroll involving a remote index additionally requires that you have permission to read the entire cluster state.
To demonstrate:
cluster_one_data
in cluster 1 that givesall
access to the index containing the imported datacluster_one_data
in cluster 1 that givesall
access to the remote index containing the imported data in cluster 1cluster_two_data
in cluster 2 that givesall
access to the index containing the imported data in cluster 2a.
kibana_user
b.
cluster_one_data
c.
cluster_two_data
(Obviously the exact scroll IDs will vary from run to run.)
You will note that the local scroll can be started and continued with just privileges on the index being scrolled. The scroll of the remote index can also be started successfully, returning the first few hits as expected. But the attempt to continue the remote scroll returns this:
I think that if the remote scroll continuation needs to get some portion of the cluster state as an internal implementation detail then it should switch to system context to get this information, because logically you'd expect to be able to scroll an index when you have been granted permission to scroll that index. You should not additionally need permission to read the entire cluster state.
The text was updated successfully, but these errors were encountered: