Validate query field when creating roles
#46275
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bizybot
added
>bug
:Security/Authorization
|
Pinging @elastic/es-security |
bizybot
force-pushed
the
34252-fix
branch
10 times, most recently
from
406f3a1
to
6efafea
Compare
|
unrelated failure |
As of now the validation occurs at runtime when the query is being executed. I think the reason was due to the use of template queries which need runtime information as they need to be evaluated like user information. This commit adds validation for the role query but **not for the template query** as we do not have the runtime information required for evaluating the template query. This also corrects some tests and roles.yml files where the `query` field was not populated correctly. For validation, the query is evaluated (if not a template), parsed to build the `QueryBuilder` and verify if the query type is allowed. Closes elastic#34252
|
@elasticmachine run elasticsearch-ci/2 |
jkakavas
reviewed
Sep 10, 2019
| } | ||
| } | ||
| } catch (XContentParseException | IOException e) { | ||
| throw new ElasticsearchParseException("failed to parse field 'query' from the role descriptor", e); |
There was a problem hiding this comment.
consider changing the error message here, we wouldn't trying parse the query. WDYT ?
There was a problem hiding this comment.
changed the message here, Thank you.
...src/main/java/org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.java
Outdated
Show resolved
Hide resolved
...ugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/FileRolesStore.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.java
Show resolved
Hide resolved
...src/main/java/org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.java
Outdated
Show resolved
Hide resolved
| import java.util.List; | ||
|
|
||
| /** | ||
| * This class helps in evaluating the query field if it is template |
There was a problem hiding this comment.
it evaluates non template queries also, right ?
There was a problem hiding this comment.
So there are two validation methods one that validates query (validateQueryField) and another one that evaluates a query if it is a template and then performs validation(validateAndVerifyRoleQuery).
validateQueryField cannot evaluate the template query so skips the validation for it as the runtime information is not available.
I have corrected the documentation for validateQueryField which was incorrect. Thank you.
added 2 commits
September 12, 2019 13:15
- add index privileg index to the error message to denote query of which index privilege failed to validate. - add more information to the error message where we know the expected values
tvernum
reviewed
Sep 12, 2019
| @@ -190,7 +190,7 @@ private static Role randomRole(String roleName) { | |||
| .name(roleName) | |||
| .clusterPrivileges(randomSubsetOf(randomInt(3), Role.ClusterPrivilegeName.ALL_ARRAY)) | |||
| .indicesPrivileges( | |||
| randomArray(3, IndicesPrivileges[]::new, () -> IndicesPrivilegesTests.createNewRandom(randomAlphaOfLength(3)))) | |||
| randomArray(3, IndicesPrivileges[]::new, () -> IndicesPrivilegesTests.createNewRandom("{\"match_all\": {}}"))) | |||
There was a problem hiding this comment.
If we really want this to be a random role then may this would be better as
Suggested change
| randomArray(3, IndicesPrivileges[]::new, () -> IndicesPrivilegesTests.createNewRandom("{\"match_all\": {}}"))) | |
| randomArray(3, IndicesPrivileges[]::new, () -> IndicesPrivilegesTests.createNewRandom( | |
| "{\"term\":{ \"" + randomAlphaOfLength(5) + "\" : \"" + randomAlphaOfLength(3) + "\"}}"))) |
But maybe that's overkill, I didn't really look at where we use this method.
There was a problem hiding this comment.
Since this was an IT testing put role, we were failing due to validation, earlier the query was invalid.
I don't think we need to create a random query here, the createNewRandom is being used in unit tests mostly. But if you feel that we should have a random query string generated then we can do something here. Thank you.
...src/main/java/org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.java
Outdated
Show resolved
Hide resolved
...java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluator.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/elasticsearch/xpack/security/action/user/TransportHasPrivilegesAction.java
Outdated
Show resolved
Hide resolved
...ugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/FileRolesStore.java
Show resolved
Hide resolved
Yep, I assumed that was the case, but there's no harm in asking 😄
Yeah, this is a quick win for us, good suggestion.
I think this would be ideal, but that would be quite a bit of work for us, and not something I could take on in the near future. |
added 6 commits
September 13, 2019 00:10
- public to package protected method - return immediately for simpler methods - correct the logic in file roles and add tests
tvernum
requested changes
Sep 25, 2019
...src/main/java/org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.java
Outdated
Show resolved
Hide resolved
tvernum
approved these changes
Sep 25, 2019
bizybot
added a commit
to bizybot/elasticsearch
that referenced
this pull request
Sep 25, 2019
In the current implementation, the validation of the role query occurs at runtime when the query is being executed. This commit adds validation for the role query when creating a role but not for the template query as we do not have the runtime information required for evaluating the template query (eg. authenticated user's information). This is similar to the scripts that we store but do not evaluate or parse if they are valid queries or not. For validation, the query is evaluated (if not a template), parsed to build the QueryBuilder and verify if the query type is allowed. Closes elastic#34252
bizybot
added a commit
that referenced
this pull request
Sep 26, 2019
In the current implementation, the validation of the role query occurs at runtime when the query is being executed. This commit adds validation for the role query when creating a role but not for the template query as we do not have the runtime information required for evaluating the template query (eg. authenticated user's information). This is similar to the scripts that we store but do not evaluate or parse if they are valid queries or not. For validation, the query is evaluated (if not a template), parsed to build the QueryBuilder and verify if the query type is allowed. Closes #34252
tvernum
added a commit
that referenced
this pull request
Jan 13, 2020
When creating a role, we do not check if the exceptions for the field permissions are a subset of granted fields. If such a role is assigned to a user then that user's authentication fails for this reason. We added a check to validate role query in #46275 and on the same lines, this commit adds check if the exceptions for the field permissions is a subset of granted fields when parsing the index privileges from the role descriptor. Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Jan 13, 2020
When creating a role, we do not check if the exceptions for the field permissions are a subset of granted fields. If such a role is assigned to a user then that user's authentication fails for this reason. We added a check to validate role query in elastic#46275 and on the same lines, this commit adds check if the exceptions for the field permissions is a subset of granted fields when parsing the index privileges from the role descriptor. Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com> Backport of: elastic#50212
tvernum
added a commit
that referenced
this pull request
Jan 14, 2020
When creating a role, we do not check if the exceptions for the field permissions are a subset of granted fields. If such a role is assigned to a user then that user's authentication fails for this reason. We added a check to validate role query in #46275 and on the same lines, this commit adds check if the exceptions for the field permissions is a subset of granted fields when parsing the index privileges from the role descriptor. Backport of: #50212 Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>
SivagurunathanV
pushed a commit
to SivagurunathanV/elasticsearch
that referenced
this pull request
Jan 23, 2020
When creating a role, we do not check if the exceptions for the field permissions are a subset of granted fields. If such a role is assigned to a user then that user's authentication fails for this reason. We added a check to validate role query in elastic#46275 and on the same lines, this commit adds check if the exceptions for the field permissions is a subset of granted fields when parsing the index privileges from the role descriptor. Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>
This was referenced Feb 3, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the current implementation, the validation of the role query
occurs at runtime when the query is being executed.
This commit adds validation for the role query when creating a role
but not for the template query as we do not have the runtime
information required for evaluating the template query (eg. authenticated user's
information). This is similar to the scripts that we
store but do not evaluate or parse if they are valid queries or not.
For validation, the query is evaluated (if not a template), parsed to build the
QueryBuilderand verify if the query type is allowed.Closes #34252