Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rollup_search requires more than read-only permissions #50245

Closed
markharwood opened this issue Dec 16, 2019 · 3 comments · Fixed by #52043
Closed

Rollup_search requires more than read-only permissions #50245

markharwood opened this issue Dec 16, 2019 · 3 comments · Fixed by #52043
Assignees
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC :StorageEngine/Rollup Turn fine-grained time-based data into coarser-grained data v6.8.0 v7.5.1

Comments

@markharwood
Copy link
Contributor

In searches against rollup indices using the _rollup_search api, users need at least manage privileges for what should really be a read only operation.
This was reported on 6.8 and I reproduced it but this may apply to other versions too.
It's possible read and view_index_metadata may be required privileges but write-capable permissions should really not be required here.

@markharwood markharwood added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC :StorageEngine/Rollup Turn fine-grained time-based data into coarser-grained data v6.8.0 labels Dec 16, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-analytics-geo (:Analytics/Rollup)

@gbanasiak
Copy link
Contributor

Also present in 7.5.1.

ywangd added a commit that referenced this issue Mar 3, 2020
Currently _rollup_search requires manage privilege to access. It should really be
a read only operation. This PR changes the requirement to be read indices privilege.

Resolves: #50245
ywangd added a commit to ywangd/elasticsearch that referenced this issue Mar 3, 2020
Currently _rollup_search requires manage privilege to access. It should really be
a read only operation. This PR changes the requirement to be read indices privilege.

Resolves: elastic#50245
ywangd added a commit that referenced this issue Mar 3, 2020
Currently _rollup_search requires manage privilege to access. It should really be
a read only operation. This PR changes the requirement to be read indices privilege.

Resolves: #50245
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC :StorageEngine/Rollup Turn fine-grained time-based data into coarser-grained data v6.8.0 v7.5.1
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants