Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rollup_search requires more than read-only permissions #50245

Closed
markharwood opened this issue Dec 16, 2019 · 3 comments · Fixed by #52043
Closed

Rollup_search requires more than read-only permissions #50245

markharwood opened this issue Dec 16, 2019 · 3 comments · Fixed by #52043
Assignees
@ywangd
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC :StorageEngine/Rollup Turn fine-grained time-based data into coarser-grained data v6.8.0 v7.5.1

Comments

@markharwood
Copy link
Contributor

In searches against rollup indices using the _rollup_search api, users need at least manage privileges for what should really be a read only operation.
This was reported on 6.8 and I reproduced it but this may apply to other versions too.
It's possible read and view_index_metadata may be required privileges but write-capable permissions should really not be required here.
@markharwood markharwood added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC :StorageEngine/Rollup Turn fine-grained time-based data into coarser-grained data v6.8.0 labels Dec 16, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-analytics-geo (:Analytics/Rollup)

@gbanasiak
Copy link
Contributor

Also present in 7.5.1.

@ywangd ywangd mentioned this issue Feb 7, 2020
Merged
ywangd added a commit that referenced this issue Mar 3, 2020
@ywangd
Allow _rollup_search with read privilege (#52043)
9a2a59b 
Currently _rollup_search requires manage privilege to access. It should really be
a read only operation. This PR changes the requirement to be read indices privilege.

Resolves: #50245
ywangd added a commit to ywangd/elasticsearch that referenced this issue Mar 3, 2020
@ywangd
Allow _rollup_search with read privilege (elastic#52043)
afcdcb8 
Currently _rollup_search requires manage privilege to access. It should really be
a read only operation. This PR changes the requirement to be read indices privilege.

Resolves: elastic#50245
@ywangd ywangd mentioned this issue Mar 3, 2020
Merged
ywangd added a commit that referenced this issue Mar 3, 2020
@ywangd
Allow _rollup_search with read privilege (#52043) (#53047)
70814da 
Currently _rollup_search requires manage privilege to access. It should really be
a read only operation. This PR changes the requirement to be read indices privilege.

Resolves: #50245
@codebrain codebrain mentioned this issue Apr 1, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ywangd ywangd

Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC :StorageEngine/Rollup Turn fine-grained time-based data into coarser-grained data v6.8.0 v7.5.1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow _rollup_search with read privilege ywangd/elasticsearch
4 participants
@markharwood @ywangd @gbanasiak @elasticmachine