Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API keys should throw an error, if unknown privilege gets added #67311

Closed
spinscale opened this issue Jan 11, 2021 · 2 comments · Fixed by #82049
Closed

API keys should throw an error, if unknown privilege gets added #67311

spinscale opened this issue Jan 11, 2021 · 2 comments · Fixed by #82049
Assignees
@ywangd
Labels
>bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@spinscale
Copy link
Contributor

Elasticsearch version (bin/elasticsearch --version): 7.10.1

Description of the problem including expected versus actual behavior:

Adding an API key with a non-existing privilege returns successfully, but throws an error on the first operation that tries to get executed.

Steps to reproduce:

POST /_security/api_key
{
  "name": "my-api-key",
  "role_descriptors": { 
    "my-management": {
      "cluster": ["manage_index_template"]
    }
  }
}

Note the missing s at the end of manage_index_template - this returns a successful response with an API key.

However the next request trying to create an index template returns

Exception in thread "main" java.lang.RuntimeException: error storing index template [my_analytics_template]: status [400], body [{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"unknown cluster privilege [manage_index_template]. a privilege must be either one of the predefined cluster privilege names [monitor_ml,manage_enrich,read_slm,monitor_watcher,manage_index_templates,manage_ccr,monitor_transform,manage_logstash_pipelines,delegate_pki,none,monitor_snapshot,manage_data_frame_transforms,read_ilm,monitor_data_frame_transforms,manage_api_key,manage_security,manage_saml,manage_own_api_key,all,manage_ilm,manage_oidc,manage_ingest_pipelines,read_ccr,monitor,manage_rollup,manage_slm,manage_watcher,manage,manage_transform,manage_token,manage_autoscaling,manage_ml,manage_pipeline,monitor_rollup,grant_api_key,transport_client,create_snapshot] or a pattern over one of the available cluster actions"}],"type":"illegal_argument_exception","reason":"unknown cluster privilege [manage_index_template]. a privilege must be either one of the predefined cluster privilege names [monitor_ml,manage_enrich,read_slm,monitor_watcher,manage_index_templates,manage_ccr,monitor_transform,manage_logstash_pipelines,delegate_pki,none,monitor_snapshot,manage_data_frame_transforms,read_ilm,monitor_data_frame_transforms,manage_api_key,manage_security,manage_saml,manage_own_api_key,all,manage_ilm,manage_oidc,manage_ingest_pipelines,read_ccr,monitor,manage_rollup,manage_slm,manage_watcher,manage,manage_transform,manage_token,manage_autoscaling,manage_ml,manage_pipeline,monitor_rollup,grant_api_key,transport_client,create_snapshot] or a pattern over one of the available cluster actions"},"status":400}]
@spinscale spinscale added >bug needs:triage Requires assignment of a team area label labels Jan 11, 2021
@albertzaharovits albertzaharovits added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) and removed needs:triage Requires assignment of a team area label labels Jan 12, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jan 12, 2021
@albertzaharovits albertzaharovits self-assigned this Jan 12, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@albertzaharovits
Copy link
Contributor

albertzaharovits commented Jan 12, 2021
edited

Thank you for reporting it @spinscale !
I concur that we have validation when creating roles but no validation when creating API keys (which internally use the same role descriptor structure).

@tvernum tvernum mentioned this issue Sep 21, 2021
Open
@ywangd ywangd self-assigned this Dec 14, 2021
ywangd added a commit to ywangd/elasticsearch that referenced this issue Dec 23, 2021
@ywangd
Add validation for API key role descriptors
8e1dc66 
Put Role API prevents creation of invalidate role descriptors by
validating that the given cluster privileges and index previleges can be
resolved. However, the same validation is not performed when creating
API keys. As a result, users are able to create invalidate API keys
which then fail at use time. The experience is not user friendly and
inconsistent. This PR fixes it by adding the same validation logic for
API key creation.

Resolves: elastic#67311
@ywangd ywangd mentioned this issue Dec 23, 2021
Merged
ywangd added a commit that referenced this issue Jan 10, 2022
@ywangd
Add validation for API key role descriptors (#82049)
5822aa2 
Put Role API prevents creation of invalidate role descriptors by
validating that the given cluster privileges and index previleges can be
resolved. However, the same validation is not performed when creating
API keys. As a result, users are able to create invalidate API keys
which then fail at use time. The experience is not user friendly and
inconsistent. This PR fixes it by adding the same validation logic for
API key creation.

Resolves: #67311
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ywangd ywangd

Labels
>bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add validation for API key role descriptors ywangd/elasticsearch
4 participants
@spinscale @ywangd @albertzaharovits @elasticmachine