
Validate field permissions when creating a role #50212

Merged
merged 5 commits into from
Jan 13, 2020

Conversation

tvernum
Contributor

@tvernum tvernum commented Dec 16, 2019

When creating a role, we do not check whether the exceptions for
the field permissions are a subset of the granted fields. If such
a role is assigned to a user, then that user's authentication fails
for this reason.

We added a check to validate the role query in #46275 and, along the same lines,
this commit adds a check that the exceptions for the field
permissions are a subset of the granted fields when parsing the
index privileges from the role descriptor.

Replaces: #48108
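The subset rule the PR describes, as an added example in Python (not the Elasticsearch implementation, which compares field-pattern automata): each `except` entry of a `field_security` block must be covered by at least one `grant` pattern, and a role descriptor that violates this is rejected when it is created rather than when the user later authenticates. The containment check for pattern-vs-pattern entries is deliberately conservative, and the sample role descriptors are constructed for this example.

```python
import re

def glob_matches(pattern: str, name: str) -> bool:
    """Match a field name against a pattern where '*' matches any run of
    characters (the only wildcard handled in this example)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def grant_covers(grant: str, excluded: str) -> bool:
    """True if every field matched by `excluded` is also matched by `grant`.
    Simplified containment: a literal except entry is glob-matched against
    the grant; a wildcard except entry is accepted only when the grant is
    identical, is the catch-all '*', or is a trailing-'*' prefix covering it."""
    if "*" not in excluded:
        return glob_matches(grant, excluded)
    if grant in (excluded, "*"):
        return True
    if grant.endswith("*") and "*" not in grant[:-1]:
        return excluded.startswith(grant[:-1])
    return False  # pattern-vs-pattern cases this check cannot prove are rejected

def validate_role(role: dict) -> list:
    """Check field_security of each index privilege in a role descriptor
    (Create Role API shape). Returns error strings; an empty list means valid."""
    errors = []
    for i, priv in enumerate(role.get("indices", [])):
        fls = priv.get("field_security")
        if not fls:
            continue
        grant, excluded = fls.get("grant"), fls.get("except", [])
        if excluded and grant is None:  # assumption: except without grant is invalid
            errors.append(f"indices[{i}]: 'except' requires 'grant'")
            continue
        for field in excluded:
            if not any(grant_covers(g, field) for g in grant):
                errors.append(f"indices[{i}]: except field [{field}] is not a "
                              f"subset of granted fields {grant}")
    return errors

# Constructed sample role descriptors (not taken from the PR).
BAD_ROLE = {"indices": [{"names": ["orders-*"], "privileges": ["read"],
    "field_security": {"grant": ["customer.*", "order_id"],
                       "except": ["customer.ssn", "payment.card"]}}]}
GOOD_ROLE = {"indices": [{"names": ["orders-*"], "privileges": ["read"],
    "field_security": {"grant": ["customer.*", "order_id"],
                       "except": ["customer.ssn", "customer.address.*"]}}]}

if __name__ == "__main__":
    print(validate_role(BAD_ROLE))   # one error naming payment.card
    print(validate_role(GOOD_ROLE))  # []
```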

Yogesh Gaikwad and others added 4 commits October 16, 2019 19:01
When creating a role, we do not check whether the exceptions for
the field permissions are a subset of the granted fields. If such
a role is assigned to a user, the user's authentication fails.
Along the same lines as the role query validation, this commit
adds a check that the exceptions for the field
permissions are a subset of the granted fields when parsing the
index privileges.
@tvernum tvernum added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.6.0 labels Dec 16, 2019
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

Member

@jkakavas jkakavas left a comment


LGTM

@tvernum
Contributor Author

tvernum commented Jan 13, 2020

@elasticmachine update branch

@tvernum
Contributor Author

tvernum commented Jan 13, 2020

Merging despite CLA check failure as these commits were authored by someone who was an Elastic employee at the time.

@tvernum tvernum merged commit 65a7a13 into elastic:master Jan 13, 2020
tvernum added a commit to tvernum/elasticsearch that referenced this pull request Jan 13, 2020
When creating a role, we do not check whether the exceptions for
the field permissions are a subset of the granted fields. If such
a role is assigned to a user, then that user's authentication fails
for this reason.

We added a check to validate the role query in elastic#46275 and, along the same lines,
this commit adds a check that the exceptions for the field
permissions are a subset of the granted fields when parsing the
index privileges from the role descriptor.

Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>

Backport of: elastic#50212
tvernum added a commit that referenced this pull request Jan 14, 2020
Backport of: #50212

Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>
SivagurunathanV pushed a commit to SivagurunathanV/elasticsearch that referenced this pull request Jan 23, 2020
Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>