Remove system-index write-access from superuser role #81400

tvernum · 2021-12-07T04:02:11Z

This commit changes the superuser role so that it no longer has any sort of write access to restricted indices (system indices).
This improves the safety ad security of the cluster, as it means that there are no out-of-the-box users or roles that can write to, delete or close the security index.

Superusers can still read from (and monitor) system indices.

Done

Remove write access from superuser role descriptor (46614de)
Change XPackSecurity internal user to have its own private role and not rely on superuser (7da9999)
Fix QA tests that use test_superuser to manipulate system indices
Remove short circuit case for superuser if the user has other roles as well.

tvernum · 2021-12-07T04:02:52Z

@jkakavas @ywangd FYI. It's still draft for now, but I'll be looking for reviews later.

tvernum · 2021-12-07T04:08:07Z

It is not yet decided whether we want to go down this path at this point in time. This PR is to explore what it would look like if we did make that decision.

...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

This new test verifies superuser works as expected in a running cluster. Relates: #81400 Backport of: #82651

The _xpack_security user no longer has the superuser role since elastic#81400

The _xpack_security user no longer has the superuser role since #81400

The _xpack_security user no longer has the superuser role since elastic#81400

The _xpack_security user no longer has the superuser role since #81400

The _xpack_security user no longer has the superuser role since elastic#81400

In elastic#81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only if other roles or application privileges are unavailable

In #81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only, whenever other roles or application privileges are unavailable Relates: #85312

In elastic#81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only, whenever other roles or application privileges are unavailable Relates: elastic#85312

In #81400 we changed `superuser` to no longer have _every_ privilege. Consequently, we also removed the special case code that existed that would ignore all other roles for any user that had superuser role. However, we added some special handling so that failing to resolve those other roles would not block superuser access - when a user has superuser role, any failures in role resolution will be effectively ignored, and the user will be given the superuser role only. However, this failure handling did not account for the loading of application privileges. If application privileges needed to be loaded, but failed, this could prevent resolution of the superuser role. This change extends the failure handling to encompass the full resolution of roles, and fallback to superuser only, whenever other roles or application privileges are unavailable Relates: #85312

Adjusted the document to ensure alignment and correctness after following changes were made: #81400 and adjusted for proposed solution mentioned here: #81451 (comment)

Cpt-Falcon · 2022-07-12T17:00:58Z

a

tvernum added 2 commits December 7, 2021 14:29

Change superuser role

46614de

Switch XPackSecurity user to have own role

7da9999

tvernum added >breaking WIP :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Dec 7, 2021

tvernum requested a review from ywangd December 7, 2021 04:02

elasticsearchmachine added the v8.1.0 label Dec 7, 2021

tvernum added 3 commits December 8, 2021 17:30

Use custom role for test infra

f41dfed

Fix spotless/checkstyle

852fed8

Merge branch 'master' into superuser-no-system-indices

36a3bbb

ywangd reviewed Dec 8, 2021

View reviewed changes

...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java Outdated Show resolved Hide resolved

tvernum added 7 commits December 9, 2021 13:09

Include new root role in high level client test

0c4d814

Include new root role in watcher test

9c80ab1

Include new root role in JDBC test

a027a8d

Update doc snippet test to accommodate role change

7238596

Merge branch 'master' into superuser-no-system-indices

7712ff9

Run SystemIndices test as root instead of superuser

72f9956

Fix X-Pack doc snippet tests

1163e87

tylersmalley mentioned this pull request Dec 9, 2021

Test blocking write access to system indices elasticseach#81400 elastic/kibana#120705

Closed

tvernum added 4 commits December 17, 2021 16:30

Merge branch 'master' into superuser-no-system-indices

d5fa450

Run fleet and logstash tests as _root

9db3412

Add root role to graph QA roles.yml

0143c47

Merge branch 'master' into superuser-no-system-indices

d77e7d4

ashokaditya mentioned this pull request Dec 20, 2021

[Security Solution][Endpoint] Use internal kibana client to write to ES system indices elastic/kibana#121642

Merged

2 tasks

tvernum added 4 commits December 21, 2021 13:15

Merge branch 'master' into superuser-no-system-indices

0d5f1c1

Add root role to IdP QA roles.yml

6503d8c

Add root role to ILM QA roles.yml

62fcff2

Add root role to Security-on-Basic QA roles.yml

3dbcb99

elasticsearchmachine pushed a commit that referenced this pull request Jan 17, 2022

Add simple integTest (QA) for Superuser role (#82654)

8974eba

This new test verifies superuser works as expected in a running cluster. Relates: #81400 Backport of: #82651

jportner mentioned this pull request Jan 17, 2022

[8.0] [8.1] Error: [config validation of [elasticsearch].username]: value of "elastic" is forbidden elastic/kibana#123113

Closed

mark-vieira mentioned this pull request Jan 18, 2022

Fix getBuildPluginFile for examples and thirdparty build #82730

Merged

This was referenced Jan 19, 2022

Support for superuser not having write access elastic/kibana#123338

Closed

Support for superuser not having write access elastic/kibana#123337

Merged

pugnascotia added v8.0.0-rc2 and removed v8.0.0 labels Feb 1, 2022

ywangd added a commit to ywangd/elasticsearch that referenced this pull request Feb 8, 2022

Clean up for superuser role name references

e32c273

The _xpack_security user no longer has the superuser role since elastic#81400

ywangd mentioned this pull request Feb 8, 2022

Clean up for superuser role name references #83627

Merged

ywangd added a commit that referenced this pull request Feb 14, 2022

Clean up for superuser role name references (#83627)

a9cdbf4

The _xpack_security user no longer has the superuser role since #81400

ywangd added a commit to ywangd/elasticsearch that referenced this pull request Feb 14, 2022

Clean up for superuser role name references (elastic#83627)

b35c670

The _xpack_security user no longer has the superuser role since elastic#81400

ywangd mentioned this pull request Feb 14, 2022

Clean up for superuser role name references (#83627) #83881

Merged

ywangd added a commit to ywangd/elasticsearch that referenced this pull request Feb 14, 2022

Clean up for superuser role name references (elastic#83627)

b78628d

The _xpack_security user no longer has the superuser role since elastic#81400

ywangd mentioned this pull request Feb 14, 2022

Clean up for superuser role name references (#83627) #83882

Merged

elasticsearchmachine pushed a commit that referenced this pull request Feb 14, 2022

Clean up for superuser role name references (#83627) (#83881)

1d1379e

The _xpack_security user no longer has the superuser role since #81400

elasticsearchmachine pushed a commit that referenced this pull request Feb 14, 2022

Clean up for superuser role name references (#83627) (#83882)

11c26af

The _xpack_security user no longer has the superuser role since #81400

tlrx pushed a commit to tlrx/elasticsearch that referenced this pull request Mar 3, 2022

Clean up for superuser role name references (elastic#83627)

1a9cdb2

The _xpack_security user no longer has the superuser role since elastic#81400

tvernum mentioned this pull request Mar 31, 2022

Ignore app priv failures when resolving superuser #85519

Merged

williamrandolph mentioned this pull request May 25, 2022

Elasticsearch is missing datastream index template .fleet-actions-results #81451

Open

robb3rt pushed a commit that referenced this pull request Jul 11, 2022

added warning for required privileges

fd8e1fe

Adjusted the document to ensure alignment and correctness after following changes were made: #81400 and adjusted for proposed solution mentioned here: #81451 (comment)

robb3rt mentioned this pull request Jul 11, 2022

added warning for required privileges #88438

Open

greibrokka mentioned this pull request Jul 20, 2022

[Bug] Unable to use the option allow_restricted_indices when creating security role elastic/terraform-provider-elasticstack#125

Closed

RobsonSutton mentioned this pull request Jul 23, 2022

[Documentation] Update doc to include missing API attribute #88751

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove system-index write-access from superuser role #81400

Remove system-index write-access from superuser role #81400

tvernum commented Dec 7, 2021 •

edited

tvernum commented Dec 7, 2021

tvernum commented Dec 7, 2021

Cpt-Falcon commented Jul 12, 2022 •

edited

Remove system-index write-access from superuser role #81400

Remove system-index write-access from superuser role #81400

Conversation

tvernum commented Dec 7, 2021 • edited

tvernum commented Dec 7, 2021

tvernum commented Dec 7, 2021

Cpt-Falcon commented Jul 12, 2022 • edited

tvernum commented Dec 7, 2021 •

edited

Cpt-Falcon commented Jul 12, 2022 •

edited