Custom Authorization Engine issue

I'm working on an implementation of a custom authorization engine by following the instructions on this page and using this sample. I'm using Elasticsearch v8.2.0.

I've been able to generate the single zip file for my custom authorization engine and I've followed the steps to use the security extension as described on that page. I implemented the AuthorizationEngine to basically deny index operations, so I implemented this method to deny.

The issue I'm facing is I don't think the security extension is being called, as all my index actions like create and delete are succeeding. I would have expected a denial while running index-related actions. Even the logs don't seem to provide any information about whether the extension is used or not, although the logs do say that my plugin was loaded. Any idea if I'm missing something?

Authorization Engines are pretty tricky to get right, and are a really advanced feature. Are you sure that's the right answer to the problem you have?

I definitely do not recommend it if you have any other options.

It's hard to debug the problem without seeing your code. The only advice I can offer is to take it one step at a time. Put some logging in the constructor for your SecurityExtension and then some in the getAuthorizationEngine method and see whether they're being called.

I'm trying to use an external authorization engine to authorize requests that ES gets. Here is the code.

I was using print statements to figure out if the code is being called but I'll try to add some logs. Please do let me know if the code looks ok. I appreciate the help.

Thanks

I added some logging as you suggested. I can see this and this log in the ES logs.

But when I run a query I would have expected to see this log for example but I don't.

Also if it helps this is how I run a query:

$ curl -k -u elastic:zymvKQ2vtKba5uPOiXAW -X POST "https://localhost:9200/logs-my_app-default/_doc?pretty" -H 'Content-Type: application/json' -d'
{
  "@timestamp": "2099-05-06T16:21:15.000Z",
  "event": {
    "original": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736"
  }
}'
$ curl -k -u elastic:zymvKQ2vtKba5uPOiXAW -X DELETE "https://localhost:9200/_data_stream/logs-my_app-default?pretty"
$ curl --cacert http_ca.crt -u elastic -X POST "https://localhost:9200/logs-my_app-default/_doc?pretty" -H 'Content-Type: application/json' -d'
{
  "@timestamp": "2099-05-06T16:21:15.000Z",
  "event": {
    "original": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736"
  }
}'
$ curl --cacert http_ca.crt -u elastic -X DELETE "https://localhost:9200/_data_stream/logs-my_app-default?pretty"

Do you expect the above queries to hit some of the methods of the AuthorizationEngine interface?

@TimV if you need any more information please do let me know. I appreciate your feedback. Thanks!

The problem is that you are testing with the elastic user. Built-in users will always use the RBAC engine. You need to use a custom user if you want to use your own engine.

Hey @TimV, thanks for your reply. I created a custom role as described here and a custom user as described here. In this case too, it looks like it uses the RBAC engine. Is this the correct way to test, or can you please recommend something else?

Secondly, I'm using docker.elastic.co/elasticsearch/elasticsearch:8.2.0 for my setup, which should be fine, correct?

This is my test flow:

1. Create a custom role
$ curl --cacert http_ca.crt -u elastic  -X POST "https://localhost:9200/_security/role/not_superuser?pretty" -H 'Content-Type: application/json' -d'
{
  "cluster": [ "monitor" ],
  "indices": [
    {
      "names": [ "*" ],
      "privileges": [ "read" ]
    }
  ]
}'
2. Add a new user
$ docker exec -ti elasticsearch-opa_elasticsearch_1 /usr/share/elasticsearch/bin/elasticsearch-users useradd bob -p theshining -r not_superuser
3. Test Query 1: Create index
$ curl --cacert http_ca.crt -u bob -X PUT "https://localhost:9200/my-index-000001?pretty"
Enter host password for user 'bob':
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:admin/create] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_index,manage,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/create] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_index,manage,all]"
  },
  "status" : 403
}
4. Test Query 2: Add a single document
$ curl --cacert http_ca.crt -u bob -X POST "https://localhost:9200/logs-my_app-default/_doc?pretty" -H 'Content-Type: application/json' -d'
{
  "@timestamp": "2099-05-06T16:21:15.000Z",
  "event": {
    "original": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736"
  }
}
'
Enter host password for user 'bob':
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/write/index] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_doc,create,index,write,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:data/write/index] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_doc,create,index,write,all]"
  },
  "status" : 403
}

In both the test cases, the RBAC engine seems to be making the decision and not the custom engine.

When I start ES with xpack.license.self_generated.type=trial, my custom authorization code is now being called. Thanks @TimV, appreciate the help.
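As an added example (not code from the thread, from TimV, or from Elasticsearch itself), here is a small pre-flight script that encodes the two things the thread settled on before you spend time debugging the engine: requests from built-in users are always decided by the RBAC engine, and the extension's engine is only consulted once the license allows it (the thread enabled this with xpack.license.self_generated.type=trial). The ES_URL and ES_CA variables, the --live flag, the sample JSON bodies, and the assumption that a custom engine's denial does not reproduce the RBAC engine's "this action is granted by the ... privileges" hint are all my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Elasticsearch.
# Pre-flight checks for testing a custom AuthorizationEngine:
#   1. the test user must not be a built-in user (those always go through RBAC)
#   2. the license must permit the security extension's engine (thread used trial)
#   3. a denial is only evidence for your engine if it is NOT the RBAC wording
# ES_URL, ES_CA and the --live flag are assumptions made for this example.

ES_URL="${ES_URL:-https://localhost:9200}"
ES_CA="${ES_CA:-http_ca.crt}"

# Reserved (built-in) usernames; requests from these never reach a custom engine.
is_builtin_user() {
  case "$1" in
    elastic|kibana|kibana_system|logstash_system|beats_system|apm_system|remote_monitoring_user)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Read the JSON body of GET /_license on stdin and print the license type
# (basic, trial, platinum, ...). The first "type" key in that document is the license type.
license_type() {
  sed -n 's/.*"type" *: *"\([a-z_]*\)".*/\1/p' | head -n 1
}

# Classify a response body from a test request:
#   rbac  - security_exception carrying the RBAC engine's "granted by the ... privileges" hint
#   other - security_exception without that hint (assumed to be what a custom engine returns)
#   none  - no security_exception at all (allowed, or failed for a non-security reason)
classify_response() {
  local body="$1"
  if ! printf '%s' "$body" | grep -q '"security_exception"'; then
    echo none
  elif printf '%s' "$body" | grep -q 'this action is granted by the'; then
    echo rbac
  else
    echo other
  fi
}

# Constructed sample: the denial bob received in the thread (test query 2).
SAMPLE_RBAC_DENIAL='{
  "error" : {
    "type" : "security_exception",
    "reason" : "action [indices:data/write/index] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_doc,create,index,write,all]"
  },
  "status" : 403
}'

# Live run against a cluster:  ./check.sh --live bob:theshining
# Takes user[:password] exactly as curl -u does; without a password curl prompts.
# Reading /_license needs the "monitor" cluster privilege, which not_superuser has.
preflight() {
  local cred="$1" user="${1%%:*}" lic body
  if is_builtin_user "$user"; then
    echo "refusing: $user is a built-in user and will always be authorized by RBAC" >&2
    return 1
  fi
  lic="$(curl -s --cacert "$ES_CA" -u "$cred" "$ES_URL/_license" | license_type)"
  echo "license type: ${lic:-unknown}"
  body="$(curl -s --cacert "$ES_CA" -u "$cred" -X PUT "$ES_URL/my-index-000001")"
  echo "create-index decision came from: $(classify_response "$body")"
}

if [ "${1:-}" = "--live" ]; then
  preflight "${2:?usage: $0 --live <user[:password]>}"
fi
```

If the live run prints "rbac" for a non-built-in user, check the license type it printed: on a basic license the RBAC engine is still the only one in play, which is exactly the situation the thread ended in before switching to trial.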
