Data is being shown sometimes without access

We are on elastic version 8.8.1, build_flavor is default and build_type is docker. We have created a user test_user with role role_1 which has access to index_1 and no other index.

We are noticing a security issue when I log in as that user test_user and try to access abc, to which it does not have access. When I execute the command in the dev console or with curl multiple times to access index abc, I get a security exception, which is fine.

ISSUE: But on some attempts it shows the data, which should NOT happen. When I execute the command, sometimes I get the security exception error (correct) and sometimes I can see the data (ISSUE). Has anyone faced this issue? Do we know what the root cause is, or is there any recommendation for the next step?

Below are the tests and results:

curl -XGET --user "test_user:password" "https://o11y-dev-es.idcmgt.intel.com/abc/_count" -H "kbn-xsrf: reporting"
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with effective roles [test_user] on indices [abc], this action is granted by the index privileges [read,all]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with effective roles [test_user] on indices [abc], this action is granted by the index privileges [read,all]"},"status":403}
curl -XGET --user "test_user:password" "https://o11y-dev-es.idcmgt.intel.com/abc/_count" -H "kbn-xsrf: reporting"
{"count":907938,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}
curl -XGET --user "test_user:password" "https://o11y-dev-es.idcmgt.intel.com/abc/_count" -H "kbn-xsrf: reporting"
{"count":907938,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}
curl -XGET --user "test_user:password" "https://o11y-dev-es.idcmgt.intel.com/abc/_count" -H "kbn-xsrf: reporting"
{"count":907938,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}
curl -XGET --user "test_user:password" "https://o11y-dev-es.idcmgt.intel.com/abc/_count" -H "kbn-xsrf: reporting"
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with effective roles [test_user] on indices [abc], this action is granted by the index privileges [read,all]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with effective roles [test_user] on indices [abc], this action is granted by the index privileges [read,all]"},"status":403}
curl -XGET --user "test_user:password" "https://o11y-dev-es.idcmgt.intel.com/abc/_count" -H "kbn-xsrf: reporting"
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with effective roles [test_user] on indices [abc], this action is granted by the index privileges [read,all]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with effective roles [test_user] on indices [abc], this action is granted by the index privileges [read,all]"},"status":403}

Thanks.

Hi @Amol_Gaitonde1,

Thank you for those logs. According to them, giving the test_user role read access on the abc index should solve that problem. Role documentation.

This definitely should not happen, but can you provide a little more context?

First, how did you create the user and the roles? Using REST requests to Elasticsearch, or are you using file-based role management?

Second, you are making requests to https://o11y-dev-es.idcmgt.intel.com, is this an LB in front of your nodes? Can you share the logs from your elasticsearch when you make the requests?

Also, please share your elasticsearch.yml and docker compose.
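
Added example, not part of the thread or of Elasticsearch itself: a small Python triage script that classifies repeated responses to one identical request and reports whether allow/deny decisions differ by source, which is what the load balancer question above is trying to establish. The response bodies are constructed to match the shape shown in the thread; the `node-a`/`node-b` labels are hypothetical, since the thread does not say which node served which response.

```python
import json
import re
from collections import defaultdict

# Reason string of an Elasticsearch security_exception, in the form shown in the thread.
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" with effective roles \[(?P<roles>[^\]]*)\] on indices \[(?P<indices>[^\]]*)\]"
)

def classify(body):
    """Map one response body to ('denied' | 'allowed' | 'error', details)."""
    doc = json.loads(body)
    err = doc.get("error")
    if isinstance(err, dict) and err.get("type") == "security_exception":
        m = REASON_RE.search(err.get("reason", ""))
        return "denied", (m.groupdict() if m else {})
    if err is not None:
        return "error", {"error": err}
    return "allowed", {"count": doc.get("count")}

def audit(captures):
    """captures: (source_label, body) pairs for one identical request, repeated."""
    tally = defaultdict(lambda: defaultdict(int))
    for source, body in captures:
        tally[source][classify(body)[0]] += 1
    seen = {o for counts in tally.values() for o in counts}
    return {
        "inconsistent": {"allowed", "denied"} <= seen,
        "allowing_sources": sorted(s for s, c in tally.items() if c.get("allowed")),
        "flapping_sources": sorted(s for s, c in tally.items() if len(c) > 1),
        "tally": {s: dict(c) for s, c in tally.items()},
    }

# Constructed sample: bodies shaped like the thread's output, in the same order
# (403, 200, 200, 200, 403, 403). The node labels are hypothetical.
_REASON = ("action [indices:data/read/search] is unauthorized for user [test_user] "
           "with effective roles [test_user] on indices [abc], this action is granted "
           "by the index privileges [read,all]")
DENIED = json.dumps({"error": {"type": "security_exception", "reason": _REASON},
                     "status": 403})
ALLOWED = '{"count":907938,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}'
SAMPLE = [("node-a", DENIED), ("node-b", ALLOWED), ("node-b", ALLOWED),
          ("node-b", ALLOWED), ("node-a", DENIED), ("node-a", DENIED)]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Sources that always allow while others always deny point at a difference between nodes; a single source listed under `flapping_sources` needs a different explanation.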