Feature request? Ignore allow_explicit_index when accessing root /_bulk URL


(Иван Кадочников) #1

Hello,

When url-based access control is used for bulk requests

rest.action.multi.allow_explicit_index: false

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/url-access-control.html
It forbids explicitly setting the index in the request body regardless of
the bulk url used.

Would it be possible to allow setting explicit indexes when the URL
accessed is the /_bulk root, with no index specified in the URL?

This way if a user is allowed to access /_bulk, he can work as if
allow_explicit_index is false, while if a user is only allowed to access
specific {index}/_bulk urls, he is effectively contained.

With the current rules, the only way to allow bulk access with explicit
index to one user is to set allow_explicit_index to true and thus allow
full access to everybody with bulk access.

Maybe this feature is not that high-priority, I see that access control in
general does not seem to be the focus of elasticsearch. But if this is an
easy change, would this work?

Thanks,
Ivan

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/58bee79e-2e30-4dc2-809b-d2b6ba275336%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Mark Walkom) #2

That'd be worth entering in here -
https://github.com/elasticsearch/elasticsearch/issues :slight_smile:

Regards,
Mark Walkom

Infrastructure Engineer
Campaign Monitor
email: markw@campaignmonitor.com
web: www.campaignmonitor.com

On 13 August 2014 22:37, Иван Кадочников fizmat.r66@gmail.com wrote:

Hello,

When url-based access control is used for bulk requests

rest.action.multi.allow_explicit_index: false

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/url-access-control.html
It forbids explicitly setting the index in the request body regardless of
the bulk url used.

Would it be possible to allow setting explicit indexes when the URL
accessed is the /_bulk root, with no index specified in the URL?

This way if a user is allowed to access /_bulk, he can work as if
allow_explicit_index is false, while if a user is only allowed to access
specific {index}/_bulk urls, he is effectively contained.

With the current rules, the only way to allow bulk access with explicit
index to one user is to set allow_explicit_index to true and thus allow
full access to everybody with bulk access.

Maybe this feature is not that high-priority, I see that access control in
general does not seem to be the focus of elasticsearch. But if this is an
easy change, would this work?

Thanks,
Ivan

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/58bee79e-2e30-4dc2-809b-d2b6ba275336%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/58bee79e-2e30-4dc2-809b-d2b6ba275336%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAEM624b7pArFMuT1jn%3DF_WAc1weVNpaVYJ3CCk1r5baGZnMrWw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


(Иван Кадочников) #3

Ok, done.
I was not sure if I should go right to github or ask here first =)

On 08/13/2014 04:46 PM, Mark Walkom wrote:

That'd be worth entering in here -
https://github.com/elasticsearch/elasticsearch/issues :slight_smile:

Regards,
Mark Walkom

Infrastructure Engineer
Campaign Monitor
email: markw@campaignmonitor.com mailto:markw@campaignmonitor.com
web: www.campaignmonitor.com http://www.campaignmonitor.com

On 13 August 2014 22:37, Иван Кадочников <fizmat.r66@gmail.com
mailto:fizmat.r66@gmail.com> wrote:

Hello,

When url-based access control is used for bulk requests

rest.action.multi.allow_explicit_index: false

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/url-access-control.html
It forbids explicitly setting the index in the request body
regardless of the bulk url used.

Would it be possible to allow setting explicit indexes when the
URL accessed is the /_bulk root, with no index specified in the URL?

This way if a user is allowed to access /_bulk, he can work as if
allow_explicit_index is false, while if a user is only allowed to
access specific {index}/_bulk urls, he is effectively contained.

With the current rules, the only way to allow bulk access with
explicit index to one user is to set allow_explicit_index to true
and thus allow full access to everybody with bulk access.

Maybe this feature is not that high-priority, I see that access
control in general does not seem to be the focus of elasticsearch.
But if this is an easy change, would this work?

Thanks,
Ivan
-- 
You received this message because you are subscribed to the Google
Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to elasticsearch+unsubscribe@googlegroups.com
<mailto:elasticsearch+unsubscribe@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/58bee79e-2e30-4dc2-809b-d2b6ba275336%40googlegroups.com
<https://groups.google.com/d/msgid/elasticsearch/58bee79e-2e30-4dc2-809b-d2b6ba275336%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the
Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/elasticsearch/aNj84bHWfDE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
elasticsearch+unsubscribe@googlegroups.com
mailto:elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/CAEM624b7pArFMuT1jn%3DF_WAc1weVNpaVYJ3CCk1r5baGZnMrWw%40mail.gmail.com
https://groups.google.com/d/msgid/elasticsearch/CAEM624b7pArFMuT1jn%3DF_WAc1weVNpaVYJ3CCk1r5baGZnMrWw%40mail.gmail.com?utm_medium=email&utm_source=footer.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/53EB5F1A.3000803%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


(system) #4