Pipelines processor and xpack permissions order of evaluation

Hi all,

I have a pipeline on my cluster to process items from metricbeats.
The pipeline is responsible for modifying the index based on the original doc.

PUT _ingest/pipeline/metricbeat
{
  "description": "Pipeline to ingest metrics from Metricbeat",
  "processors": [
    {
      "set": {
        "field": "hostname",
        "value": "anyhost"
      }
    },
    {
      "script": {
        "source": "if (ctx.metricset.module == 'kubernetes') { ctx._index = 'metricbeats-linux-kubernetes' ;} "
      }
    }
  ]
}

The user has the permission to save on that index:

GET _xpack/security/user/_has_privileges
{
  "cluster": ["manage_index_templates", "monitor"],
  "index" : [
    {
      "names": [ "metricbeats*" ],
      "privileges": ["create","create_index"]
    }
  ]
}

{
  "username" : "metricbeats_user",
  "has_all_requested" : true,
  "cluster" : {
    "manage_index_templates" : true,
    "monitor" : true
  },
  "index" : {
    "metricbeats*" : {
      "create_index" : true,
      "create" : true
    }
  },
  "application" : { }
}

When I try to post it to a random index, I receive a 403 error.

POST any_index_name/doc?pipeline=metricbeat
{
  "@timestamp": "2019-02-13T06:43:50.913Z",
  "@metadata": {
    "beat": "metricbeat",
    "type": "doc",
    "version": "7.0.0-alpha1"
  },
  "os_type": "linux",
  "version": "v1",
  "metricset": {
    "name": "container",
    "module": "kubernetes"
  }
}

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:admin/create] is unauthorized for user [metricbeats_user]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:admin/create] is unauthorized for user [metricbeats_user]"
  },
  "status": 403
}

If I post the same thing using the endpoint metricbeats/doc?pipeline=metricbeat, it works fine.
However, since the pipeline changes the index, I was expecting to be able to post it to any index.

Is it the expected behavior? Is it configurable?

Thank you

Leandro

Hi @leandro,

It seems like the user does not have index permissions on any_index_name.
You can check by invoking the /_xpack/security/_authenticate API to see what roles and indices are allowed for the logged-in user.
Or you could check using _has_privileges API whether the user has appropriate privileges:

Hope this helps.

Regards,
Yogesh Gaikwad

Hi @Yogesh_Gaikwad

You are right about that. The user doesn't have the permission to that index, but the pipeline changes the index of the docs. So, no matter which index you use to send the request, the pipeline will change it to metricbeats-linux-kubernetes, so I thought that I could use any index, but apparently not. I'm not sure if that is configurable or not, but to me it would make more sense to check the permissions after the pipeline processor and not before.

Hi @leandro,

When you invoke POST any_index_name/doc?pipeline=metricbeat you are trying an action on an index (any_index_name), so ES will always check if you have the right set of permissions to invoke the action on the given index.
Hope this helps.

Regards,
Yogesh
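
The order of evaluation discussed in this thread, as an added example that is not part of the original posts and is not Elasticsearch's own code: a simplified Python model in which authorization is checked against the index named in the request before the pipeline rewrites `_index`. The privilege-to-action mapping, the function names, and the assumption that a write to a missing index first needs `indices:admin/create` are simplifications made for illustration.

```python
from fnmatch import fnmatchcase

# Simplified assumption: the transport actions each index privilege grants.
PRIVILEGE_ACTIONS = {
    "create_index": {"indices:admin/create"},
    "create": {"indices:data/write/index"},
}

# Index privileges of metricbeats_user, as shown by _has_privileges in the thread.
ROLE = [{"names": ["metricbeats*"], "privileges": ["create", "create_index"]}]


class SecurityException(Exception):
    """Stands in for the 403 security_exception response."""


def authorize(role, index, action, user="metricbeats_user"):
    """Raise unless a role entry grants `action` on the index named in the request."""
    for entry in role:
        if any(fnmatchcase(index, pattern) for pattern in entry["names"]):
            if any(action in PRIVILEGE_ACTIONS[p] for p in entry["privileges"]):
                return
    raise SecurityException(f"action [{action}] is unauthorized for user [{user}]")


def metricbeat_pipeline(ctx):
    """Python rendering of the two processors in the thread's pipeline."""
    ctx["hostname"] = "anyhost"
    if ctx.get("metricset", {}).get("module") == "kubernetes":
        ctx["_index"] = "metricbeats-linux-kubernetes"
    return ctx


def index_doc(request_index, doc, existing_indices, role=ROLE):
    """Authorize on the request's index first; only then run the pipeline."""
    if request_index not in existing_indices:
        # Assumption: a missing index is auto-created, needing indices:admin/create.
        authorize(role, request_index, "indices:admin/create")
    authorize(role, request_index, "indices:data/write/index")
    ctx = metricbeat_pipeline({**doc, "_index": request_index})
    return ctx["_index"]  # index the document is finally routed to
```

With the thread's document, a request to `metricbeats` passes the check and is routed to `metricbeats-linux-kubernetes`, while a request to `any_index_name` is rejected before the pipeline ever sees the document.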
