When using an ILM to shrink an index, the shrunken index gets a new name on the format shrink-<random-uuid>-<original-index-name>, e.g. shrink-j6-m-my-index (for index my-index).
In order to preserve access to both the shrunken index name and the original name I have to state both my-index and shrink-*-my-index in all roles that grant access to my-index. I believe that this opens up a security problem:
Consider two indices documents and secret-documents.
To grant access to the documents index after shrink I need to add shrink-*-documents as the index pattern in the role, but this pattern will then also unintentionally grant access to any shrunken secret-documents index (shrink-<random-uuid>-secret-documents).
Question:
Is there a recommended way to express index access privileges that supports the shrink ILM action (that does not unintentionally give access to secret data)?
I don't think you need to change your roles to grant access to shrunken index, the ILM process will create an alias pointing to the original index name in the shrink index.
For example, if you have an index named my-documents and have the shrink option in your ILM, after the phase with the shrink option is completed, you will have the shrink-my-documents index and this index will have an alias to my-documents, you will be able to query data in the shrink-my-documents index just querying on my-documents.
Another example, if you have an index named documents-2022.03.02, after the shrink process, you will have shrink-documents-2022.03.02 and this index will have an alias to documents-2022.03.02.
I do not use shrink anymore on my ILM policies, but when I used it was transparent, no changes were needed in the roles as every index had an alias to the original name.
If the access is granted to my-index it doesn't matter if this is the index name or the alias, every request to my-index will work, every user that has permission to read the index my-index will be able to read shrink-my-index as this new shrunked index will have the alias my-index.
After some more testing it was actually the _refresh api call that does not work through the alias name. Even in a role that has "all" index privilege, the _refresh call is not allowed.
But this has nothing to do with the ILM or shrink action.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.