Security issue for indices shrunken by ILM?

When using an ILM to shrink an index, the shrunken index gets a new name in the format shrink-<random-uuid>-<original-index-name>, e.g. shrink-j6-m-my-index (for index my-index).

In order to preserve access to both the shrunken index name and the original name I have to state both my-index and shrink-*-my-index in all roles that grant access to my-index. I believe that this opens up a security problem:

Consider two indices documents and secret-documents.

To grant access to the documents index after shrink I need to add shrink-*-documents as the index pattern in the role, but this pattern will then also unintentionally grant access to any shrunken secret-documents index (shrink-<random-uuid>-secret-documents).

Question:

Is there a recommended way to express index access privileges that supports the shrink ILM action (that does not unintentionally give access to secret data)?

I don't think you need to change your roles to grant access to the shrunken index; the ILM process will create an alias pointing to the original index name in the shrink index.

For example, if you have an index named my-documents and have the shrink option in your ILM, after the phase with the shrink option is completed, you will have the shrink-my-documents index and this index will have an alias to my-documents; you will be able to query data in the shrink-my-documents index just by querying my-documents.

Another example, if you have an index named documents-2022.03.02, after the shrink process, you will have shrink-documents-2022.03.02 and this index will have an alias to documents-2022.03.02.

I do not use shrink anymore in my ILM policies, but when I used it, it was transparent; no changes were needed in the roles, as every index had an alias to the original name.

Yes, the alias is created automatically, but access is granted on index name (and not alias name).

If the access is granted to my-index, it doesn't matter if this is the index name or the alias; every request to my-index will work. Every user that has permission to read the index my-index will be able to read shrink-my-index, as this new shrunken index will have the alias my-index.

You are correct. We must have made some mistake in our testing of this. The access privileges work with the alias name as you say. Thank you.

After some more testing, it was actually the _refresh API call that does not work through the alias name. Even in a role that has the "all" index privilege, the _refresh call is not allowed.

But this has nothing to do with the ILM or shrink action.

For reference, here is a bug report for that case: Index privileges through alias name not working for _refresh, _flush · Issue #84626 · elastic/elasticsearch · GitHub
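The pattern overlap raised in the question and the alias-based grant described in the replies can be checked offline with a small audit script. This is an added example, not code from the thread or from Elasticsearch; the function names and the sample cluster are constructed, it handles only the `*` and `?` wildcards, and it assumes (as the replies state) that a grant on an alias name covers the index behind it.

```python
import re

def pattern_to_regex(pattern):
    """Translate a role index pattern using only * and ? wildcards into a regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts))

def reachable_indices(role_patterns, cluster):
    """Return concrete indices a role can reach by index name or by alias name.

    cluster maps each concrete index name to the set of aliases pointing at it.
    """
    regexes = [pattern_to_regex(p) for p in role_patterns]
    reached = set()
    for index, aliases in cluster.items():
        names = {index} | set(aliases)
        if any(rx.fullmatch(n) for rx in regexes for n in names):
            reached.add(index)
    return reached

def audit(role_patterns, intended, cluster):
    """Return (over_granted, missing) relative to the intended concrete indices."""
    reached = reachable_indices(role_patterns, cluster)
    return reached - intended, intended - reached

# Constructed sample cluster after an ILM shrink; the random parts are made up.
CLUSTER = {
    "shrink-j6-m-documents": {"documents"},
    "shrink-x9-q-secret-documents": {"secret-documents"},
}
# The role is only meant to reach the shrunken "documents" index.
INTENDED = {"shrink-j6-m-documents"}

if __name__ == "__main__":
    # First role: original name plus the wildcard workaround from the question.
    # Second role: original name only, relying on the alias left by the shrink.
    for patterns in (["documents", "shrink-*-documents"], ["documents"]):
        over, missing = audit(patterns, INTENDED, CLUSTER)
        print(patterns, "over-granted:", sorted(over), "missing:", sorted(missing))
```

Run against a real list of index names and aliases, a non-empty over-granted set identifies role patterns that need tightening.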
