Shield Authorization Exception: Percolation and Indexed shapes

We're having an issue with persisting percolate documents with Shield enabled. The issue stems from referencing indexed shapes which are documents from another index.

A similar issue was reported a while ago, http://elasticsearch-users.115913.n3.nabble.com/SHIELD-terms-lookup-filter-AuthorizationException-BUG-td4073867.html

We cannot reproduce the other issue but it has a very similar error message while using indexed documents.

We have a way to reproduce it consistently using the following:

# [re]create indexes
curl -XDELETE "$USER:$PASSWORD@localhost:9200/customer"
curl -XDELETE "$USER:$PASSWORD@localhost:9200/shapes"

curl -XPUT "$USER:$PASSWORD@localhost:9200/customer"
curl -XPUT "$USER:$PASSWORD@localhost:9200/shapes"

# create a shape document
curl -XPUT "$USER:$PASSWORD@localhost:9200/shapes/city/1" -d '
{
  "name" : "City1",
  "geo_json": {
    "type": "MultiPolygon",
    "coordinates" : [
      [
        [
          [
            -122.76238,
            38.369484
          ],
          [
            -122.761759,
            38.368645
          ],
          [
            -122.76238,
            38.369484
          ]
        ]
      ]
    ]
  }
}'

curl -XPUT "$USER:$PASSWORD@localhost:9200/customer/.percolator/1" -d '
{
  "query": {
    "geo_shape": {
      "geo_location": {
        "indexed_shape": {
          "type": "city",
          "index": "shapes",
          "id": "1",
          "path": "geo_json"
        }
      }
    }
  }
}'

And the reported error:

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "action [indices:data/read/get] is unauthorized for user [__es_system_user]"
            }
        ],
        "type": "percolator_exception",
        "reason": "failed to parse query [1]",
        "index": "customer",
        "caused_by": {
            "type": "security_exception",
            "reason": "action [indices:data/read/get] is unauthorized for user [__es_system_user]"
        }
    },
    "status": 500
}

Versions:
Elasticsearch 2.2.0
Shield 2.2.0

The user we're using to do all the API requests is an admin and has access to all indices and all actions.

Any help would be appreciated.


I have confirmed this bug and opened an issue to look into how we can fix it. The issue lies in the access to the indexed shape.

A possible workaround is to use the shape directly inside of your percolator query.
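
The workaround described above, as an added example that is not part of the original reply or of Elasticsearch/Shield: a client-side rewrite that replaces each `indexed_shape` reference with the inline `shape` before the percolator document is stored, so the shape lookup is made by the client with its own credentials instead of at percolator parse time. `fetch_source` is a hypothetical hook (in practice a GET on the shapes index as the calling user); here it reads from a constructed in-memory copy of the reproduction data.

```python
import copy

def resolve_path(source, path):
    """Follow a dotted path such as "geo_json" inside a document's _source."""
    node = source
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError("path %r not found in shape document" % path)
        node = node[key]
    return node

def inline_indexed_shapes(query, fetch_source):
    """Return a rewritten query with geo_shape indexed_shape refs inlined as shapes.
    fetch_source(index, doc_type, doc_id) -> _source dict (hypothetical hook)."""
    def rewrite(spec):
        if not isinstance(spec, dict) or "indexed_shape" not in spec:
            return spec  # already inline, or an option such as boost
        ref = spec["indexed_shape"]
        source = fetch_source(ref["index"], ref["type"], ref["id"])
        new_spec = {k: v for k, v in spec.items() if k != "indexed_shape"}
        new_spec["shape"] = copy.deepcopy(resolve_path(source, ref.get("path", "shape")))
        return new_spec

    def walk(node):
        if isinstance(node, list):
            return [walk(n) for n in node]
        if not isinstance(node, dict):
            return node
        out = {}
        for key, value in node.items():
            if key == "geo_shape" and isinstance(value, dict):
                out[key] = {field: rewrite(spec) for field, spec in value.items()}
            else:
                out[key] = walk(value)
        return out

    return walk(query)

# Constructed stand-in for the shapes index from the reproduction above.
SHAPES = {("shapes", "city", "1"): {"name": "City1", "geo_json": {
    "type": "MultiPolygon",
    "coordinates": [[[[-122.76238, 38.369484], [-122.761759, 38.368645],
                      [-122.76238, 38.369484]]]]}}}

PERCOLATOR_DOC = {"query": {"geo_shape": {"geo_location": {"indexed_shape": {
    "type": "city", "index": "shapes", "id": "1", "path": "geo_json"}}}}}

def fetch_from_sample(index, doc_type, doc_id):
    return SHAPES[(index, doc_type, doc_id)]
```

The rewritten document no longer tracks later changes to the shape document, so it has to be regenerated whenever the referenced shape is updated.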