Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(elasticsearch): Decouple setting access policies from domain constructor #15876

Merged
merged 12 commits into from
Mar 8, 2022

Conversation

TikiTDO
Copy link
Contributor

@TikiTDO TikiTDO commented Aug 3, 2021

Currently when creating an elasticsearch domain the access policies must be set in the constructor. This makes it impossible to create access policies that reference the domain.

Use Cases

See: https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cross-account-streaming/

Proposed Solution

This PR extracts the access policy setting to a helper method which can be used if the accessPolicies and useUnsignedBasicAuth props are not set. The helper will error if access policies are already set to prevent creating duplicate custom resources.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Aug 3, 2021

@TikiTDO TikiTDO force-pushed the feature/es-domain-policy branch 3 times, most recently from 190f01c to 7af3695 Compare August 4, 2021 00:24
@peterwoodworth peterwoodworth added @aws-cdk/aws-elasticsearch Related to Amazon Elasticsearch Service effort/small Small work item – less than a day of effort labels Aug 6, 2021
@TikiTDO
Copy link
Contributor Author

TikiTDO commented Aug 13, 2021

@BenChaimberg Do you need any additional info to approve this PR? I would really like to set up a cross-region firehose config, and I'm blocked by this issue. I'd be happy to provide anything I can to speed this one up.

@BenChaimberg
Copy link
Contributor

Unless I'm confused, this change should not be necessary. If you are setting a resource policy (which this effectively is), then you do not need to specify the full resource ARN; it's assumed to be the ARN of the resource you are attaching the policy to. That means you should be able to use a wildcard for the resource name like so: arn:aws:es:us-west-2:123456789012:domain/*/_all/_settings.

If this is not the case, I will continue to review this PR

@BenChaimberg BenChaimberg added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 19, 2021
@TikiTDO
Copy link
Contributor Author

TikiTDO commented Aug 19, 2021

@BenChaimberg I'm on vacation this week, but I will try it next week to check if that does what I need.

@TikiTDO
Copy link
Contributor Author

TikiTDO commented Aug 24, 2021

@BenChaimberg I took a look, and while your approach will satisfy my immediate use case, it opens up a very nasty potential security issue. Because the domain and path are part of the resource configuration using a wildcard for the domain name may result in you giving more permission than you intended if you are not careful.

Consider the following example:

{    
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111222333444:user/HealthcheckTester"
  },
  "Action": "es:ESHttpGet",
  "Resource": [
    "arn:aws:es:us-west-2:123456789012:domain/*/"
  ]
}

The expectation there would be that I want to let a HealthcheckTester user in some account be able to query to server status page at the root of the ES server to validate that it is up. However, in practice that policy is going to let this user query any data on the server, as long as the request ends with /.

This is true for any URL that can be made to end with a valid post-wildcard segment.

It wouldn't affect my usecase directly, since I don't expect firehose will ever query anything it doesn't need, but it could happen in more advanced cases.

@BenChaimberg
Copy link
Contributor

Understood the potential use-case, will add this to my queue!

@BenChaimberg BenChaimberg added p1 and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Aug 24, 2021
packages/@aws-cdk/aws-elasticsearch/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-elasticsearch/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-elasticsearch/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-elasticsearch/lib/domain.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-elasticsearch/lib/domain.ts Outdated Show resolved Hide resolved
@mergify mergify bot dismissed BenChaimberg’s stale review September 6, 2021 19:02

Pull request has been modified.

@TikiTDO
Copy link
Contributor Author

TikiTDO commented Sep 6, 2021

@BenChaimberg Most of the PR comments should be fixed

@mergify mergify bot dismissed BenChaimberg’s stale review September 9, 2021 15:57

Pull request has been modified.

@TikiTDO
Copy link
Contributor Author

TikiTDO commented Sep 9, 2021

@BenChaimberg Updated as per your previous review

@mergify mergify bot dismissed BenChaimberg’s stale review September 9, 2021 22:16

Pull request has been modified.

Copy link
Contributor

@BenChaimberg BenChaimberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see comment above about missing test

@mergify mergify bot dismissed BenChaimberg’s stale review September 9, 2021 22:29

Pull request has been modified.

@TikiTDO
Copy link
Contributor Author

TikiTDO commented Sep 9, 2021

@BenChaimberg The domain.addAccessPolicies currently takes an array, so that change in the test removing the wrapping array will not work. I could expand it to support both.

@TikiTDO
Copy link
Contributor Author

TikiTDO commented Feb 21, 2022

@kaizen3031593 Sure, I can poke at it today

@TikiTDO TikiTDO closed this Feb 21, 2022
@TikiTDO TikiTDO force-pushed the feature/es-domain-policy branch from c9680cf to 5b92cc3 Compare February 21, 2022 23:33
@TikiTDO TikiTDO reopened this Feb 21, 2022
@TikiTDO
Copy link
Contributor Author

TikiTDO commented Feb 22, 2022

@kaizen3031593 Can you clarify a bit about the direction of opensearch vs elsasticsearch packages? Is the intent to have feature parity between the two? The getting this feature into both is simple enough, I just want to make sure I'm approaching this correctly.

@TikiTDO
Copy link
Contributor Author

TikiTDO commented Feb 24, 2022

@kaizen3031593 This PR should be ready for review

@kaizencc
Copy link
Contributor

kaizencc commented Mar 4, 2022

@TikiTDO as long as both opensearch and elasticsearch are stable, we're going to have to support feature parity between the two. However, the plan is to deprecate elasticsearch soon and once that happens, I think we'll only support p0 bugs in elasticsearch.

@kaizencc kaizencc removed pr/do-not-merge This PR should not be merged at this time. labels Mar 8, 2022
kaizencc
kaizencc previously approved these changes Mar 8, 2022
Copy link
Contributor

@kaizencc kaizencc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @TikiTDO! And sorry it took forever to get this in. I just went in and changed a few more elasticsearches into opensearches.

@mergify mergify bot dismissed kaizencc’s stale review March 8, 2022 21:32

Pull request has been modified.

@TikiTDO
Copy link
Contributor Author

TikiTDO commented Mar 8, 2022

Looks like the tests segfaulted on an unrelated module.

@mergify
Copy link
Contributor

mergify bot commented Mar 8, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit cefdfd3 into aws:master Mar 8, 2022
@mergify
Copy link
Contributor

mergify bot commented Mar 8, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: f58966e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

TheRealAmazonKendra pushed a commit to TheRealAmazonKendra/aws-cdk that referenced this pull request Mar 11, 2022
…structor (aws#15876)

Currently when creating an elasticsearch domain the access policies must be set in the constructor. This makes it impossible to create access policies that reference the domain. 

### Use Cases

See: https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cross-account-streaming/

### Proposed Solution

This PR extracts the access policy setting to a helper method which can be used if the `accessPolicies` and `useUnsignedBasicAuth` props are not set. The helper will error if access policies are already set to prevent creating duplicate custom resources.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-elasticsearch Related to Amazon Elasticsearch Service effort/small Small work item – less than a day of effort p1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants