Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate field permissions when creating a role #50212

Merged
merged 5 commits into from
Jan 13, 2020

Conversation

tvernum
Copy link
Contributor

@tvernum tvernum commented Dec 16, 2019

When creating a role, we do not check if the exceptions for
the field permissions are a subset of granted fields. If such
a role is assigned to a user then that user's authentication fails
for this reason.

We added a check to validate role query in #46275 and on the same lines,
this commit adds check if the exceptions for the field
permissions is a subset of granted fields when parsing the
index privileges from the role descriptor.

Replaces: #48108

Yogesh Gaikwad and others added 4 commits October 16, 2019 19:01
When creating a role, we do not check if the exceptions for
the field permissions is a subset of granted fields. If such
role is assigned to a user the user authentication fails.
On the same lines we validate role query, this commit
adds check if the exceptions for the field
permissions is a subset of granted fields when parsing the
index privileges.
@tvernum tvernum added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.6.0 labels Dec 16, 2019
@tvernum tvernum requested a review from jkakavas December 16, 2019 06:16
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Authorization)

Copy link
Member

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tvernum
Copy link
Contributor Author

tvernum commented Jan 13, 2020

@elasticmachine update branch

@tvernum
Copy link
Contributor Author

tvernum commented Jan 13, 2020

Merging despite CLA check failure as these commits were authored by someone who was an Elastic employee at the time.

@tvernum tvernum merged commit 65a7a13 into elastic:master Jan 13, 2020
tvernum added a commit to tvernum/elasticsearch that referenced this pull request Jan 13, 2020
When creating a role, we do not check if the exceptions for
the field permissions are a subset of granted fields. If such
a role is assigned to a user then that user's authentication fails
for this reason.

We added a check to validate role query in elastic#46275 and on the same lines,
this commit adds check if the exceptions for the field
permissions is a subset of granted fields when parsing the
index privileges from the role descriptor.

Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>

Backport of: elastic#50212
tvernum added a commit that referenced this pull request Jan 14, 2020
When creating a role, we do not check if the exceptions for
the field permissions are a subset of granted fields. If such
a role is assigned to a user then that user's authentication fails
for this reason.

We added a check to validate role query in #46275 and on the same lines,
this commit adds check if the exceptions for the field
permissions is a subset of granted fields when parsing the
index privileges from the role descriptor.

Backport of: #50212

Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>
SivagurunathanV pushed a commit to SivagurunathanV/elasticsearch that referenced this pull request Jan 23, 2020
When creating a role, we do not check if the exceptions for
the field permissions are a subset of granted fields. If such
a role is assigned to a user then that user's authentication fails
for this reason.

We added a check to validate role query in elastic#46275 and on the same lines,
this commit adds check if the exceptions for the field
permissions is a subset of granted fields when parsing the
index privileges from the role descriptor.

Co-authored-by: Yogesh Gaikwad <bizybot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants