[DLS][Network Drive] Document is visible if Group has GRANT access but user has an explicit DENY - Githubissues

elastic / connectors

Official Elastic connectors for third-party data sources

https://www.elastic.co/guide/en/elasticsearch/reference/master/es-connectors.html

Other

16 stars 132 forks source link

[DLS][Network Drive] Document is visible if Group has GRANT access but user has an explicit DENY #1963

Open praveen-kukreja opened 11 months ago

praveen-kukreja commented 11 months ago

Bug Description

Steps to Reproduce:

A group A has been provided read/write access to a file in Windows Network Drive but a given user user1 of that group A has an explicit DENY permissions for a document.

Expected Behaviour:

In that case the document is not accessible to user1 in the source (network drive) since in Windows explicit deny ACEs are evaluated before any explicit allowed ACEs. Reference: https://learn.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces

Actual Results:

The document is visible in the search applications to the user.

Environment

Windows Network Drive

praveen-kukreja commented 11 months ago

I've found a possible resolution for the fix, implementation is in-progress

rodmacedo1 commented 11 months ago

Hi @praveen-elastic this is the same for https://github.com/elastic/connectors/issues/1966?

praveen-kukreja commented 10 months ago

Hi @rodmacedo1, yes I'll raise a common PR for both the issues.

seanstory commented 3 weeks ago

Based on https://github.com/elastic/connectors/issues/2875#issuecomment-2413548818, it seems that this issue is not fixed after all. Reopening.