search

elastic / elasticsearch

Free and Open, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch
Other
68.73k stars 24.41k forks source link

Make the query roles API use the indexed role name for queries #110564

Open albertzaharovits opened 2 weeks ago

albertzaharovits commented 2 weeks ago

Currently, the query roles API (_security/_query/role) uses a query-time runtime field when the queries refer to the role name. https://github.com/elastic/elasticsearch/blob/27b177938f9e78fa341a523bc8ff333e04939222/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportQueryRoleAction.java#L87-L89

That's because the role name is not indexed, it becomes part of the doc's _id, which doesn't store field data that's necessary for querying. We should be indexing the role name to make it searchable without recurring to runtime fields.

I discussed it with @jfreden and we could either add a new migration or extend the existing role migration: https://github.com/elastic/elasticsearch/blob/27b177938f9e78fa341a523bc8ff333e04939222/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityMigrations.java#L71

elasticsearchmachine commented 2 weeks ago

Pinging @elastic/es-security (Team:Security)