search

elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch
Other
69.71k stars 24.67k forks source link

GET SLM status requires write privileges #94395

Closed crabhi closed 4 months ago

crabhi commented 1 year ago

Elasticsearch Version

8.6.1

Installed Plugins

No response

Java Version

bundled

OS Version

Linux 5.10.0-19-cloud-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64 GNU/Linux

Problem Description

Calling GET _slm/status returns 403 even if the role has read_slm privilege, although the docs say that read_slm should be enough.

Steps to Reproduce

Having a role that contains read_slm cluster privilege,

$ curl -s http://127.0.0.1:9777/_security/role/REDACTED
{
  "REDACTED": {
    "cluster": [
      "monitor",
      "monitor_snapshot",
      "read_slm"
    ],
    "indices": [
      {
        "names": [
          "*"
        ],
        "privileges": [
          "read",
          "monitor"
        ],
        "allow_restricted_indices": false
      }
    ],
    "applications": [],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

making a request to _slm/status fails with a message requesting manage_slm or higher.

$ curl -s http://REDACTED@127.0.0.1:9777/_slm/status
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [cluster:admin/slm/status] is unauthorized for user [REDACTED] with effective roles [REDACTED], this action is granted by the cluster privileges [manage_slm,manage,all]"
      }
    ],
    "type": "security_exception",
    "reason": "action [cluster:admin/slm/status] is unauthorized for user [REDACTED] with effective roles [REDACTED], this action is granted by the cluster privileges [manage_slm,manage,all]"
  },
  "status": 403
}

Logs (if relevant)

No response

thecoop commented 1 year ago

The docs says that read_slm or manage_slm are needed, the error message only gives manage_slm. So either the docs or the code is incorrect

elasticsearchmachine commented 1 year ago

Pinging @elastic/es-security (Team:Security)

ywangd commented 1 year ago

I can confirm this is a genuine (code) bug. SLM status used to be part of ILM status response. Therefore the existing read_slm privilege grants permission for ILM status. But SLM status API has been splitted out to be its own API for several years now. The read_slm privilege is outdated.

ebuildy commented 1 year ago

A workaround, use following cluster privileges:

cluster: ["monitor", "read_slm", "cluster:admin/snapshot/status", "cluster:admin/repository/get", "cluster:admin/slm/stats", "cluster:admin/slm/status"]
elasticsearchmachine commented 5 months ago

Pinging @elastic/es-data-management (Team:Data Management)

parkertimmins commented 5 months ago

I can confirm this is a genuine (code) bug. SLM status used to be part of ILM status response. Therefore the existing read_slm privilege grants permission for ILM status. But SLM status API has been splitted out to be its own API for several years now. The read_slm privilege is outdated.

So it seems clear we should add get SLM status access to read_slm. Should we also remove the ILM status access? Ideally we would, but this would be a breaking change (I think).

parkertimmins commented 5 months ago

Splitting this into two PRs. https://github.com/elastic/elasticsearch/pull/108333 does the primary ask of this ticket as it adds access to /_slm/status to read_slm. The second PR (not yet created), will remove access to GET /_ilm/status from read_slm. Putting these in separate PRs as removing access to /_ilm/status is a breaking change and needs to go through the breaking change process.

parkertimmins commented 4 months ago

Closing this issue as it fixed by https://github.com/elastic/elasticsearch/pull/108333 . The additional work on removing ILM access from SLM privileges is tracked in https://github.com/elastic/elasticsearch/pull/108485 .