elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

UI only allows creating Cross Cluster API keys with access.search.names #183682

Closed jakelandis closed 1 week ago

jakelandis commented 2 weeks ago

Cross Cluster API keys allow the following options for search :

POST _security/cross_cluster/api_key
{
  "name": "ccx-apikey",
  "expiration": "300d",
  "access": {
    "search": [
      {
        "names": ["logs*"],
        "query": {"bool": {"must_not": {"term": {"field2": "value2"}}}},
        "field_security": {"grant": ["field2"]},
        "allow_restricted_indices": true
      }
    ]
  }
}

Describe the bug:

The UI prevents creating the API when anything but "names" is present under search.

Steps to reproduce: Navigate to Stack Management -> API keys -> Create API key -> choose Cross Cluster API key -> fill out a name -> add any one (or more) of the following : query, field_security, allow_restricted_indices -> Create API key

Screenshots (if relevant):

[screenshot omitted]

Any additional context:

8.14+ will prevent users from creating a single API key that has access.search.query AND a replication. See https://github.com/elastic/elasticsearch/pull/108600. I don't think there are any changes needed from Kibana since ES will prevent that scenario, just FYI.

elasticmachine commented 2 weeks ago

Pinging @elastic/kibana-security (Team:Security)

jeramysoucy commented 2 weeks ago

@jakelandis Does your example contain the full list of possible fields?

        "names": ["logs*"],
        "query": {"bool": { "must_not": { "term" : {"field2" : "value2"}}}},
        "field_security": {"grant": [ "field2" ]},
        "allow_restricted_indices" : true

Should replication allow the same options?

FYI I noticed that I was able to enter a random string into the query field without any rejection, e.g. "query": {"something": { "must_not": { "term" : {"field2" : "value2"}}}},"

The query seems to always get captured as a string: "query": """{"bool":{"must_not":{"term":{"field2":"value2"}}}}""",

jakelandis commented 2 weeks ago

Does your example contain the full list of possible fields?

yup.

Should replication allow the same options?

only "names" are allowed for replication.

FYI I noticed that I was able to enter random string into the query field without any rejection, e.g.

yeah, "query" is a weird one. we support either an object or a string as the value. Typically, I use cURL and define it like "query": "{\"term\":{\"foo\":{\"value\":\"bar\"}}}" and get a bit confused by dev tools """ behavior. Also, we don't validate the syntax of the query.
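The thread above pins down the shape of the `access` object: search entries may carry `names`, `query`, `field_security` and `allow_restricted_indices`; replication entries may carry only `names`; and `query` may be either a JSON object or a string, which Elasticsearch does not syntax-check. The following TypeScript is an added example, not Kibana's or Elasticsearch's own code, showing a client-side validator that enforces exactly those rules before a request is sent. It assumes the field names as written in the issue; the `except` key under `field_security` is Elasticsearch's documented counterpart to `grant` and is included for completeness, and the hypothetical `validateAccess` function returns a list of error strings (empty means the payload is acceptable).

```typescript
// Added example (not Kibana or Elasticsearch code): validates the `access`
// object of a cross-cluster API key request against the rules stated in the
// issue thread. Returns an array of human-readable errors; [] means valid.

// Keys permitted per section, as listed in the thread.
const SEARCH_KEYS = new Set(['names', 'query', 'field_security', 'allow_restricted_indices']);
const REPLICATION_KEYS = new Set(['names']); // replication: only "names"

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((s) => typeof s === 'string' && s.length > 0);
}

function checkEntries(entries: unknown, section: string, allowed: Set<string>, errors: string[]): void {
  if (entries === undefined) return;
  if (!Array.isArray(entries) || entries.length === 0) {
    errors.push(`access.${section} must be a non-empty array`);
    return;
  }
  entries.forEach((entry: unknown, i: number) => {
    const path = `access.${section}[${i}]`;
    if (!isPlainObject(entry)) {
      errors.push(`${path} must be an object`);
      return;
    }
    // Reject keys the section does not accept (e.g. query under replication).
    for (const key of Object.keys(entry)) {
      if (!allowed.has(key)) errors.push(`${path}.${key}: not allowed under ${section}`);
    }
    if (!isStringArray(entry.names) || entry.names.length === 0) {
      errors.push(`${path}.names must be a non-empty array of strings`);
    }
    // "query" is accepted as an object or as a string; a string must at least
    // be parseable JSON, since Elasticsearch itself does not validate syntax.
    if ('query' in entry) {
      const q = entry.query;
      if (typeof q === 'string') {
        try {
          if (!isPlainObject(JSON.parse(q))) errors.push(`${path}.query string must encode a JSON object`);
        } catch {
          errors.push(`${path}.query string is not valid JSON`);
        }
      } else if (!isPlainObject(q)) {
        errors.push(`${path}.query must be an object or a JSON string`);
      }
    }
    if ('field_security' in entry) {
      const fs = entry.field_security;
      if (!isPlainObject(fs)) {
        errors.push(`${path}.field_security must be an object`);
      } else {
        for (const key of Object.keys(fs)) {
          if (key !== 'grant' && key !== 'except') errors.push(`${path}.field_security.${key}: unknown key`);
          else if (!isStringArray(fs[key])) errors.push(`${path}.field_security.${key} must be an array of strings`);
        }
      }
    }
    if ('allow_restricted_indices' in entry && typeof entry.allow_restricted_indices !== 'boolean') {
      errors.push(`${path}.allow_restricted_indices must be a boolean`);
    }
  });
}

function validateAccess(access: unknown): string[] {
  const errors: string[] = [];
  if (!isPlainObject(access)) return ['access must be an object'];
  for (const key of Object.keys(access)) {
    if (key !== 'search' && key !== 'replication') errors.push(`access.${key}: unknown key`);
  }
  if (access.search === undefined && access.replication === undefined) {
    errors.push('access must define search and/or replication');
  }
  checkEntries(access.search, 'search', SEARCH_KEYS, errors);
  checkEntries(access.replication, 'replication', REPLICATION_KEYS, errors);
  return errors;
}

// Constructed sample: the payload from the issue, plus a replication entry.
const sampleAccess = {
  search: [
    {
      names: ['logs*'],
      query: { bool: { must_not: { term: { field2: 'value2' } } } },
      field_security: { grant: ['field2'] },
      allow_restricted_indices: true,
    },
  ],
  replication: [{ names: ['logs*'] }],
};

console.log(validateAccess(sampleAccess)); // [] for the sample above
```

Running the validator over the issue's own payload yields no errors, while a `query` placed under `replication`, or a `query` string that is not JSON, is reported with the offending path, which is the check the UI was missing in the reported scenario.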