🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
What is the bug?
The type property for action groups has never been validated. As a result, it is possible to create/update an action group without it, and this group is never involved in permission checks. Besides, it is possible to set any string for the type.
What is the expected behavior?
REST API should validate action group type and accept two possible values: cluster and index.
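An added example, not part of the original issue and not the project's own code: a check that flags action groups whose type is missing or is not one of the two values the issue names. It assumes the groups are available as a JSON object mapping each group name to its definition; the sample data, group names and function names are constructed for illustration.

```python
import json

# The two values the issue says the REST API should accept for "type".
VALID_TYPES = {"cluster", "index"}

# Constructed sample: group name -> definition. Names and actions are made up.
SAMPLE = json.loads("""
{
  "read_logs":   {"type": "index",   "allowed_actions": ["indices:data/read/search"]},
  "ops_monitor": {"type": "cluster", "allowed_actions": ["cluster:monitor/health"]},
  "no_type":     {"allowed_actions": ["indices:data/read/get"]},
  "null_type":   {"type": null, "allowed_actions": ["indices:data/read/get"]},
  "typo_type":   {"type": "indices", "allowed_actions": ["indices:data/write/index"]},
  "not_string":  {"type": 1, "allowed_actions": []}
}
""")


def check_type(definition):
    """Return None if the type is acceptable, else a short reason string."""
    if not isinstance(definition, dict):
        return "definition is not an object"
    if "type" not in definition or definition["type"] is None:
        return "type is missing"
    value = definition["type"]
    if not isinstance(value, str):
        return "type is not a string: %r" % (value,)
    if value not in VALID_TYPES:
        return "type is not one of %s: %r" % (sorted(VALID_TYPES), value)
    return None


def audit_action_groups(groups):
    """Map each offending group name to the reason its type is rejected."""
    findings = {}
    for name, definition in groups.items():
        reason = check_type(definition)
        if reason is not None:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for name, reason in sorted(audit_action_groups(SAMPLE).items()):
        print("%s: %s" % (name, reason))
```

Groups reported by this check are the ones the issue describes as never taking part in permission checks, so they are worth reviewing before relying on any role that references them.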