
GetDataStreamAction with verbose: true fails with an error that it tries to access .security when executed as superuser #117993

@gmarouli

Description


Elasticsearch Version

8.16.0+

Problem Description

With #112973 we introduced the option to request a more verbose version of GET _data_stream. However, in certain cases it throws an authorisation error.

The problem appears when:

  • A superuser performs the GET _data_stream request
  • The request queries all indices, including hidden ones (expand_wildcards=all)
  • The cluster has system indices, for example .security-7

The problem appears to be that, because the superuser's access is so wide, the resource resolution is equally wide and also includes the .security-7 index, to which the internal _xpack user does not have access.

A potential fix could be to pass the requested data stream names, getDataStreams(state, indexNameExpressionResolver, request), into the stats request; this does appear to work.

Steps to Reproduce

  1. Run Elasticsearch with security enabled.

  2. Ensure you have the .security-7 index available:

```
GET /_cat/indices/.security*

green open .security-7 BnBnnwitT0qHSde3kevfmA 1 0 1 0 4.9kb 4.9kb 4.9kb
```

  3. If the .security* indices do not exist, add a user to initialise them:

```
POST /_security/user/limited_user
{
  "roles": [],
  "password": "something"
}
```

  4. After you have ensured the .security* indices exist, execute the "troubled" request:

```
GET http://localhost:9200/_data_stream/*?expand_wildcards=all&verbose=true
```

The response is:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:monitor/data_stream/stats] is unauthorized for user [_xpack] with effective roles [_xpack] on restricted indices [.security-7], this action is granted by the index privileges [monitor,manage,all]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:monitor/data_stream/stats] is unauthorized for user [_xpack] with effective roles [_xpack] on restricted indices [.security-7], this action is granted by the index privileges [monitor,manage,all]"
  },
  "status": 403
}
```
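As an added example that is not part of this issue or of Elasticsearch itself, the reproduction steps above as a POSIX shell script that can also serve as a regression check once a fix lands. ES_URL, ES_AUTH (a superuser credential passed to curl -u) and the placeholder password are assumptions; the classifier matches only the response shape shown in the issue (a 403 security_exception denying the _xpack user the data_stream/stats action on a restricted .security index), so a cluster with the fix returns a different result and the script reports "NOT REPRODUCED".

```shell
#!/bin/sh
# Added reproduction/regression check for the issue above (not part of the issue).
# Assumed: ES_URL points at a cluster with security enabled, and ES_AUTH is a
# superuser "user:password" pair for curl -u. Both values are placeholders.
ES_URL="${ES_URL:-http://localhost:9200}"
ES_AUTH="${ES_AUTH:-elastic:changeme}"   # placeholder credentials, replace with your own

# Return 0 when a response body matches the failure reported in this issue:
# a 403 security_exception in which the internal _xpack user is denied
# indices:monitor/data_stream/stats on a restricted .security index.
matches_issue_117993() {
    body="$1"
    printf '%s' "$body" | grep -q '"status": *403' || return 1
    printf '%s' "$body" | grep -q 'indices:monitor/data_stream/stats' || return 1
    printf '%s' "$body" | grep -q 'unauthorized for user \[_xpack\]' || return 1
    printf '%s' "$body" | grep -q 'restricted indices \[\.security' || return 1
    return 0
}

# Steps 2 and 3: make sure a .security index exists; creating a user initialises it.
ensure_security_index() {
    if curl -s -u "$ES_AUTH" "$ES_URL/_cat/indices/.security*" | grep -q '\.security-'; then
        return 0
    fi
    curl -s -u "$ES_AUTH" -X POST "$ES_URL/_security/user/limited_user" \
        -H 'Content-Type: application/json' \
        -d '{"roles": [], "password": "something"}' >/dev/null
}

# Step 4: the request that fails; returns 0 if the bug reproduces, 1 otherwise.
reproduce() {
    resp=$(curl -s -u "$ES_AUTH" "$ES_URL/_data_stream/*?expand_wildcards=all&verbose=true")
    if matches_issue_117993 "$resp"; then
        echo "REPRODUCED: verbose GET _data_stream denied on a .security index"
        return 0
    fi
    echo "NOT REPRODUCED (fixed version, or response differs):"
    printf '%s\n' "$resp"
    return 1
}

# Only talk to a live cluster when invoked as: sh repro.sh run
if [ "${1:-}" = "run" ]; then
    ensure_security_index
    reproduce
fi
```

The classifier is kept separate from the network calls so the match logic can be exercised against a saved response body; the exit status of reproduce makes the script usable in CI as a check that the verbose request succeeds for a superuser on a cluster that has system indices.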
