Skip to content

ES|QL: Fix queries with document level security on lookup indexes #120617

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 25 commits into from
Jan 24, 2025
Merged

ES|QL: Fix queries with document level security on lookup indexes #120617

Show file tree
Hide file tree
Changes from 19 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
8254efb
ES|QL: Fix queries with document level security on lookup indexes
luigidellaquila Jan 22, 2025
0427012
Merge branch 'main' into esql/fix_lookup_dls
luigidellaquila Jan 22, 2025
c40d800
Skip tests with alias lookup indexes
luigidellaquila Jan 22, 2025
edab3ec
Skip tests
luigidellaquila Jan 22, 2025
d0b5512
Update docs/changelog/120617.yaml
luigidellaquila Jan 22, 2025
1cdce58
Skip bwc tests
luigidellaquila Jan 22, 2025
c003b61
Merge remote-tracking branch 'luigidellaquila/esql/fix_lookup_dls' in…
luigidellaquila Jan 22, 2025
129133b
Merge branch 'main' into esql/fix_lookup_dls
luigidellaquila Jan 22, 2025
b3408fc
Mute tests (again)
luigidellaquila Jan 22, 2025
5d377a8
Use PostAnalysisVerificationAware
luigidellaquila Jan 22, 2025
f16494a
Implement review suggestions
luigidellaquila Jan 23, 2025
151e4ed
Merge branch 'main' into esql/fix_lookup_dls
luigidellaquila Jan 23, 2025
a0bf736
Validation cleanup and test on datastreams
luigidellaquila Jan 23, 2025
23743b9
Merge remote-tracking branch 'luigidellaquila/esql/fix_lookup_dls' in…
luigidellaquila Jan 23, 2025
8040428
Fix yaml tests
luigidellaquila Jan 23, 2025
6d5b21e
Merge branch 'main' into esql/fix_lookup_dls
luigidellaquila Jan 23, 2025
17b40f8
Simplify datastream tests
luigidellaquila Jan 23, 2025
ffa5fb9
More tests
luigidellaquila Jan 23, 2025
85b33ff
Merge branch 'main' into esql/fix_lookup_dls
luigidellaquila Jan 23, 2025
72ed0b5
More tests and comments
luigidellaquila Jan 23, 2025
d070ed7
Merge branch 'main' into esql/fix_lookup_dls
luigidellaquila Jan 23, 2025
35cbc91
Merge remote-tracking branch 'luigidellaquila/esql/fix_lookup_dls' in…
luigidellaquila Jan 23, 2025
72328a1
Validation message
luigidellaquila Jan 24, 2025
0b30657
Refactoring of enrich security and more tests
luigidellaquila Jan 24, 2025
43a2d07
Merge branch 'main' into esql/fix_lookup_dls
luigidellaquila Jan 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions docs/changelog/120617.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
pr: 120617
summary: Fix queries with document level security on lookup indexes
area: ES|QL
type: bug
issues: [120509]
6 changes: 6 additions & 0 deletions x-pack/plugin/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,5 +96,11 @@ tasks.named("yamlRestCompatTestTransform").configure({ task ->
task.skipTest("esql/180_match_operator/match with non text field", "Match operator can now be used on non-text fields")
task.skipTest("esql/180_match_operator/match with functions", "Error message changed")
task.skipTest("esql/40_unsupported_types/semantic_text declared in mapping", "The semantic text field format changed")
task.skipTest("esql/190_lookup_join/Alias as lookup index", "LOOKUP JOIN does not support index aliases for now")
task.skipTest("esql/190_lookup_join/alias-repeated-alias", "LOOKUP JOIN does not support index aliases for now")
task.skipTest("esql/190_lookup_join/alias-repeated-index", "LOOKUP JOIN does not support index aliases for now")
task.skipTest("esql/190_lookup_join/alias-pattern-multiple", "LOOKUP JOIN does not support index aliases for now")
task.skipTest("esql/190_lookup_join/alias-pattern-single", "LOOKUP JOIN does not support index aliases for now")

})

116 changes: 109 additions & 7 deletions ...n/esql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/esql/EsqlSecurityIT.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,9 @@ public class EsqlSecurityIT extends ESRestTestCase {
.user("user4", "x-pack-test-password", "user4", false)
.user("user5", "x-pack-test-password", "user5", false)
.user("fls_user", "x-pack-test-password", "fls_user", false)
.user("fls_user2", "x-pack-test-password", "fls_user2", false)
.user("fls_user3", "x-pack-test-password", "fls_user3", false)
.user("dls_user", "x-pack-test-password", "dls_user", false)
.user("metadata1_read2", "x-pack-test-password", "metadata1_read2", false)
.user("alias_user1", "x-pack-test-password", "alias_user1", false)
.user("alias_user2", "x-pack-test-password", "alias_user2", false)
Expand Down Expand Up @@ -92,7 +95,7 @@ private void indexDocument(String index, int id, double value, String org) throw
public void indexDocuments() throws IOException {
Settings lookupSettings = Settings.builder().put("index.mode", "lookup").build();
String mapping = """
"properties":{"value": {"type": "double"}, "org": {"type": "keyword"}}
"properties":{"value": {"type": "double"}, "org": {"type": "keyword"}, "other": {"type": "keyword"}}
""";

createIndex("index", Settings.EMPTY, mapping);
Expand Down Expand Up @@ -163,6 +166,21 @@ public void indexDocuments() throws IOException {
""");
assertOK(client().performRequest(aliasRequest));
}

createMultiRoleUsers();
}

private void createMultiRoleUsers() throws IOException {
Request request = new Request("POST", "_security/user/dls_user2");
request.setJsonEntity("""
{
"password" : "x-pack-test-password",
"roles" : [ "dls_user", "dls_user2" ],
"full_name" : "Test Role",
"email" : "[email protected]"
}
""");
assertOK(client().performRequest(request));
}

protected MapMatcher responseMatcher() {
Expand Down Expand Up @@ -563,25 +581,109 @@ public void testLookupJoinIndexAllowed() throws Exception {
);
assertThat(respMap.get("values"), equalTo(List.of(List.of(40.0, "sales"))));

// Alias, should find the index and the row
resp = runESQLCommand("alias_user1", "ROW x = 31.0 | EVAL value = x | LOOKUP JOIN `lookup-first-alias` ON value | KEEP x, org");
// Aliases are not allowed in LOOKUP JOIN
var resp2 = expectThrows(
ResponseException.class,
() -> runESQLCommand("alias_user1", "ROW x = 31.0 | EVAL value = x | LOOKUP JOIN `lookup-first-alias` ON value | KEEP x, org")
);

assertThat(resp2.getMessage(), containsString("Aliases and index patterns are not allowed for LOOKUP JOIN [lookup-first-alias]"));
assertThat(resp2.getResponse().getStatusLine().getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST));

// Aliases are not allowed in LOOKUP JOIN, regardless of alias filters
resp2 = expectThrows(
ResponseException.class,
() -> runESQLCommand("alias_user1", "ROW x = 123.0 | EVAL value = x | LOOKUP JOIN `lookup-first-alias` ON value | KEEP x, org")
);
assertThat(resp2.getMessage(), containsString("Aliases and index patterns are not allowed for LOOKUP JOIN [lookup-first-alias]"));
assertThat(resp2.getResponse().getStatusLine().getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST));
}

@SuppressWarnings("unchecked")
public void testLookupJoinDocLevelSecurity() throws Exception {
assumeTrue(
"Requires LOOKUP JOIN capability",
EsqlSpecTestCase.hasCapabilities(adminClient(), List.of(EsqlCapabilities.Cap.JOIN_LOOKUP_V11.capabilityName()))
);

Response resp = runESQLCommand("dls_user", "ROW x = 40.0 | EVAL value = x | LOOKUP JOIN `lookup-user2` ON value | KEEP x, org");
assertOK(resp);
Map<String, Object> respMap = entityAsMap(resp);
assertThat(
respMap.get("columns"),
equalTo(List.of(Map.of("name", "x", "type", "double"), Map.of("name", "org", "type", "keyword")))
);

assertThat(respMap.get("values"), equalTo(List.of(Arrays.asList(40.0, null))));

resp = runESQLCommand("dls_user", "ROW x = 32.0 | EVAL value = x | LOOKUP JOIN `lookup-user2` ON value | KEEP x, org");
assertOK(resp);
respMap = entityAsMap(resp);
assertThat(
respMap.get("columns"),
equalTo(List.of(Map.of("name", "x", "type", "double"), Map.of("name", "org", "type", "keyword")))
);
assertThat(respMap.get("values"), equalTo(List.of(List.of(31.0, "sales"))));
assertThat(respMap.get("values"), equalTo(List.of(List.of(32.0, "marketing"))));

// Alias, for a row that's filtered out
resp = runESQLCommand("alias_user1", "ROW x = 123.0 | EVAL value = x | LOOKUP JOIN `lookup-first-alias` ON value | KEEP x, org");
// same, but with a user that has two dls roles that allow him more visibility

resp = runESQLCommand("dls_user2", "ROW x = 40.0 | EVAL value = x | LOOKUP JOIN `lookup-user2` ON value | KEEP x, org");
assertOK(resp);
respMap = entityAsMap(resp);
assertThat(
respMap.get("columns"),
equalTo(List.of(Map.of("name", "x", "type", "double"), Map.of("name", "org", "type", "keyword")))
);
assertThat(respMap.get("values"), equalTo(List.of(Arrays.asList(123.0, null))));

assertThat(respMap.get("values"), equalTo(List.of(Arrays.asList(40.0, "sales"))));

resp = runESQLCommand("dls_user2", "ROW x = 32.0 | EVAL value = x | LOOKUP JOIN `lookup-user2` ON value | KEEP x, org");
assertOK(resp);
respMap = entityAsMap(resp);
assertThat(
respMap.get("columns"),
equalTo(List.of(Map.of("name", "x", "type", "double"), Map.of("name", "org", "type", "keyword")))
);
assertThat(respMap.get("values"), equalTo(List.of(List.of(32.0, "marketing"))));

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, these are very helpful. Thanks for adding!

}

@SuppressWarnings("unchecked")
public void testLookupJoinFieldLevelSecurity() throws Exception {
assumeTrue(
"Requires LOOKUP JOIN capability",
EsqlSpecTestCase.hasCapabilities(adminClient(), List.of(EsqlCapabilities.Cap.JOIN_LOOKUP_V11.capabilityName()))
);

Response resp = runESQLCommand("fls_user2", "ROW x = 40.0 | EVAL value = x | LOOKUP JOIN `lookup-user2` ON value");
assertOK(resp);
Map<String, Object> respMap = entityAsMap(resp);
assertThat(
respMap.get("columns"),
equalTo(
List.of(
Map.of("name", "x", "type", "double"),
Map.of("name", "value", "type", "double"),
Map.of("name", "org", "type", "keyword")
)
)
);

resp = runESQLCommand("fls_user3", "ROW x = 40.0 | EVAL value = x | LOOKUP JOIN `lookup-user2` ON value");
assertOK(resp);
respMap = entityAsMap(resp);
assertThat(
respMap.get("columns"),
equalTo(
List.of(
Map.of("name", "x", "type", "double"),
Map.of("name", "value", "type", "double"),
Map.of("name", "org", "type", "keyword"),
Map.of("name", "other", "type", "keyword")
)
)

);
}
Copy link
Contributor

@alex-spies alex-spies Jan 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, one last test suggestion - we can also add this in a separate PR if you're already about to make this ready to merge.

I just noticed: all of the fls test cases have permission to read the value field, which is the join key.

I think it'd be interesting to test if forbidding this field for a user makes it so all look ups are null. And, if we wanna be extra paranoid, consider the case where the lookup index has duplicates for a given join key, so the LOOKUP JOIN would lead to extra rows - but without permissions granted on the join key, no extra rows should be emitted. (Otherwise, users could exfiltrate statistics about fields they have no permissions on).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Alex, I still have a couple of things to push, I'll add this one as well.
I think the whole query will fail because the user doesn't see the join key in the schema, but I'll double-check

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new tests confirm the above: if a role cannot see the join key in the lookup index, the query will fail with "Unknown column"


public void testLookupJoinIndexForbidden() throws Exception {
Expand Down
31 changes: 31 additions & 0 deletions x-pack/plugin/esql/qa/security/src/javaRestTest/resources/roles.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,37 @@ fls_user:
field_security:
grant: [ value ]

fls_user2:
cluster: []
indices:
- names: [ 'lookup-user2' ]
privileges: [ 'read' ]
field_security:
grant: [ "org", "value" ]

fls_user3:
cluster: []
indices:
- names: [ 'lookup-user2' ]
privileges: [ 'read' ]
field_security:
grant: [ "org", "value", "other" ]

dls_user:
cluster: []
indices:
- names: [ 'lookup-user2' ]
privileges: [ 'read' ]
query: '{"match": {"org": "marketing"}}'

dls_user2:
cluster: []
indices:
- names: [ 'lookup-user2' ]
privileges: [ 'read' ]
query: '{"match": {"org": "sales"}}'


logs_foo_all:
cluster: []
indices:
Expand Down
7 changes: 6 additions & 1 deletion x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/action/EsqlCapabilities.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -748,7 +748,12 @@ public enum Cap {
/**
* Support named argument for function in map format.
*/
OPTIONAL_NAMED_ARGUMENT_MAP_FOR_FUNCTION(Build.current().isSnapshot());
OPTIONAL_NAMED_ARGUMENT_MAP_FOR_FUNCTION(Build.current().isSnapshot()),

/**
* Disabled support for index aliases in lookup joins
*/
LOOKUP_JOIN_NO_ALIASES(JOIN_LOOKUP_V11.isEnabled());

private final boolean enabled;

Expand Down
30 changes: 0 additions & 30 deletions x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/analysis/Analyzer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -237,36 +237,6 @@ private LogicalPlan resolveIndex(UnresolvedRelation plan, IndexResolution indexR

EsIndex esIndex = indexResolution.get();

if (plan.indexMode().equals(IndexMode.LOOKUP)) {
String indexResolutionMessage = null;

var indexNameWithModes = esIndex.indexNameWithModes();
if (indexNameWithModes.size() != 1) {
indexResolutionMessage = "invalid ["
+ table
+ "] resolution in lookup mode to ["
+ indexNameWithModes.size()
+ "] indices";
} else if (indexNameWithModes.values().iterator().next() != IndexMode.LOOKUP) {
indexResolutionMessage = "invalid ["
+ table
+ "] resolution in lookup mode to an index in ["
+ indexNameWithModes.values().iterator().next()
+ "] mode";
}

if (indexResolutionMessage != null) {
return new UnresolvedRelation(
plan.source(),
plan.table(),
plan.frozen(),
plan.metadataFields(),
plan.indexMode(),
indexResolutionMessage,
plan.commandName()
);
}
}
var attributes = mappingAsAttributes(plan.source(), esIndex.mapping());
attributes.addAll(plan.metadataFields());
return new EsRelation(
Expand Down
38 changes: 22 additions & 16 deletions .../plugin/esql/src/main/java/org/elasticsearch/xpack/esql/enrich/AbstractLookupService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,6 @@
import org.elasticsearch.transport.TransportRequestOptions;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
Expand Down Expand Up @@ -134,7 +133,7 @@ public abstract class AbstractLookupService<R extends AbstractLookupService.Requ
private final String actionName;
private final ClusterService clusterService;
private final LookupShardContextFactory lookupShardContextFactory;
private final TransportService transportService;
protected final TransportService transportService;
private final Executor executor;
private final BigArrays bigArrays;
private final BlockFactory blockFactory;
Expand Down Expand Up @@ -238,23 +237,30 @@ public final void lookupAsync(R request, CancellableTask parentTask, ActionListe
DiscoveryNode targetNode = clusterState.nodes().get(shardRouting.currentNodeId());
T transportRequest = transportRequest(request, shardId);
// TODO: handle retry and avoid forking for the local lookup
try (ThreadContext.StoredContext unused = threadContext.stashWithOrigin(ClientHelper.ENRICH_ORIGIN)) {
transportService.sendChildRequest(
targetNode,
actionName,
transportRequest,
parentTask,
TransportRequestOptions.EMPTY,
new ActionListenerResponseHandler<>(
delegate.map(LookupResponse::takePages),
in -> readLookupResponse(in, blockFactory),
executor
)
);
}
sendChildRequest(parentTask, delegate, targetNode, transportRequest);
}));
}

protected void sendChildRequest(
CancellableTask parentTask,
ActionListener<List<Page>> delegate,
DiscoveryNode targetNode,
T transportRequest
) {
transportService.sendChildRequest(
targetNode,
actionName,
transportRequest,
parentTask,
TransportRequestOptions.EMPTY,
new ActionListenerResponseHandler<>(
delegate.map(LookupResponse::takePages),
in -> readLookupResponse(in, blockFactory),
executor
)
);
}

/**
* Get the privilege required to perform the lookup.
* <p>
Expand Down
18 changes: 18 additions & 0 deletions ...ck/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/enrich/EnrichLookupService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,13 @@
package org.elasticsearch.xpack.esql.enrich;

import org.elasticsearch.TransportVersions;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.compute.data.Block;
import org.elasticsearch.compute.data.BlockFactory;
import org.elasticsearch.compute.data.BlockStreamInput;
Expand All @@ -23,8 +26,10 @@
import org.elasticsearch.index.mapper.RangeType;
import org.elasticsearch.index.query.SearchExecutionContext;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.tasks.CancellableTask;
import org.elasticsearch.tasks.TaskId;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.esql.EsqlIllegalArgumentException;
import org.elasticsearch.xpack.esql.action.EsqlQueryAction;
Expand Down Expand Up @@ -270,4 +275,17 @@ protected void innerRelease() {
}
}
}

@Override
protected void sendChildRequest(
CancellableTask parentTask,
ActionListener<List<Page>> delegate,
DiscoveryNode targetNode,
TransportRequest transportRequest
) {
ThreadContext threadContext = transportService.getThreadPool().getThreadContext();
try (ThreadContext.StoredContext unused = threadContext.stashWithOrigin(ClientHelper.ENRICH_ORIGIN)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we try and add a comment here with the best understanding that we can gather on what's happening here?

I think it's crucial and extremely important for how permissions are handled for ENRICH.

My understanding:

  • This performs the ENRICH lookup without regard for the role of the user that sent the query. That is, at this point we assume that we are allowed to access any enrich index.
  • This is safe because there's a dedicated privilege for ENRICH which is checked before we reach here, more specifically where hasPrivilege is being used. (I see manage_enrich and monitor_enrich here, and I think we require the latter - although the former seems to be stronger and is probably also sufficient.)

@dnhatn , could you maybe confirm that this is happening, or correct me if I'm wrong?

Copy link
Member

@dnhatn dnhatn Jan 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@luigidellaquila @alex-spies I thought more about the fix. Can we move hasPrivilege to EnrichLookupService and remove getRequiredPrivilege? This change would eliminate the privilege assumption and reduce the scattering between two classes. The changes might be similar to these snippets:

AbstractLookupService.lookupAsync

public final void lookupAsync(R request, CancellableTask parentTask, ActionListener<List<Page>> listener) {
    ClusterState clusterState = clusterService.state();
    GroupShardsIterator<ShardIterator> shardIterators = clusterService.operationRouting()
        .searchShards(clusterState, new String[] { request.index }, Map.of(), "_local");
    if (shardIterators.size() != 1) {
        listener.onFailure(new EsqlIllegalArgumentException("target index {} has more than one shard", request.index));
        return;
    }
    ShardIterator shardIt = shardIterators.get(0);
    ShardRouting shardRouting = shardIt.nextOrNull();
    ShardId shardId = shardIt.shardId();
    if (shardRouting == null) {
        listener.onFailure(new UnavailableShardsException(shardId, "target index is not available"));
        return;
    }
    DiscoveryNode targetNode = clusterState.nodes().get(shardRouting.currentNodeId());
    T transportRequest = transportRequest(request, shardId);
    // TODO: handle retry and avoid forking for the local lookup
    sendChildRequest(parentTask, listener, targetNode, transportRequest);
}

EnrichLookupService#sendChildRequest

ThreadContext threadContext = transportService.getThreadPool().getThreadContext();
ActionListener<List<Page>> listener = ContextPreservingActionListener.wrapPreservingContext(outListener, threadContext);
hasEnrichPrivilege(listener.delegateFailureAndWrap((delegate, ignored) -> {
    try (ThreadContext.StoredContext unused = threadContext.stashWithOrigin(ClientHelper.ENRICH_ORIGIN)) {
        super.sendChildRequest(parentTask, delegate, targetNode, transportRequest);
    }
}));

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @dnhatn, I agree, it will make things much more clear. Doing it now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, with @dnhatn 's suggestion the whole situation is more localized and more clear.

Personally, I'd still leave a comment in place because for people unfamiliar with this code, it can be unexpected that the call to ThreadContext.stashWithOrigin will abandon the current user's authorization. (It's explained in stashWithOrigin's javadoc, but that requires an extra hop.)

super.sendChildRequest(parentTask, delegate, targetNode, transportRequest);
}
}
}
Loading