ES|QL when executed over CCS requires "read" local privilege for any (or none) local indices #108734

Open
jakelandis opened this issue May 16, 2024 · 4 comments
Labels
:Analytics/ES|QL AKA ESQL >bug :Security/Security Security issues without another label Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) Team:Security Meta label for security team

Comments

@jakelandis
Contributor

jakelandis commented May 16, 2024

Description

When executing ES|QL over CCS (new and tech preview in 8.14) the permissions require that the user have "read" access defined for the local cluster.

The following are the minimum local cluster privileges required:

  "indices": [
    {
      "names" : [""],
      "privileges": ["read"]
    }
  ],

to allow ES|QL to work over CCS. (empty names is not needed, empty or any names will work). This requirement is due to an internal implementation detail for how the local actions are authorized before the work travels across clusters.

Ideally, only the following permissions (example for API key based CCS) are needed:

  "remote_indices": [
    {
      "names": [ "logs-*" ],
      "privileges": [ "read","read_cross_cluster" ],
      "clusters" : ["my_remote_cluster"]
    }
  ],

with no local permission required.

cc: @dnhatn @quux00
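
A least-privilege check for the workaround described above, as an added example that is not part of the original issue or of Elasticsearch: it classifies role descriptors by whether the local `read` grant needed for ES|QL over CCS is a placeholder or exposes local indices. The role names, sample descriptors and verdict labels are constructed, and only the literal `read` privilege is checked.

```python
# Added example: audit role descriptors for the ES|QL-over-CCS local "read" workaround.
# Assumption: only the literal "read" privilege is checked; privileges that may
# imply read (for example "all") are not evaluated here.

# Constructed sample descriptors; the remote grant mirrors the one in the issue.
REMOTE = [{"names": ["logs-*"], "privileges": ["read", "read_cross_cluster"],
           "clusters": ["my_remote_cluster"]}]
ROLES = {
    "remote_only": {"remote_indices": REMOTE},
    "workaround_minimal": {"indices": [{"names": [""], "privileges": ["read"]}],
                           "remote_indices": REMOTE},
    "workaround_broad": {"indices": [{"names": ["*"], "privileges": ["read"]}],
                         "remote_indices": REMOTE},
    "local_only": {"indices": [{"names": ["metrics-*"], "privileges": ["read"]}]},
}


def classify(role):
    """Return a verdict for one role descriptor (a dict)."""
    if not role.get("remote_indices"):
        return "not-ccs"  # no remote grant, so the issue does not apply
    read_entries = [e for e in role.get("indices", [])
                    if "read" in e.get("privileges", [])]
    if not read_entries:
        # Per the issue, ES|QL over CCS is rejected without a local "read" entry.
        return "esql-ccs-blocked"
    # Assumption: an empty-string pattern matches no real index name, so it
    # satisfies the local check without granting access to local data.
    patterns = [n for e in read_entries for n in e.get("names", []) if n]
    return "local-read-exposed" if patterns else "placeholder-only"


def audit(roles):
    """Map each role name to its verdict."""
    return {name: classify(role) for name, role in roles.items()}


if __name__ == "__main__":
    for name, verdict in audit(ROLES).items():
        print(f"{name:20} {verdict}")
```

A `local-read-exposed` verdict on a role intended only for remote access is the case to review, since the issue states that an empty name is enough to satisfy the local requirement.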

@jakelandis jakelandis added >bug :Security/Security Security issues without another label :Analytics/ES|QL AKA ESQL labels May 16, 2024
@elasticsearchmachine elasticsearchmachine added the Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) label May 16, 2024
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label May 16, 2024
@elasticsearchmachine
Collaborator

Pinging @elastic/es-analytical-engine (Team:Analytics)

@quux00
Contributor

quux00 commented May 16, 2024

nit: in two places in the description you have "CSS" - that should be CCS?

@jakelandis
Contributor Author

> nit: in two places in the description you have "CSS" - that should be CCS?

IDK LGTM LOL JK (updated the OP) 😃
