In access deny msg, only show indices if resolved

tvernum · tvernum · commit 27bc0d3741cf · 2021-04-15T11:31:20.000+10:00
Our authorization engine has a short-circuit check for the intended action the takes place before resolving index names (wildcards). That is, a requests like GET /_search GET /logs-*/_search GET /logs-20210414/_search will fail fast if the user does not have read permission on any indices, and we will never resolve the list of indices that the request targets. Consequently, it is impossible to provide the list of denied indices in the error message because that list does exist (and, in the case of wildards would be empty even if we did resolve it). This change updates the access denied message so that it does not attempt to include the list of indices if the IndiceAccessControl object has an empty list of denied indices. Prior to this, we would generate messages such as action [indices:data/read/search] is unauthorized for user [test] with roles [test] on indices [], That "indices []" section is never useful since it does not name any indices, so it has now been dropped from the message if it is empty. Relates: elastic#42166, elastic#60357
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java
@@ -342,6 +342,9 @@ public String getFailureContext() {
         }
 
         public static String getFailureDescription(Collection<?> deniedIndices) {
+            if (deniedIndices.isEmpty()) {
+                return null;
+            }
             return "on indices [" + Strings.collectionToCommaDelimitedString(deniedIndices) + "]";
         }
 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -679,8 +679,7 @@ public void testUnknownRoleCausesDenial() throws IOException {
         assertThat(securityException, throwableWithMessage(containsString(
             "[" + action + "] is unauthorized" +
                 " for user [test user]" +
-                " with roles [non-existent-role]" +
-                " on indices [")));
+                " with roles [non-existent-role],")));
         assertThat(securityException, throwableWithMessage(containsString("this action is granted by the index privileges [read,all]")));
 
         verify(auditTrail).accessDenied(eq(requestId), eq(authentication), eq(action), eq(request), authzInfoRoles(Role.EMPTY.names()));
@@ -721,8 +720,7 @@ public void testThatRoleWithNoIndicesIsDenied() throws IOException {
         assertThat(securityException, throwableWithMessage(containsString(
             "[" + action + "] is unauthorized" +
                 " for user [test user]" +
-                " with roles [no_indices]" +
-                " on indices [")));
+                " with roles [no_indices],")));
         assertThat(securityException, throwableWithMessage(containsString("this action is granted by the index privileges [read,all]")));
 
         verify(auditTrail).accessDenied(eq(requestId), eq(authentication), eq(action), eq(request),

Original file line number	Diff line number	Diff line change
`@@ -342,6 +342,9 @@ public String getFailureContext() {`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`public static String getFailureDescription(Collection<?> deniedIndices) {`
	`345`	`+ if (deniedIndices.isEmpty()) {`
	`346`	`+ return null;`
	`347`	`+ }`
`345`	`348`	`return "on indices [" + Strings.collectionToCommaDelimitedString(deniedIndices) + "]";`
`346`	`349`	`}`
`347`	`350`