Don't fallback to anonymous user when credentials are present (Basic Authentication) #108563
Comments
Pinging @elastic/es-security (Team:Security)
@AkshayGoyal022 The intention is that the anonymous role is also assigned to all other users that present any credential, even if the credentials they present map to other roles. That's because the anonymous role is assigned to users that don't show any credential, and it makes little sense to have fewer permissions when presenting a credential than when not.
@albertzaharovits Not sure if I understand it completely. Do you mean the anonymous role takes precedence over the role associated with the user?
But here we are passing the credentials. I also tried with the Authorization Bearer header. So the request shouldn't be considered anonymous.
I mean that Line 242 in 589d927
We discussed this in our es-security team meeting yesterday, and decided we will not implement this. We consider it a potential security problem if a client is able to get more or different permissions when it omits (e.g. by mistake) the credentials.
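The behaviour the maintainers describe (anonymous roles are merged into every principal's role set, so a password cannot buy fewer permissions than no password) and the reproduction in the issue body can be checked with the following added example. It is not Elasticsearch code and not code from either participant; it models the merge, checks the invariant the team wants to keep against the change requested in the issue, and parses a `GET /_security/user/_has_privileges` response so the same check can be run against a real cluster. The role contents (`new_test_role` limited to `foo*`, a broad hypothetical `anon_role`) and the sample API response are assumptions, because the issue omits the role JSON and the `elasticsearch.yml` snippet.

```python
# Added example, not Elasticsearch code: a model of the role merge the
# maintainers describe above, plus a parser for the real _has_privileges API
# response so the same check can be run against a cluster. The role contents
# (new_test_role on foo*, a broad anon_role) are assumptions, since the issue
# omits the role JSON and the elasticsearch.yml snippet.
import fnmatch
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    index_patterns: tuple  # index name patterns, e.g. ("foo*",)
    privileges: frozenset  # index privileges, e.g. frozenset({"read"})


# Constructed role definitions (assumptions for illustration only).
ROLES = {
    "new_test_role": Role("new_test_role", ("foo*",), frozenset({"read"})),
    "anon_role": Role("anon_role", ("*",), frozenset({"read"})),  # hypothetical
}


def effective_roles(user_roles, anonymous_roles, anonymous_enabled=True):
    """Anonymous roles are added to every principal's own roles; credentials
    add to that floor, they never replace it (the behaviour described above)."""
    merged = list(user_roles)
    if anonymous_enabled:
        merged.extend(r for r in anonymous_roles if r not in merged)
    return merged


def has_index_privilege(role_names, index, privilege):
    """True if any named role grants `privilege` on a pattern matching `index`."""
    for name in role_names:
        role = ROLES.get(name)
        if role is None:
            continue  # unknown role names grant nothing
        if privilege in role.privileges and any(
            fnmatch.fnmatchcase(index, pat) for pat in role.index_patterns
        ):
            return True
    return False


def authorize(user_roles, anonymous_roles, index, privilege="read",
              anonymous_enabled=True):
    """One request's decision; user_roles is empty when no credentials were sent."""
    roles = effective_roles(user_roles, anonymous_roles, anonymous_enabled)
    return has_index_privilege(roles, index, privilege)


def credentials_never_reduce_access(user_roles, anonymous_roles, indices,
                                    merge_for_authenticated=True, privilege="read"):
    """The invariant the maintainers want to keep: whatever the anonymous user
    can do, the same client can still do after it presents credentials.
    merge_for_authenticated=False models the change requested in the issue."""
    return all(
        authorize(user_roles, anonymous_roles, i, privilege,
                  anonymous_enabled=merge_for_authenticated)
        for i in indices
        if authorize([], anonymous_roles, i, privilege)
    )


def granted_indices(has_privileges_body, privilege="read"):
    """Indices on which GET /_security/user/_has_privileges reported `privilege`
    as granted. That API answers through the authorization machinery, so it is
    the place to look for access a user only gets via the anonymous roles."""
    doc = json.loads(has_privileges_body)
    return sorted(name for name, privs in doc.get("index", {}).items()
                  if privs.get(privilege))


def unexpected_grants(has_privileges_body, user_roles, privilege="read"):
    """Granted indices that the user's own roles (per ROLES) do not cover."""
    return [i for i in granted_indices(has_privileges_body, privilege)
            if not has_index_privilege(user_roles, i, privilege)]


# Constructed sample response (not captured from a real cluster) for
# new_test_user asking about read on foo-1 and bar.
SAMPLE_HAS_PRIVILEGES = json.dumps({
    "username": "new_test_user", "has_all_requested": True, "cluster": {},
    "index": {"foo-1": {"read": True}, "bar": {"read": True}}, "application": {},
})


if __name__ == "__main__":
    anon = ["anon_role"]
    print("with credentials, bar:", authorize(["new_test_role"], anon, "bar"))
    print("no credentials, bar:  ", authorize([], anon, "bar"))
    print("invariant holds:", credentials_never_reduce_access(["new_test_role"], anon, ["foo-1", "bar"]))
    print("unexpected grants:", unexpected_grants(SAMPLE_HAS_PRIVILEGES, ["new_test_role"]))
```

The practical consequence for the reporter's setup: anything listed by `unexpected_grants` is reachable without any credentials at all, so the fix is to narrow `xpack.security.authc.anonymous.roles` (or disable anonymous access), not to strip those roles from authenticated users.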
Elasticsearch Version
8.3.3
Installed Plugins
No response
Java Version
bundled
OS Version
Darwin Kernel Version 23.4.0
Problem Description
We are observing one weird behaviour with anonymous access. It looks like it falls back to the anonymous user if credentials are present and the user doesn't have the required permissions.
I see something similar being fixed in 7.6.0 (#51042). Is there a way to disable the fallback if credentials are present?
Steps to Reproduce
Create a user with a role:
Notice this user only has access to indices starting with `foo*`.
Cluster's `config/elasticsearch.yml` settings:
Now if I send a request with this user's credentials, I am able to access indices which aren't allowed.
Request:
curl -X GET "http://new_test_user:new_test_password@localhost:9200/bar/_search?pretty"
I even tried with the Authorization header but still got the same result (`curl -H "Authorization: Basic bmV3X3Rlc3RfdXNlcjpuZXdfdGVzdF9wYXNzd29yZA==" -XGET "http://localhost:9200/bar/_search?pretty"`).
Logs (if relevant)
No response