Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users with only manage_token privilege cannot invalidate tokens by username or realmname #47151

Closed
bizybot opened this issue Sep 26, 2019 · 1 comment · Fixed by #47418
Closed

Users with only manage_token privilege cannot invalidate tokens by username or realmname #47151

bizybot opened this issue Sep 26, 2019 · 1 comment · Fixed by #47418
Assignees
@albertzaharovits
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC

Comments

@bizybot
Copy link
Contributor

bizybot commented Sep 26, 2019

Steps:

  • Create a user with manage_token cluster privilege.
  • Use the user to generate tokens using API POST _security/oauth2/token and grant_type as password
  • Use the user to invalidate the tokens for a user using DELETE _security/oauth2/token with the username/realm_name parameter.

The request to invalidate tokens fails since the search action is not executed in the context of XPackSecurityUser. We need to execute the search action with SECURITY_ORIGIN.

https://discuss.elastic.co/t/what-privileges-are-required-to-invalidate-tokens-by-username/201043
@bizybot bizybot added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Sep 26, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@bizybot bizybot changed the title Users with manage_token privilege only cannot invalidate tokens by username or realmname Users with only manage_token privilege cannot invalidate tokens by username or realmname Sep 26, 2019
@albertzaharovits albertzaharovits self-assigned this Sep 29, 2019
@albertzaharovits albertzaharovits mentioned this issue Oct 1, 2019
Merged
@jportner jportner mentioned this issue Oct 17, 2019
Merged
4 tasks
albertzaharovits added a commit that referenced this issue Oct 21, 2019
@albertzaharovits
Fix security origin for TokenService#findActiveTokensFor... (#47418)
9964d89 
All internal searches (triggered by APIs) across the .security index
must be performed while "under the security origin". Otherwise,
the search is performed in the context of the caller which most
likely does not have privileges to search .security (hopefully).
This commit fixes this in the case of two methods in the
TokenService and corrects an overly done such context switch
in the ApiKeyService.

In addition, this makes all tests from the client/rest-high-level
module execute as an all mighty administrator,
but not a literal superuser.

Closes #47151
@albertzaharovits albertzaharovits mentioned this issue Oct 21, 2019
Merged
albertzaharovits added a commit that referenced this issue Oct 21, 2019
@albertzaharovits
Fix security origin for TokenService#findActiveTokensFor... (#47418) (#…
69fc715 
…48280)

All internal searches (triggered by APIs) across the .security index
must be performed while "under the security origin". Otherwise,
the search is performed in the context of the caller which most
likely does not have privileges to search .security (hopefully).
This commit fixes this in the case of two methods in the
TokenService and corrects an overly done such context switch
in the ApiKeyService.

In addition, this makes all tests from the client/rest-high-level
module execute as an all mighty administrator,
but not a literal superuser.

Closes #47151
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@albertzaharovits albertzaharovits

Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix security origin for TokenService#findActiveTokensFor... albertzaharovits/elasticsearch
3 participants
@bizybot @albertzaharovits @elasticmachine