Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: b888c48976
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
limitations.asciidoc

limitations.asciidoc 6.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135 
  1. [role="xpack"]
    2. 

  2. [[security-limitations]]
    3. 

  3. == Security limitations
    4. 

  4. [subs="attributes"]
    5. 

  5. ++++
    6. 

  6. <titleabbrev>Limitations</titleabbrev>
    7. 

  7. ++++
    8. 

  8. 

  9. [discrete]
    10. 

  10. === Plugins
    11. 

  11. 

  12. {es}'s plugin infrastructure is extremely flexible in terms of what can
    13. 

  13. be extended. While it opens up {es} to a wide variety of (often custom)
    14. 

  14. additional functionality, when it comes to security, this high extensibility level
    15. 

  15. comes at a cost. We have no control over the third-party plugins' code (open
    16. 

  16. source or not) and therefore we cannot guarantee their compliance with
    17. 

  17. {stack-security-features}. For this reason, third-party plugins are not
    18. 

  18. officially supported on clusters with {security-features} enabled.
    19. 

  19. 

  20. [discrete]
    21. 

  21. === Changes in wildcard behavior
    22. 

  22. 

  23. {es} clusters with the {security-features} enabled apply `_all` and other
    24. 

  24. wildcards to data streams, indices, and aliases the current user has privileges
    25. 

  25. for, not all data streams, indices, and aliases on the cluster.
    26. 

  26. 

  27. [discrete]
    28. 

  28. === Multi document APIs
    29. 

  29. 

  30. Multi get and multi term vectors API throw IndexNotFoundException when trying to access non existing indices that the user is
    31. 

  31. not authorized for. By doing that they leak information regarding the fact that the data stream or index doesn't exist, while the user is not
    32. 

  32. authorized to know anything about those data streams or indices.
    33. 

  33. 

  34. [discrete]
    35. 

  35. === Filtered index aliases
    36. 

  36. 

  37. Aliases containing filters are not a secure way to restrict access to individual
    38. 

  38. documents, due to the limitations described in
    39. 

  39. <<alias-limitations, Index and field names can be leaked when using aliases>>.
    40. 

  40. The {stack-security-features} provide a secure way to restrict access to
    41. 

  41. documents through the
    42. 

  42. <<field-and-document-access-control, document-level security>> feature.
    43. 

  43. 

  44. [discrete]
    45. 

  45. [[field-document-limitations]]
    46. 

  46. === Field and document level security limitations
    47. 

  47. 

  48. When a user's role enables document or <<field-level-security,field level security>> for a data stream or index:
    49. 

  49. 

  50. * The user cannot perform write operations:
    51. 

  51. ** The update API isn't supported.
    52. 

  52. ** Update requests included in bulk requests aren't supported.
    53. 

  53. * The user cannot perform operations that effectively make contents accessible
    54. 

  54. under another name, including actions from the following APIs:
    55. 

  55. ** <<indices-clone-index,Clone index API>>
    56. 

  56. ** <<indices-shrink-index,Shrink index API>>
    57. 

  57. ** <<indices-split-index,Split index API>>
    58. 

  58. ** <<indices-aliases,Aliases API>>
    59. 

  59. 

  60. * The request cache is disabled for search requests if either of the following are true:
    61. 

  61. ** The role query that defines document level security is <<templating-role-query,templated>>
    62. 

  62. using a <<script-stored-scripts,stored script>>.
    63. 

  63. ** The target indices are a mix of local and remote indices.
    64. 

  64. 

  65. When a user's role enables <<document-level-security,document level security>> for a data stream or index:
    66. 

  66. 

  67. * Document level security doesn't affect global index statistics that relevancy
    68. 

  68.   scoring uses. This means that scores are computed without taking the role
    69. 

  69.   query into account. Documents that don't match the role query are
    70. 

  70.   never returned.
    71. 

  71. * The `has_child` and `has_parent` queries aren't supported as query parameters
    72. 

  72. in the role definition. The `has_child` and `has_parent` queries can be used in
    73. 

  73. the search API with document level security enabled.
    74. 

  74. * <<date-math,Date math>> expressions cannot contain `now` in <<ranges-on-dates,range queries with date fields>>
    75. 

  75. * Any query that makes remote calls to fetch query data isn't supported,
    76. 

  76. including the following queries:
    77. 

  77. ** `terms` query with terms lookup
    78. 

  78. ** `geo_shape` query with indexed shapes
    79. 

  79. ** `percolate` query
    80. 

  80. * If suggesters are specified and document level security is enabled, the specified suggesters are ignored.
    81. 

  81. * A search request cannot be profiled if document level security is enabled.
    82. 

  82. * The <<search-terms-enum,terms enum API>> does not return terms if document
    83. 

  83. level security is enabled.
    84. 

  84. * The <<query-dsl-multi-match-query, `multi_match`>> query does not support specifying fields using wildcards.
    85. 

  85. 

  86. NOTE: While document-level security prevents users from viewing restricted documents,
    87. 

  87. it's still possible to write search requests that return aggregate information about the
    88. 

  88. entire index. A user whose access is restricted to specific documents in an index could
    89. 

  89. still learn about field names and terms that only exist in inaccessible
    90. 

  90. documents, and count how many inaccessible documents contain a given term.
    91. 

  91. 

  92. [discrete]
    93. 

  93. [[alias-limitations]]
    94. 

  94. === Index and field names can be leaked when using aliases
    95. 

  95. 

  96. Calling certain {es} APIs on an alias can potentially leak information
    97. 

  97. about indices that the user isn't authorized to access. For example, when you get
    98. 

  98. the mappings for an alias with the `_mapping` API, the response includes the
    99. 

  99. index name and mappings for each index that the alias applies to.
    100. 

  100. 

  101. Until this limitation is addressed, avoid index and field names that contain
    102. 

  102. confidential or sensitive information.
    103. 

  103. 

  104. [discrete]
    105. 

  105. === LDAP realm
    106. 

  106. 

  107. The <<ldap-realm, LDAP Realm>> does not currently support the discovery of nested
    108. 

  108. LDAP Groups. For example, if a user is a member of `group_1` and `group_1` is a
    109. 

  109. member of `group_2`, only `group_1` will be discovered. However, the
    110. 

  110. <<active-directory-realm, Active Directory Realm>> *does* support transitive
    111. 

  111. group membership.
    112. 

  112. 

  113. 

  114. [discrete]
    115. 

  115. [[can-access-resources-check]]
    116. 

  116. === Resource sharing check for users and API keys
    117. 

  117. 

  118. The result of <<async-search,async search>> and <<scroll-api,scroll>> requests can be retrieved later
    119. 

  119. by the same user or API key that submitted the initial request. The verification process involves comparing
    120. 

  120. the username, authentication realm type, and (for realms other than file or native) realm name.
    121. 

  121. If you used an API key to submit the request, only that key can retrieve the results.
    122. 

  122. This logic also has a few limitations:
    123. 

  123. 

  124. * Two different realms can have the same name on different nodes. This is not a
    125. 

  125. recommended way to configure realms, therefore the resource sharing check
    126. 

  126. does not attempt to detect this inconsistency.
    127. 

  127. * Realms can be renamed. This can cause inconsistency for the resource sharing check
    128. 

  128. when you submit an async search or scroll then rename the realm and try to retrieve the results.
    129. 

  129. Hence, changing realm names should be handled with care since it can cause complications for more than
    130. 

  130. just the resource sharing check.
    131. 

  131. * The username is dynamically computed for realms backed by certain external authentication
    132. 

  132. providers. For example, the username can be derived from part of the DN in an LDAP realm.
    133. 

  133. It is in theory possible that two distinct users from the external system get
    134. 

  134. mapped to the same username. Our recommendation is to avoid this situation in the first place.
    135. 

  135. Hence, the resource sharing check does not account for this potential discrepancy.
    136.