
Add permission to give exclusive access to certain files

Open thecoop opened this issue 10 months ago • 10 comments

Add a security permission for code to be able to grant exclusive access to files.

If a codebase grants itself ExclusiveFileAccessPermission on a file or directory, it prevents ES and other plugins from accessing that path at all. This can be used by a plugin to keep secrets stored in files safe from other code.

This removes the forbidden permissions added in https://github.com/elastic/elasticsearch/pull/107481 and replaces them with an exclusive access permission to nothing.

thecoop avatar Apr 24 '24 09:04 thecoop
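A toy model of the exclusive-access rule described above, added here as an illustration and not taken from the pull request or from Elasticsearch. The class, the codebase names and the paths are all hypothetical, and rejecting a second exclusive claim on the same path is an assumption of this sketch.

```java
import java.nio.file.Path;
import java.util.*;

/** Toy model of an exclusive-file-access check; not Elasticsearch code. */
public class ExclusiveAccessModel {
    // exclusive path -> the single codebase allowed to touch it (names are hypothetical)
    private final Map<Path, String> exclusiveOwners = new HashMap<>();
    // codebase -> paths it holds an ordinary file grant for
    private final Map<String, Set<Path>> grants = new HashMap<>();

    void grant(String codebase, String path) {
        grants.computeIfAbsent(codebase, k -> new HashSet<>()).add(norm(path));
    }

    void grantExclusive(String codebase, String path) {
        // Assumption of this sketch: two codebases cannot both claim the same path.
        String prev = exclusiveOwners.putIfAbsent(norm(path), codebase);
        if (prev != null && !prev.equals(codebase)) {
            throw new IllegalStateException(path + " is already exclusive to " + prev);
        }
        grant(codebase, path);
    }

    boolean implies(String codebase, String requested) {
        Path p = norm(requested);
        // Deny first: an exclusive entry owned by another codebase overrides any grant.
        for (Map.Entry<Path, String> e : exclusiveOwners.entrySet()) {
            if (p.startsWith(e.getKey()) && !e.getValue().equals(codebase)) return false;
        }
        return grants.getOrDefault(codebase, Set.of()).stream().anyMatch(g -> p.startsWith(g));
    }

    // Normalize so that ".." segments cannot sidestep the component-wise prefix check.
    private static Path norm(String s) { return Path.of(s).toAbsolutePath().normalize(); }

    static void check(boolean ok) { if (!ok) throw new AssertionError(); }

    public static void main(String[] args) {
        ExclusiveAccessModel policy = new ExclusiveAccessModel();
        policy.grant("server", "/es/config");      // broad grants that cover the secret dir
        policy.grant("plugin-b", "/es/config");
        policy.grantExclusive("plugin-a", "/es/config/plugin-a/secrets");

        check(policy.implies("plugin-a", "/es/config/plugin-a/secrets/key.pem"));
        check(!policy.implies("server", "/es/config/plugin-a/secrets/key.pem"));
        check(!policy.implies("plugin-b", "/es/config/plugin-a/../plugin-a/secrets/key.pem"));
        check(policy.implies("plugin-b", "/es/config/other.yml"));
        System.out.println("all checks passed");
    }
}
```

The second and third checks are the property a test of this behaviour has to pin down: a codebase holding a broader grant over the parent directory, the server included, is still denied once another codebase has claimed the path exclusively.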

@rjernst @tvernum Requesting review on overall approach, will expand it out with proper tests if what is here is good in principle.

thecoop avatar Apr 29 '24 13:04 thecoop

Hi @thecoop, I've created a changelog YAML for you.

elasticsearchmachine avatar May 01 '24 15:05 elasticsearchmachine

Pinging @elastic/es-security (Team:Security)

elasticsearchmachine avatar May 01 '24 15:05 elasticsearchmachine

Pinging @elastic/es-core-infra (Team:Core/Infra)

elasticsearchmachine avatar May 01 '24 15:05 elasticsearchmachine

I'm not sure how to go about testing this at the plugin level - all the existing plugin security tests just test the permissions that are read, they don't go all the way through to creating an ESPolicy/running it in ES.

thecoop avatar May 01 '24 15:05 thecoop

> I'm not sure how to go about testing this at the plugin level

Could you add tests to ESPolicyTests which mimic plugins? That is, you can construct mock plugins (see eg how InMemoryModuleFinderTests uses JarUtils to create dynamic jars). They don't need to be "real" plugins in the sense they don't need to have a class inherit from Plugin, nor have a plugin descriptor. All we care about from the ESPolicy perspective is the map of codebases, and the mapping of those codebases to concrete Policy objects.

rjernst avatar May 10 '24 23:05 rjernst

I'm not sure that will test what I want - at the moment, there's nothing testing Security itself, in particular that the exclusive files are configured. Ideally I want something that tests if Security and ESPolicy together work to deny access to the relevant files.

thecoop avatar May 14 '24 13:05 thecoop

> Ideally I want something that tests if Security and ESPolicy together work to deny access to the relevant files

That's a more difficult test since Security sets up the SM for the running VM. I'm suggesting adding a unit test (ESPolicyTests already exists) to directly check the behavior of implies given some set of arguments to the ctor.

rjernst avatar May 14 '24 13:05 rjernst

That's what I've already added to ESPolicyUnitTests.testExclusiveAccess. Sounds like this is only a manual test then.

thecoop avatar May 14 '24 13:05 thecoop

The permission is now all properly working, checked with a manual test.

thecoop avatar May 14 '24 16:05 thecoop