all_projects doesn't limit on resource type
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Searchlight |
Fix Released
|
High
|
Steve McLellan |
Bug Description
Looking at the code in v1/search.py that constructs the eventual elasticsearch query, 'all_projects' passes the query straight through, bypassing the plugin RBAC filter entirely. That appears not to be correct. Using for OS::Nova::Server as an example, which has a simple project-id filter, the query without all_projects will look like:
filtered: {
filter: {
indices: {
filter: {
and: [
]
},
index_name: <index>
}
},
query: { <whatever the query was> }
}
When all_projects is applied, the 'filtered' part is missing entirely. The resource_type IS restricted by an argument to the search API function, but I don't think that's restrictive enough (imagine two live indices, both containing OS::Nova::Server types).
This isn't tremendously serious because it only affects admin queries with all_projects (so there's no security implication, for instance), but I think the code could be more consistent; it seems more accurate to always construct the 'indices' filters but drop the 'term' filter if all_projects is given.
Changed in searchlight: | |
assignee: | nobody → Steve McLellan (sjmc7) |
Changed in searchlight: | |
milestone: | mitaka-3 → mitaka-rc1 |
Looking a bit more at this, i think the query creation code is unnecessarily complicated. There's no reason to run a filtered query against each resource type; the filtering should look like (pseudo code):
FILTER:
INDEX: searchlight TYPE:OS: :Nova:: Server TERM:tenant_id=abc
INDEX: searchlight TYPE:OS: :Nova:: Server TERM:tenant_id=abc
SHOULD:
QUERY: <whatever query is>
The 'common' filters that are getting added (deletion flag, role based) can either be added as a top level MUST to the FILTER part (meaning, 'all of these common things plus one of the SHOULDs plus the query') or inside each SHOULD piece. The former is probably slightly more performant; the latter makes more sense given that facet querying has to use the same information and is self contained in plugins.