Resolve permissions issue with cluster:admin/scripts/painless/execute #86428

Closed
mattkime opened this issue May 4, 2022 · 1 comment · Fixed by #85512
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team

Comments

mattkime commented May 4, 2022

2nd attempt at #84591

references #48856 (comment)

tl;dr: the permission structure for the endpoint isn't useful for most users. If users can create runtime fields, they should have access to this API; they shouldn't need a specific permission set.

@mattkime mattkime added blocker :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team labels May 4, 2022
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@javanna javanna added >bug and removed blocker labels May 17, 2022
javanna added a commit that referenced this issue May 17, 2022
…#85512)

Painless execute allows users to validate their scripts. Some of the supported script contexts
support providing a sample document as well as an index to pull the mappings from.

The painless execute API requires cluster admin privileges today and while that's ok for the contexts that
don't support providing an index, it is not ideal when an index is provided. In fact users can run scripts
as part of the search API, which requires only the indices/read privilege on the indices that the user
is reading from.

This commit maps the painless execute action to an indices/read action when an index is specified, so that in
that case the same privileges as a search action will be requested to run painless execute.

Relates to #48856
Closes #86428
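
A simplified model of the privilege mapping the commit message describes, added here as an illustration and not Elasticsearch's own code. The `Role` shape, the wildcard matching and the sample roles are assumptions; only the action name and the read privilege come from the page.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Action name as it appears in the issue title.
PAINLESS_EXECUTE = "cluster:admin/scripts/painless/execute"


@dataclass
class Role:
    """Assumed, simplified role: cluster action patterns plus per-index privileges."""
    cluster: list = field(default_factory=list)
    indices: dict = field(default_factory=dict)  # index name pattern -> set of privileges


def required_privilege(index: Optional[str]):
    """Return (scope, target, privilege) that a painless execute request must satisfy."""
    if index:
        # An index was supplied: ask for what a search on that index would need.
        return ("index", index, "read")
    # No index: the request is still authorized as the cluster admin action.
    return ("cluster", None, PAINLESS_EXECUTE)


def authorize(role: Role, index: Optional[str] = None) -> bool:
    """Decide whether the role may run painless execute, optionally against an index."""
    scope, target, priv = required_privilege(index)
    if scope == "cluster":
        return any(fnmatchcase(priv, pat) for pat in role.cluster)
    return any(
        fnmatchcase(target, pat) and priv in privs
        for pat, privs in role.indices.items()
    )


# Constructed roles for illustration only.
analyst = Role(indices={"logs-*": {"read"}})
writer = Role(indices={"logs-*": {"write"}})
admin = Role(cluster=["cluster:admin/*"])

if __name__ == "__main__":
    print(authorize(analyst, "logs-2022"))  # read on the supplied index is enough
    print(authorize(analyst, "secrets"))    # no read on that index
    print(authorize(analyst))               # no index: cluster admin action required
    print(authorize(admin))
```

In this model the read privilege is checked against the index named in the request, so a role scoped to `logs-*` cannot use the API to pull mappings from any other index.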