Constraint overcome from parent folder #12
Description
Hi! I was following the instructions on readme.md. I built the same folder structure: /aaa and /bbb with users admin (role admin) and testuser (role user). I constrained /aaa to be accessed only by admin (methods get, post, put and delete) and /bbb only by testuser (method get). Everything works as expected when a request is done using the complete path (/aaa or /bbb): testuser cannot query /aaa. However, if he runs a query against /, it is allowed, and the content of /aaa appears in the output, effectively overcoming the restriction. Is this the normal behavior? I tried to solve the problem restricting access to / to only admin, but then testuser cannot access /bbb anymore. Am I doing something wrong?
Below I reproduce the problem. Any help will be highly appreciated. Thanks in advance,
Alberto Morell.
I create the documents:
$ curl -XPUT 'http://localhost:9200/aaa/user/1?pretty' -d '{"name":"ana"}'
{
"_index" : "aaa",
"_type" : "user",
"_id" : "1",
"_version" : 1,
"created" : true
}
$ curl -XPUT 'http://localhost:9200/bbb/user/1?pretty' -d '{"name":"bertha"}'
{
"_index" : "bbb",
"_type" : "user",
"_id" : "1",
"_version" : 1,
"created" : true
}
$
I create the users admin and testuser:
$ curl -XPUT 'http://localhost:9200/_auth/account/' -d '{"authenticator":"index","username":"admin","password":"**","roles":["admin"]}'
{"status":200}
$ curl -XPUT 'http://localhost:9200/_auth/account/' -d '{"authenticator":"index","username":"testuser","password":"**","roles":["user"]}'
{"status":200}
$
I create the constraints: admin can read and modify /aaa, testuser can read /bbb
$ curl -XPOST 'http://localhost:9200/security/constraint/' -d '{"authenticator":"index","paths":["/aaa"],"methods":["get","post","put","delete"],"roles":["admin"]}'
{"_index":"security","_type":"constraint","_id":"5rCfY7OsQs-d_1SfWNtuTQ","_version":1,"created":true}
$ curl -XPOST 'http://localhost:9200/security/constraint/' -d '{"authenticator":"index","paths":["/bbb"],"methods":["get"],"roles":["user"]}'
{"_index":"security","_type":"constraint","_id":"Vi1H1bdaSEu29gdGfx-0fw","_version":1,"created":true}
$
I reload the configuration:
$ curl -XPOST 'http://localhost:9200/_auth/reload'
{"status":200}
$
Now both indexes are restricted:
$ curl 'http://localhost:9200/aaa/_search?q=*&pretty'
{"status":403,"message":"Forbidden. Not authorized."}
$ curl 'http://localhost:9200/bbb/_search?q=*&pretty'
{"status":403,"message":"Forbidden. Not authorized."}
$
Then, I login:
$ curl -XPOST 'http://localhost:9200/login' -d '{"username":"admin","password":"**"}'
{"status":200,"token":"d0c2a57f0eb91cc370766f588bb3c0626563fd96f980dad32f284e75f80e1eda4fec38a03cee7eb5ce2b9f1ce8fe7227f8b5227e63c2617340fa7c5e947e49c7"}
$ curl -XPOST 'http://localhost:9200/login' -d '{"username":"testuser","password":"ok"}'
{"status":200,"token":"becd87b639b98d102f5effea2b852a264e7e50a2fee5cee14fdfa52aee87f0ba8ff7197c6167150d0ec2776e604eccc6dd2b497f964ede54d07be7f868c3a09c"}
$
Now testuser can access /bbb:
$ curl 'http://localhost:9200/bbb/_search?q=*&token=becd87b639b98d102f5effea2b852a264e7e50a2fee5cee14fdfa52aee87f0ba8ff7197c6167150d0ec2776e604eccc6dd2b497f964ede54d07be7f868c3a09c&pretty'
{
"took" : 2,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 1,
"max_score" : 1.0,
"hits" : [ {
"_index" : "bbb",
"_type" : "user",
"_id" : "1",
"_score" : 1.0,
"_source":{"name":"bertha"}
} ]
}
}
$
and not /aaa:
$ curl 'http://localhost:9200/aaa/_search?q=*&token=becd87b639b98d102f5effea2b852a264e7e50a2fee5cee14fdfa52aee87f0ba8ff7197c6167150d0ec2776e604eccc6dd2b497f964ede54d07be7f868c3a09c&pretty'
{"status":403,"message":"Forbidden. Not authorized."}
$
but can access / (and therefore /aaa):
$ curl 'http://localhost:9200/_search?q=*&token=becd87b639b98d102f5effea2b852a264e7e50a2fee5cee14fdfa52aee87f0ba8ff7197c6167150d0ec2776e604eccc6dd2b497f964ede54d07be7f868c3a09c&pretty&size=100' | less
...
{
"_index" : "aaa",
"_type" : "user",
"_id" : "1",
"_score" : 1.0,
"_source":{"name":"ana"}
},
...
$
effectively overcoming the original constraint.
I can restrict the access to /:
$ curl -XPOST 'http://localhost:9200/security/constraint/' -d '{"authenticator":"index","paths":["/"],"methods":["get","post","put","delete"],"roles":["admin"]}'
{"_index":"security","_type":"constraint","_id":"_4j0lGjBSLmq5wzXxJp9og","_version":1,"created":true}
$ curl -XPOST 'http://localhost:9200/_auth/reload'
{"status":200}
$
but now testuser loses access to /bbb:
$ curl 'http://localhost:9200/bbb/_search?q=*&token=becd87b639b98d102f5effea2b852a264e7e50a2fee5cee14fdfa52aee87f0ba8ff7197c6167150d0ec2776e604eccc6dd2b497f964ede54d07be7f868c3a09c&pretty&size=100'
{"status":403,"message":"Forbidden. Not authorized."}
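Added illustration, not part of the original report and not the plugin's own code: a Python model of path-prefix constraint matching that reproduces every response shown above, next to a variant that authorizes against each index a request resolves to. The matching rules, function names and the index-resolution step are assumptions made for the example; `target_indices` also handles comma-separated and wildcard index names, which goes beyond the single `/_search` case in the report.

```python
import fnmatch

# Constraints and indices taken from the report; everything else is assumed.
CONSTRAINTS = [
    {"paths": ["/aaa"], "methods": ["get", "post", "put", "delete"], "roles": ["admin"]},
    {"paths": ["/bbb"], "methods": ["get"], "roles": ["user"]},
]
ROOT_ADMIN = {"paths": ["/"], "methods": ["get", "post", "put", "delete"], "roles": ["admin"]}
INDICES = ["aaa", "bbb"]


def _permits(constraint, method, roles):
    """True when the method is listed and the caller holds one of the roles."""
    return method.lower() in constraint["methods"] and bool(set(roles) & set(constraint["roles"]))


def _covers(prefix, path):
    # "/" covers every path; "/aaa" covers "/aaa" and "/aaa/...", not "/aaab".
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def prefix_check(path, method, roles, constraints):
    """Modelled behaviour: only constraints whose path prefixes the URL apply."""
    applicable = [c for c in constraints if any(_covers(p, path) for p in c["paths"])]
    return all(_permits(c, method, roles) for c in applicable)


def target_indices(path, indices):
    """Indices a request touches; no index segment (e.g. /_search) means all."""
    first = path.strip("/").split("/")[0]
    if first == "" or first.startswith("_"):
        return list(indices)  # conservative: treat every "_" endpoint as all indices
    patterns = first.split(",")
    return [i for i in indices if any(fnmatch.fnmatchcase(i, p) for p in patterns)]


def index_check(path, method, roles, constraints, indices):
    """Hardened variant: the URL and every resolved index must both be permitted."""
    return prefix_check(path, method, roles, constraints) and all(
        prefix_check("/" + i, method, roles, constraints)
        for i in target_indices(path, indices)
    )
```

Both functions take the URL path without its query string; `roles` is an empty list for a request that carries no token.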