Cross-cluster API key query not working when replication is also defined

[renekalff]

Elasticsearch Version

8.12.1

Installed Plugins

No response

Java Version

bundled

OS Version

ECK

Problem Description

When a Cross-Cluster API key is created in the Kibana interface the default access template is to allow everything for both search and replication. When a query is added to the search definition to limit the search scope to specific documents access to all documents is still granted by the "replication" definition when a cross cluster search is performed.

Steps to Reproduce

1. Create a cross cluster api key in the remote cluster with the following definition:

{
  "search": [
    {
      "names": [
        "*"
      ],
      "query": "{\"term\":{\"myfield\":{\"value\":\"this_should_never_match\"}}}",
      "allow_restricted_indices": false
    }
  ],
  "replication": [
    {
      "names": [
        "*"
      ],
      "allow_restricted_indices": false
    }
  ]
}

2. Setup cross cluster search using the API key
3. Query the remote cluster from the local cluster. You get results that do not match the query.
4. Update the API key access to:

{
  "search": [
    {
      "names": [
        "*"
      ],
      "query": "{\"term\":{\"myfield\":{\"value\":\"this_should_never_match\"}}}",
      "allow_restricted_indices": false
    }
  ]
}

5. Query the remote cluster from the local cluster. You now get only results that match the query.

Logs (if relevant)

No response

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[jakelandis]

This has been resolved with #108600

8.14 will be the GA release of this functionality and will prohibit defining DLS/FLS queries when both search and replication are defined. Cross Cluster API keys created with this configuration before 8.14 will also be rejected. Unfortunately, rejecting this scenerio is the only plausible way to address this in the short term due to some deeply baked in implementation details.

If you need both search and replication, and need DLS for the search, you will need to use 2 different API keys with different 2 different remote cluster connections (one for search, and the other for replication). The technical overhead of 2 connections to the same cluster is minimal, and hopefully the functional overhead of managing 2 cross cluster API keys is also minimal. Alternatively, if it is the same admin that controls both clusters, then you could also omit the DLS on the cross cluster API key and introduce it instead on the local side via the "remote_indices" to enforce DLS.

Also, thanks @renekalff for the bug report ! If you want to send an email to [email protected] and reference this issue we may be able to provide some credit for this discovery per our security policy: https://github.com/elastic/elasticsearch/security/policy.