[BUG] `GET /_alias/<alias>` requires `indices:admin/aliases/get` on `*` instead of target index

[cwperks]

Description

Currently, using the GET /_alias/<alias> API requires the caller to have the indices:admin/aliases/get permission on the * index pattern, even when the alias resolves to a specific index (or set of indices).

This is overly permissive and prevents least-privilege configurations. A user with access to a specific index (or alias) should not need cluster-wide alias permissions in order to resolve that alias.

This issue also manifests indirectly through the SQL plugin due to changes introduced in:

opensearch-project/sql#2960

After that change, SQL queries that rely on alias resolution fail unless the user has indices:admin/aliases/get on *.

Steps to Reproduce

1. Create an index and alias:

   PUT my-index
   {
     "aliases": {
       "my-alias": {}
     }
   }

2. Create a role with limited permissions:

   {
     "index_permissions": [
       {
         "index_patterns": ["my-alias"],
         "allowed_actions": [
           "read",
           "indices:admin/aliases/get"
         ]
       }
     ]
   }

3. Assign the role to a user.

4. Call:

   GET /_alias/my-alias

Actual Behavior

The request fails with a security exception unless indices:admin/aliases/get is granted on the * index pattern.

The same issue causes SQL queries involving aliases to fail unless the user has alias permissions on *.

Expected Behavior

• GET /_alias/<alias> should authorize based on:

  • The alias supplied in the call

• A user with access to my-alias should be able to resolve my-index without requiring cluster-wide alias privileges.

• Forces overly broad index permissions

• Causes regressions in SQL usage involving aliases (post Resolve Alias Issues in Legacy SQL with Filters sql#2960)

Related

• SQL plugin regression: Resolve Alias Issues in Legacy SQL with Filters sql#2960
• Alias resolution authorization logic

[cwperks]

Closing this issue as expected behavior. GET /_alias/<alias> should require * on indices:admin/aliases/get because it needs to scan all indices to see if any of them have the supplied alias as an alias.

[cwperks]

I think the fix for this would rely in the SQL plugin..does the SQL plugin needs to even issue a GetAliasesRequest?

[cwperks]

Error message on the linked issue seems to be coming from GetFieldMappingsRequest: https://github.com/opensearch-project/sql/blob/cbcdbd6fc918e4a356480300c208aa76f468fbf1/legacy/src/main/java/org/opensearch/sql/legacy/executor/format/SelectResultSet.java#L174-L187

[aparajita31pandey]

@cwperks Naive question, how did we find this GET /_alias/<alias> requiring indices:admin/aliases/get is only coming via SQL Plugin ?