DLS in RC1

23 views
Skip to first unread message

djtecha

unread,
Jun 13, 2016, 1:56:54 PM6/13/16
to Search Guard
So I'm trying to play with the DLS stuff and I downloaded the jar and try to set up a anonymous user like so:

sg_public:
  cluster:
    - '*'
  indices:
    '*':
     '*':
        - READ
        - indices:admin/mappings/fields/get*
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
  dls: '{"term" : {"_type" : "courier"}}'


This should all any user to to view documents of type courier. But when I try to navigate in kibana I get the following in the ES logs:

RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index]]; nested: RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index[p]]]; nested: DocumentAlreadyExistsException[[config][4.5.0]: document already exists];
Caused by: RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index[p]]]; nested: DocumentAlreadyExistsException[[config][4.5.0]: document already exists];
Caused by: [.kibana][[.kibana][0]] DocumentAlreadyExistsException[[config][4.5.0]: document already exists]
at org.elasticsearch.index.engine.InternalEngine.innerCreateNoLock(InternalEngine.java:421)
at org.elasticsearch.index.engine.InternalEngine.innerCreate(InternalEngine.java:378)
at org.elasticsearch.index.engine.InternalEngine.create(InternalEngine.java:349)
at org.elasticsearch.index.shard.IndexShard.create(IndexShard.java:545)
at org.elasticsearch.index.engine.Engine$Create.execute(Engine.java:810)
at org.elasticsearch.action.index.TransportIndexAction.executeIndexRequestOnPrimary(TransportIndexAction.java:237)
at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:158)
at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:66)
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryPhase.doRun(TransportReplicationAction.java:639)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:279)
at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:271)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService.messageReceivedDecorate(SearchGuardSSLTransportService.java:161)
at com.floragunn.searchguard.transport.SearchGuardTransportService.messageReceivedDecorate(SearchGuardTransportService.java:232)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor.messageReceived(SearchGuardSSLTransportService.java:100)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:75)
at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:376)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)


If I comment out the dls stuff it works fine, but obviously the user isn't restricted. Should I just wait for a later release or am I doing something wrong here?

Daniel Kasen

unread,
Jun 13, 2016, 2:15:26 PM6/13/16
to search...@googlegroups.com
Hmm nvm, I suppose it just took a little bit to work. Although that error still shows up, but the DLS is working correctly.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/275f97f3-3ede-4a13-b638-2eb0c94af105%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Daniel Kasen

unread,
Jun 13, 2016, 4:30:16 PM6/13/16
to search...@googlegroups.com
Well now i'm not sure, appears to do some weird caching. And if it's a fresh load it gives you the status page with the error:  [document_already_exists_exception] [config][4.5.0]: document already exists, with: {"shard":"0","index":".kibana"}

SG

unread,
Jun 15, 2016, 4:00:04 AM6/15/16
to search...@googlegroups.com
this will be fixed in the final release, thx
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAArf3736UFf0JypzmOUWMrQip2jS3FUmghVCXa5wm2PurmH37Q%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages