Are terms lookups incompatible within a document level security query?


Peter Wain

Jul 27, 2016, 5:24:26 PM7/27/16
to Search Guard
Terms lookup works as a normal query for an admin user with no DLS defined:

{"query": {"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}}


Using the same query within a role DLS in sg_roles.yml:

sg_role_billy:
  cluster:
    - '*'
  indices:
    'securetest':
      '*':
        - '*'
      _dls_: '{"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}'


Causes this error when a user with that role performs any query:

{
  "error": {
    "root_cause": [
      {
        "type": "engine_exception",
        "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=[]]];",
        "shard": "0",
        "index": "securetest"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "securetest",
        "node": "empZA0Z2R_WIMH7CJzDlag",
        "reason": {
          "type": "engine_exception",
          "reason": "failed to acquire searcher, source search",
          "shard": "0",
          "index": "securetest",
          "caused_by": {
            "type": "engine_exception",
            "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=[]]];",
            "shard": "0",
            "index": "securetest"
          }
        }
      }
    ]
  },
  "status": 500
}


But switching the role's DLS to use a regular terms query works fine:

sg_role_billy:
  cluster:
    - '*'
  indices:
    'securetest':
      '*':
        - '*'
      _dls_: '{"terms": {"_label": [ "AVYqSb1yfHqgYd1N3Po5", "AVYqSb21fHqgYd1N3Po_" ]}}'


Any ideas?
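As an added example (not code from this thread or from the Search Guard project), a small lint over the role structure of sg_roles.yml: it parses each _dls_ string and reports whether its terms clauses use the lookup form (index/id/path) or a literal value list, and for lookups checks that the lookup index is covered by the role's own index grants. That last check assumes the lookup is executed with the requesting user's privileges once the user is propagated; the sample roles are constructed from the two variants above.

```python
import json
from fnmatch import fnmatch

LOOKUP_KEYS = {"index", "id", "path"}  # marks the lookup form of a terms clause
BOOL_CLAUSES = ("must", "should", "filter", "must_not")

def find_terms_clauses(query):
    """Collect every terms clause in a query DSL tree, descending into bool clauses."""
    found = []
    for field, spec in query.get("terms", {}).items():
        if isinstance(spec, dict) and LOOKUP_KEYS.issubset(spec):
            found.append({"field": field, "lookup": True, "index": spec["index"]})
        else:
            found.append({"field": field, "lookup": False, "values": list(spec)})
    for clause in BOOL_CLAUSES:
        subs = query.get("bool", {}).get(clause, [])
        for sub in subs if isinstance(subs, list) else [subs]:
            found.extend(find_terms_clauses(sub))
    return found

def lint_roles(roles):
    """One finding per terms clause (or JSON parse failure) in each role's _dls_."""
    findings = []
    for role, spec in roles.items():
        indices = spec.get("indices", {})
        for index, perms in indices.items():
            try:
                query = json.loads(perms.get("_dls_", "{}"))  # no _dls_ -> nothing to check
            except ValueError as exc:
                findings.append(f"{role}/{index}: _dls_ is not valid JSON ({exc})")
                continue
            for c in find_terms_clauses(query):
                if not c["lookup"]:
                    findings.append(f"{role}/{index}: literal terms on '{c['field']}' ({len(c['values'])} values)")
                    continue
                # Assumption: the lookup runs with the requesting user's privileges,
                # so the role must also grant access to the lookup index.
                ok = any(fnmatch(c["index"], pat) for pat in indices)
                status = "granted" if ok else "NOT granted to this role"
                findings.append(f"{role}/{index}: terms lookup on '{c['field']}' reads '{c['index']}' ({status})")
    return findings

# Constructed sample mirroring the thread's two sg_roles.yml variants (for a real file, pass yaml.safe_load's result).
SAMPLE_ROLES = {
    "sg_role_billy": {"cluster": ["*"], "indices": {"securetest": {"*": ["*"], "_dls_":
        '{"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids"}}}'}}},
    "sg_role_literal": {"cluster": ["*"], "indices": {"securetest": {"*": ["*"], "_dls_":
        '{"terms": {"_label": ["AVYqSb1yfHqgYd1N3Po5", "AVYqSb21fHqgYd1N3Po_"]}}'}}},
}
```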

SG

Jul 27, 2016, 8:13:04 PM7/27/16
to search...@googlegroups.com
Good catch, thx. The current user was not propagated for the lookup.

Fixed in master with https://github.com/floragunncom/search-guard-module-dlsfls/commit/530547c8b2e61fc38ffb7003871d50d07ab17510

Can you download and test it?
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-module-dlsfls/2.3.3.2-SNAPSHOT/dlic-search-guard-module-dlsfls-2.3.3.2-20160728.000827-249-jar-with-dependencies.jar

Just delete the old dlsfls jar and use the above-mentioned one.

Peter Wain

Jul 28, 2016, 2:24:12 AM7/28/16
to Search Guard
Hey - thanks for the quick turnaround on that. Tested it and it appears to work as advertised :-)