A terms lookup works as a normal query for an admin user with no DLS defined:
{"query": {"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}}
Using the same query within a role DLS in sg_roles.yml:

sg_role_billy:
  cluster:
    - '*'
  indices:
    'securetest':
      '*':
        - '*'
      _dls_: '{"terms": {"_label": {"index": "securetest", "type": "userlabels", "id": "billy", "path": "allowedlabelids" }}}'
causes this error when a user with that role performs any query:

{
  "error": {
    "root_cause": [
      {
        "type": "engine_exception",
        "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=[]]];",
        "shard": "0",
        "index": "securetest"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "securetest",
        "node": "empZA0Z2R_WIMH7CJzDlag",
        "reason": {
          "type": "engine_exception",
          "reason": "failed to acquire searcher, source search",
          "shard": "0",
          "index": "securetest",
          "caused_by": {
            "type": "engine_exception",
            "reason": "Unable to handle document level security due to: [securetest] QueryParsingException[Failed to parse [{\"terms\": {\"_label\": {\"index\": \"securetest\", \"type\": \"userlabels\", \"id\": \"billy\", \"path\": \"allowedlabelids\" }}}]]; nested: ElasticsearchException[unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=[]]];",
            "shard": "0",
            "index": "securetest"
          }
        }
      }
    ]
  },
  "status": 500
}
But switching the role's DLS to use a regular terms query works fine:

sg_role_billy:
  cluster:
    - '*'
  indices:
    'securetest':
      '*':
        - '*'
      _dls_: '{"terms": {"_label": [ "AVYqSb1yfHqgYd1N3Po5", "AVYqSb21fHqgYd1N3Po_" ]}}'
Any ideas?
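The error above shows what the failing path is: a terms lookup makes Elasticsearch fetch the referenced document with an indices:data/read/get at query time, and inside a DLS filter that fetch runs as the plugin's internal user (`_sg_internal`, with no roles), which is rejected as unauthenticated. The working variant avoids the runtime fetch entirely by carrying the allowed values inline. The script below is an added example, not code from the issue or from the plugin: it resolves a terms-lookup DLS query into the equivalent inline terms query ahead of time and renders the sg_roles.yml entry in the shape shown above. The lookup document, the function names (`inline_terms_lookup`, `render_sg_role`, `resolve_path`) and the constructed label IDs are assumptions; in practice the lookup document would be read from the cluster by an authorised client when roles are generated.

```python
import json

# Constructed sample data (not from the issue): the document the terms
# lookup in the reported DLS query points at, keyed by (index, type, id).
LOOKUP_DOCS = {
    ("securetest", "userlabels", "billy"): {
        "allowedlabelids": ["AVYqSb1yfHqgYd1N3Po5", "AVYqSb21fHqgYd1N3Po_"],
    },
}

# The DLS query from the issue, as a Python dict.
TERMS_LOOKUP_DLS = {
    "terms": {
        "_label": {
            "index": "securetest",
            "type": "userlabels",
            "id": "billy",
            "path": "allowedlabelids",
        }
    }
}


def resolve_path(doc, path):
    """Walk a dotted 'path' into a document the way the terms lookup does
    and return the values found there as a list (empty if absent)."""
    current = doc
    for key in path.split("."):
        if not isinstance(current, dict) or key not in current:
            return []
        current = current[key]
    return list(current) if isinstance(current, list) else [current]


def inline_terms_lookup(dls_query, lookup_docs):
    """Rewrite a terms-lookup query into an equivalent inline terms query.

    Resolving the lookup before the role is written removes the query-time
    GET that runs as the internal user in the reported error. A missing
    document or path yields an empty terms list, which matches nothing
    (fail closed), mirroring what the lookup itself would do.
    """
    terms = dls_query.get("terms")
    if not isinstance(terms, dict) or len(terms) != 1:
        raise ValueError("expected a terms query on exactly one field")
    (field, spec), = terms.items()
    if isinstance(spec, list):
        return {"terms": {field: list(spec)}}  # already inline, nothing to do
    if not isinstance(spec, dict) or not {"index", "id", "path"} <= set(spec):
        raise ValueError("terms lookup needs 'index', 'id' and 'path'")
    doc = lookup_docs.get((spec["index"], spec.get("type"), spec["id"]), {})
    return {"terms": {field: resolve_path(doc, spec["path"])}}


def render_sg_role(role_name, index, dls_query):
    """Render an sg_roles.yml entry in the shape used in the issue, with the
    DLS query serialised as compact JSON inside a YAML single-quoted scalar
    (single quotes inside the JSON are doubled, as YAML requires)."""
    dls = json.dumps(dls_query, separators=(",", ":")).replace("'", "''")
    return "\n".join([
        f"{role_name}:",
        "  cluster:",
        "    - '*'",
        "  indices:",
        f"    '{index}':",
        "      '*':",
        "        - '*'",
        f"      _dls_: '{dls}'",
    ])


if __name__ == "__main__":
    inline = inline_terms_lookup(TERMS_LOOKUP_DLS, LOOKUP_DOCS)
    print(render_sg_role("sg_role_billy", "securetest", inline))
```

Running it prints the same sg_role_billy entry as the working configuration above. The trade-off is that the values are frozen into the role file, so the role has to be regenerated whenever the user's allowed labels change, whereas the lookup form would have followed the document automatically had the internal fetch been permitted.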