Document Level Security & nested search


Andreas Berre

Jan 30, 2018, 4:32:03 AM1/30/18
to Search Guard Community Forum
Hi, 

Using elastic 6.1.2 and search guard 6.1.2-20.1, and setting up a solution which includes the following DSL configuration

sg_some_role:
  indices:
    'some_index':
      '*':
        - UNLIMITED
      _dls_: '{"term": {"a_field": "${attr.jwt.a_claim}"}}'

This works fine; any result where the field does not match is excluded.

However, the type being filtered contains nested objects, and the search includes a nested query on this type. I notice that when the DLS is applied I lose all nested hits in the query result. Removing the DLS solves the problem.

I'm guessing the solution is related to how the DLS query is applied? Any suggestions?


Regards, 
Andreas

Andreas Berre

Jan 30, 2018, 8:57:39 AM1/30/18
to Search Guard Community Forum
Tested on a minimal setup, with DLS on the sg_all_access role:

sg_all_access:
  indices:
    '*':
      '*':
        - UNLIMITED
      _dls_: '{"term": {"owner": "${user.name}"}}'


PUT /my_index
{
    "mappings": {
        "my_type" : {
            "properties" : {
                "owner" : {"type": "text"},
                "my_nested_object" : {"type" : "nested"}
            }
        }
    }
}

PUT /my_index/my_type/1 
{
    "owner" : "admin",
    "my_nested_object" : {"name": "spock"}
}

GET /_search
{
  "query": {
    "nested": {
      "path": "my_nested_object",
      "query": {
        "match": {"my_nested_object.name" : "spock"}
      },
      "inner_hits": {} 
    }
  }
}

Result without DLS:

{
    "_shards": {
        "failed": 0, 
        "skipped": 0, 
        "successful": 5, 
        "total": 5
    }, 
    "hits": {
        "hits": [
            {
                "_id": "1", 
                "_index": "my_index", 
                "_score": 0.2876821, 
                "_source": {
                    "owner": "admin", 
                    "my_nested_object": {
                        "name": "spock"
                    }
                }, 
                "_type": "my_type", 
                "inner_hits": {
                    "my_nested_object": {
                        "hits": {
                            "hits": [
                                {
                                    "_nested": {
                                        "field": "my_nested_object", 
                                        "offset": 0
                                    }, 
                                    "_score": 0.2876821, 
                                    "_source": {
                                        "name": "spock"
                                    }
                                }
                            ], 
                            "max_score": 0.2876821, 
                            "total": 1
                        }
                    }
                }
            }
        ], 
        "max_score": 0.2876821, 
        "total": 1
    }, 
    "timed_out": false, 
    "took": 59
}

Result with DLS:

{
    "_shards": {
        "failed": 0, 
        "skipped": 0, 
        "successful": 5, 
        "total": 5
    }, 
    "hits": {
        "hits": [
            {
                "_id": "1", 
                "_index": "my_index", 
                "_score": 0.2876821, 
                "_source": {
                    "owner": "admin", 
                    "my_nested_object": {
                        "name": "spock"
                    }
                }, 
                "_type": "my_type", 
                "inner_hits": {
                    "my_nested_object": {
                        "hits": {
                            "hits": [], 
                            "max_score": null, 
                            "total": 0
                        }
                    }
                }
            }
        ], 
        "max_score": 0.2876821, 
        "total": 1
    }, 
    "timed_out": false, 
    "took": 39
}
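An added model of the symptom shown above (it is not code from the thread, from Search Guard or from Elasticsearch): an Elasticsearch document with a nested object is stored as a block of Lucene documents, the hidden nested children first and the parent last, and only the parent carries `owner`. A DLS term filter on `owner` therefore admits the parent but no child, which is exactly a hit with empty `inner_hits`. The `parent_join_dls` variant is a hypothetical contrast that admits a child when its parent passes, not a description of the fix shipped in Search Guard.

```python
# Added model, not Search Guard or Elasticsearch code: one ES document with a nested
# object is a Lucene block (hidden child docs, then the parent); parent_join_dls is hypothetical.
from dataclasses import dataclass

@dataclass
class LuceneDoc:
    fields: dict        # indexed fields of this Lucene document
    is_nested: bool     # True for hidden nested child documents
    parent: int = -1    # block position of the parent (children only)

def index_block(parent_fields, nested_path, nested_objects):
    """Lucene docs for one ES document: children first, then the parent."""
    kids = [LuceneDoc({f"{nested_path}.{k}": v for k, v in o.items()}, True, len(nested_objects))
            for o in nested_objects]
    return kids + [LuceneDoc(dict(parent_fields), False)]

def term_filter(docs, f, value):
    """Positions of Lucene docs whose field f equals value (a TermQuery)."""
    return {i for i, d in enumerate(docs) if d.fields.get(f) == value}

def naive_dls(docs, dls_field, dls_value):
    """DLS as a bare term filter: children carry no 'owner', so none pass."""
    return term_filter(docs, dls_field, dls_value)

def parent_join_dls(docs, dls_field, dls_value):
    """Also admit a child whenever its parent passes the DLS filter."""
    ok = term_filter(docs, dls_field, dls_value)
    return ok | {i for i, d in enumerate(docs) if d.is_nested and d.parent in ok}

def nested_search(docs, allowed, nested_path, f, value):
    """Nested query with inner_hits -> {parent_pos: [child_pos, ...]}. The parent is a hit
    if a child matches and the parent passes DLS; inner_hits keeps children passing DLS."""
    hits = {}
    for i, d in enumerate(docs):
        if not (d.is_nested and d.fields.get(f"{nested_path}.{f}") == value):
            continue                      # not a matching nested child
        if d.parent in allowed:           # parent passes DLS -> top-level hit
            hits.setdefault(d.parent, []).extend([i] if i in allowed else [])
    return hits

def run(dls, user="admin"):
    """Index the thread's document and run its nested query under the given DLS."""
    docs = index_block({"owner": "admin"}, "my_nested_object", [{"name": "spock"}])
    allowed = dls(docs, "owner", user)   # ${user.name} substituted with `user`
    return nested_search(docs, allowed, "my_nested_object", "name", "spock")

if __name__ == "__main__":
    print(run(naive_dls))         # {1: []}  a hit with empty inner_hits, as in the thread
    print(run(parent_join_dls))   # {1: [0]} inner_hits restored
    print(run(naive_dls, "bob"))  # {}       a non-owner still gets no hit
```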

SG

Jan 31, 2018, 3:34:51 PM1/31/18
to search...@googlegroups.com
Good catch, I looked into this and will fix it soon.

Thx for reporting

Jochen Kressin

Feb 5, 2018, 5:20:31 AM2/5/18
to Search Guard Community Forum
Will be fixed with the next version of Search Guard this Wednesday/Thursday.

Jochen Kressin

Feb 9, 2018, 7:52:24 PM2/9/18
to Search Guard Community Forum
This is fixed with 6.x-21 version of Search Guard.