System/Clusterconfig: ES5.4.1 on 2 Nodes, SG-SSL-5.4.1-22 with Plugins: DFS/FLS, KibanaMultitenancy, LDAP
Hello Community,
I'm trying to configure the DLS/FLS-Feature. Looking into the example from
https://github.com/floragunncom/search-guard-docs/blob/master/addendum_b_permission_settings_examples.md i configured my installation like follow:
>>>>>> sg_internal_users.yml
frb_main:
hash: $2a$12$Fc0X...9YcFi
>>>>>> sg_roles_mapping.yml
sg_abteilung_main:
backendroles:
- 'Rolle Abteilung MAIN'
users:
- frb_main
>>>>>> sg_roles.yml
# Read all, but no write permissions
sg_abteilung_main:
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
'*':
'*':
- READ
_dls_: '{"term" : {"_type" : "secure"}}'
_fls_:
- 'message'
- '_type'
tenants:
main_tenant: RW
support_tenant: RO
I access the ES-Cluster via Kibana, login as user frb_main is possible without error.
As of the explaination in the example, i expected, with this configuration that user frb_main should only have access to documents of "_type"="secure" out of all indices, limited to fields "message" and "_type". But unfortunately this isn't working, the user has a) access to all documents in all indices and b) the _fls_ settings are also ignored, all fields are offered to the user.
Because i can not see any errors in the Logs, i checked already if the plugin is working in general by inserting a faulty query in "_dls_" -> as expected i can see errors in the logs, so the plugin is working (i think). Moving the DLSFLS-Settings to one Index doesn't resolve the problem. I also checked the index permission settings in sg_roles.yml in general by modifying the "indices"-Section -> this settings work as expected.
Can someone give me a hint, whats wrong with my config? Or some troubeshooting steps to find the problem?
I am thankful for every help :)
Kind regards
Frank