Dls and fls not working in my roles
8 views
Skip to first unread message
David Albela
Mar 25, 2019, 12:20:18 PM3/25/19
to search...@googlegroups.com
Hello,
I installed Elasticsearch 6.6.1 version with Search Guard 24.1, Community Edition I used a Docker image created from https://github.com/khezen/docker-elasticsearch/ repository.
I added a new role in sg_roles.yml for the following index, type and all permission but with a _dls_ rule limitation:
test_role:
indices:
'humanresources':
'employees':
- '*'
_dls_: '{ "bool": { "must_not": { "match": { "department": "Management" }}}}'
Then, I created the user with the right hash:
test:
hash: 'HASHME'
roles:
- test_role
And set the mapping in the sg_roles_mapping.yml file:
test_role:
backendroles:
- test_role
hosts:
- "*"
users:
- test
I tried the same example with _dls_ y _fls_ options just to give only access to the matched document, creating before several different documents and indexes.
I run in other Docker image a Kibana with Search Guard that can connect to the ES and I can login with the use. Unfortunally, the user can access to all kind of documents and indexes, and of course, to all the fields. Looks like the _dsl_ and _fls_ is not working.
Do someone know what I am doing wrong?
Thanks in advance.
SG
Mar 25, 2019, 12:25:52 PM3/25/19
to search...@googlegroups.com
DLS and FLS are enterprise edition features and therefore not included (and not working) in the community version.
Pls. refer to our "Feature Comparison" to determine which features are included in the community version: https://search-guard.com/product/
> Am 25.03.2019 um 17:20 schrieb David Albela <elm...@gmail.com>:
>
> When asking questions, please provide the following information:
>
> * Search Guard and Elasticsearch version
> * Installed and used enterprise modules, if any
> * JVM version and operating system version
> * Search Guard configuration files
> * Elasticsearch log messages on debug level
> * Other installed Elasticsearch or Kibana plugins, if any
> hash: 'HASHME'
> roles:
> - test2_role
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/3b819d2a-d192-41bb-8e21-1a163f3a4f83%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Pls. refer to our "Feature Comparison" to determine which features are included in the community version: https://search-guard.com/product/
> Am 25.03.2019 um 17:20 schrieb David Albela <elm...@gmail.com>:
>
> When asking questions, please provide the following information:
>
> * Search Guard and Elasticsearch version
> * Installed and used enterprise modules, if any
> * JVM version and operating system version
> * Search Guard configuration files
> * Elasticsearch log messages on debug level
> * Other installed Elasticsearch or Kibana plugins, if any
>
> Hello,
>
> I installed Elasticsearch 6.6.1 version with Search Guard 24.1, Community Edition I used a Docker image created from https://github.com/khezen/docker-elasticsearch/ repository.
>
> I added a new role in sg_roles.yml with the following roles:
> Hello,
>
> I installed Elasticsearch 6.6.1 version with Search Guard 24.1, Community Edition I used a Docker image created from https://github.com/khezen/docker-elasticsearch/ repository.
>
>
> test_role:
> indices:
> 'humanresources':
> 'employees':
> - '*'
> _dls_: '{ "bool": { "must_not": { "match": { "department": "Management" }}}}'
>
> Then, I created the user with the right hash:
>
> test2:
> test_role:
> indices:
> 'humanresources':
> 'employees':
> - '*'
> _dls_: '{ "bool": { "must_not": { "match": { "department": "Management" }}}}'
>
> Then, I created the user with the right hash:
>
> hash: 'HASHME'
> roles:
> - test2_role
>
>
> And set the mapping in the sg_roles_mapping.yml file:
>
> test_role:
> backendroles:
> - test_role
> hosts:
> - "*"
> users:
> - test
>
>
> I tried the same example with _dls_ y _fls_ options just to give only access to the matched document, creating before several different documents and indexes.
>
> I run in other Docker image a Kibana with Search Guard that can connect to the ES and I can login with the use. Unfortunally, the user can access to all kind of documents and indexes, and of course, to all the fields. Looks like the _dsl_ and _fls_ is not working.
>
> Do someone know what I am doing wrong?
>
> Thanks in advance.
>
>
>
> --
>
> And set the mapping in the sg_roles_mapping.yml file:
>
> test_role:
> backendroles:
> - test_role
> hosts:
> - "*"
> users:
> - test
>
>
> I tried the same example with _dls_ y _fls_ options just to give only access to the matched document, creating before several different documents and indexes.
>
> I run in other Docker image a Kibana with Search Guard that can connect to the ES and I can login with the use. Unfortunally, the user can access to all kind of documents and indexes, and of course, to all the fields. Looks like the _dsl_ and _fls_ is not working.
>
> Do someone know what I am doing wrong?
>
> Thanks in advance.
>
>
>
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/3b819d2a-d192-41bb-8e21-1a163f3a4f83%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages