Attribute Based Security

I have a use case where I need to restrict access to documents in an Elasticsearch index based on the ACL of the user executing the query and the security attributes on the document. I was told to use Attribute Based Security, and it seems to work with "terms set", where the user ACL has to match the document security attribute. But what we are interested in is that the user could have an ACL equal to or greater than the document ACL.
Simple example:
DOC1 = SEC_ATTR[1, 2],
Users info:


Now when searching, the expected results are:
USER1 will see just DOC2
USER2 will see NO document
USER3 will see DOC1 and DOC2
USER4 will see all 3 docs.

But the observed results are:
USER1 will see just DOC2
USER2 will see NO document
USER3 will see DOC1 and DOC2
USER4 will NOT SEE ANY DOCUMENT. (which is wrong for our use case).

If I understand it correctly, what you need is to dynamically define minimum_should_match to be the length of SEC_ATTR from the document. You can achieve this with minimum_should_match_script and Document level security's role query templating.

Assuming the document is something like the following:

  {
    "sec_attr": ["1", "2", "3"]
  }

and the user has metadata like the following:

  {
    "username": "user4",
    "metadata": {
      "sec_attr": [ "1", "2", "3", "4" ]
    }
  }

You can define the role query to be something like:

  {
    "terms_set": {
      "sec_attr": {
        "terms": {{#toJson}}_user.metadata.sec_attr{{/toJson}},
        "minimum_should_match_script": {
          "source": "doc['sec_attr'].size()"
        }
      }
    }
  }

Note you'll need to escape the double quotes when composing the role, as shown in the documentation.
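To make the semantics of this role query concrete, here is an added example (not from this thread, and not Elasticsearch's own code) that mimics what the cluster does per user: the DLS query string is a Mustache template, the toJson tag is rendered with the user's metadata, and the resulting terms_set query is evaluated with minimum_should_match equal to the number of attributes on the document. The field name sec_attr, the user metadata layout, the role body shape and all documents and users are constructed here; the users and documents are chosen to reproduce the expectation pattern described in the question (USER1 sees one document, USER2 none, USER3 two, USER4 all).

```python
import json

# Added example: a toy stand-in for Elasticsearch's DLS role query rendering
# and terms_set evaluation.  Field names and all sample data are constructed.

# The role query as stored in the role: a JSON string that is a Mustache
# template.  {{#toJson}}...{{/toJson}} is replaced with the user's metadata
# value at query time, so the string is not valid JSON before rendering.
DLS_QUERY_TEMPLATE = (
    '{"terms_set": {"sec_attr": {'
    '"terms": {{#toJson}}_user.metadata.sec_attr{{/toJson}}, '
    '"minimum_should_match_script": {"source": "doc[\'sec_attr\'].size()"}}}}'
)


def role_body(index_name, query_template):
    """Role definition shaped like the body of PUT /_security/role/<name>.
    The query travels as a string, which is why its quotes end up escaped."""
    return {"indices": [{"names": [index_name],
                         "privileges": ["read"],
                         "query": query_template}]}


def role_json(index_name, query_template):
    """Serialised role body; shows the escaped double quotes inside "query"."""
    return json.dumps(role_body(index_name, query_template))


def render_template(template, user):
    """Toy rendering of the toJson Mustache tag for one user.  Assumption: the
    path inside the tag always starts at _user (e.g. _user.metadata.sec_attr)."""
    open_tag, close_tag = "{{#toJson}}", "{{/toJson}}"
    rendered = template
    while open_tag in rendered:
        start = rendered.index(open_tag)
        end = rendered.index(close_tag, start)
        path = rendered[start + len(open_tag):end].split(".")
        value = user
        for key in path[1:]:          # skip the leading "_user"
            value = value[key]
        rendered = (rendered[:start] + json.dumps(value)
                    + rendered[end + len(close_tag):])
    return json.loads(rendered)


def terms_set_matches(query, doc):
    """Minimal terms_set semantics: count the query terms present in the field
    and compare with the minimum computed by the script.  Only the script
    shape used above, doc['<field>'].size(), is understood here."""
    (field, body), = query["terms_set"].items()
    values = doc.get(field, [])
    script = body["minimum_should_match_script"]["source"]
    if script != f"doc['{field}'].size()":
        raise ValueError(f"unsupported script: {script}")
    required = len(values)      # every attribute on the document must be covered
    matched = sum(1 for term in body["terms"] if term in values)
    # Note: a document with no attributes has required == 0 and is visible to
    # everyone under this rule; decide explicitly whether that is intended.
    return matched >= required


def visible_docs(user, docs, template=DLS_QUERY_TEMPLATE):
    """Ids of the documents the user would get back from a search."""
    query = render_template(template, user)
    return [doc_id for doc_id, doc in docs.items() if terms_set_matches(query, doc)]


# Constructed sample data (not the thread's real data), shaped to reproduce
# the expectation pattern from the question.
DOCS = {
    "DOC1": {"sec_attr": ["1", "2"]},
    "DOC2": {"sec_attr": ["1"]},
    "DOC3": {"sec_attr": ["1", "2", "3"]},
}
USERS = {
    "USER1": {"metadata": {"sec_attr": ["1"]}},
    "USER2": {"metadata": {"sec_attr": ["2"]}},
    "USER3": {"metadata": {"sec_attr": ["1", "2"]}},
    "USER4": {"metadata": {"sec_attr": ["1", "2", "3", "4"]}},
}

if __name__ == "__main__":
    print(role_json("record_index", DLS_QUERY_TEMPLATE))
    for name, user in USERS.items():
        print(name, "sees", visible_docs(user, DOCS))
```

Because the minimum is taken from the document side, the rule is exactly "the document's attribute set is a subset of the user's attribute set", which is the equal-to-or-greater-than relation the question asks for; the printed role body also shows the quote escaping the reply mentions.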

Please provide a minimal, working example of what you have tried so far that produced the "observed results" you reported.

Here are the steps I have done:

  1. Created users with the relevant attributes for DLS – USER1, USER2, USER3, USER4 – as in the attachment users.PNG
  2. Created role record_index_ro_role as in the screenshot roles.PNG
  3. Record_index_ro_role has permissions as in the screenshot Index_permissions.PNG and index_permissions1.PNG
  4. I mapped users to the role as in the screenshot mapped_users.PNG
  5. record_index_acl_test is the index I created for the documents

  security_attributes: "AUTHORIZED_USERS, ACL_001"
  security_attributes: "AUTHORIZED_USERS,ACL_001,ACL_002"
  security_attributes: "ACL_002,ACL_003,ACL_004"
  security_attributes: "ACL_002,ACL_003"

Document ids and corresponding security_attributes for each document:

  7485251 - ACL_001, ACL_002
  866739 - ACL_003, ACL_004, ACL_002
  23543526 - ACL_001, ACL_005, ACL_002

Problem:

When I log in as USER1 and run the query GET /record_index_acl_test/_search, it returns all the documents not respecting the permissions on the documents. It is the same behavior for other users too.

Expectation:

USER1 search on record_index_acl_test should return 24442682, 24442675

USER2 search on record_index_acl_test should return 24442682, 24442675, 7485251

USER3 search on record_index_acl_test should return 866739

USER4 search on record_index_acl_test should return nothing

Here is the version of Elasticsearch that we are using:

  {
    "name" : "odfe-opendistro-es-client-55b5597759-7b8mp",
    "cluster_name" : "elasticsearch",
    "cluster_uuid" : "9k9XkFJ4QmuFAiT_rzNdlw",
    "version" : {
      "number" : "7.10.2",
      "build_flavor" : "oss",
      "build_type" : "tar",
      "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
      "build_date" : "2021-01-13T00:42:12.435326Z",
      "build_snapshot" : false,
      "lucene_version" : "8.7.0",
      "minimum_wire_compatibility_version" : "6.8.0",
      "minimum_index_compatibility_version" : "6.0.0-beta1"
    },
    "tagline" : "You Know, for Search"
  }


In order to help you here, we really need a self-contained, step-by-step example of where you've gotten to.

For example:

I created these users:

  PUT /_security/user/user1
  {
    "password": "password",
    "roles": [ "dls-test" ],
    "metadata": { "security_attributes": [ "ACL_001" ] }
  }

  PUT /_security/user/user2
  {
    "password": "password",
    "roles": [ "dls-test" ],
    "metadata": { "security_attributes": [ "ACL_001", "ACL_002" ] }
  }

And these documents:

  PUT /dls-index/_doc/7485251
  {
    "name": "test doc 1",
    "acl": [ "ACL_001", "ACL_002" ],
    "acl_count": 2
  }


Then I used this role ...

  PUT /_security/role/dls-test
  // ...

and I got these results ...

If you provide a worked example with details like that, then I can work through it and offer suggestions about where you're running into problems and how to resolve them.

Otherwise I need to build up a complete reproduction myself, guess all the details you haven't provided, and then guess where the problem might be.

We're very happy to help you out, but there's only so much time we have available to offer help on these forums - you can make it easy for us by giving us everything we need to quickly reproduce your issue.
