Here are the steps I have done
- Created users as in the screenshot with relevant attributes for DLS as in Users – USER1, USER2, USER3, USER4 as in the attachment users.PNG
- Created role record_index_ro_role as in the screenshot roles.PNG
- Record_index_ro_role has permissions as in the screenshot Index_permissions.PNG and index_permissions1.PNG
- I mapped users to the role as in the screenshot mapped_users.PNG
- record_index_acl_test is the index I created for the documents

USER1
kibanauser
security_attributes: "AUTHORIZED_USERS, ACL_001"

USER2
kibanauser
security_attributes: "AUTHORIZED_USERS,ACL_001,ACL_002"

USER3
kibanauser
security_attributes: "ACL_002,ACL_003,ACL_004"

USER4
kibanauser
security_attributes: "ACL_002,ACL_003"

Document ids and corresponding security_attributes for each document
24442682 - AUTHORIZED_USERS
24442675 - AUTHORIZED_USERS
7485251 - ACL_001, ACL_002
866739 - ACL_003, ACL_004, ACL_002
23543526 - ACL_001, ACL_005, ACL_002
Problem:
When I log in as USER1 and run the query GET /record_index_acl_test/_search, it returns all the documents not respecting the permissions on the documents. It is the same behavior for other users too.
Expectation:
USER1 search on record_index_acl_test should return 24442682, 24442675
USER2 search on record_index_acl_test should return 24442682, 24442675, 7485251
USER3 search on record_index_acl_test should return 866739
USER4 search on record_index_acl_test should return nothing
Here is the version of Elasticsearch that we are using:
{
  "name" : "odfe-opendistro-es-client-55b5597759-7b8mp",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "9k9XkFJ4QmuFAiT_rzNdlw",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "tar",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
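
Added example, not part of the original post and not Open Distro's own code: the expected results above are all consistent with one rule, that a document is visible only when every one of its security_attributes is held by the user, and this Python sketch encodes that rule as a test oracle for checking what a search actually returns. It also builds an Elasticsearch `terms_set` query expressing the same rule. Assumptions: the rule itself (inferred from the stated expectations), a keyword-mapped document field named `security_attributes`, and a hypothetical numeric field `security_attributes_count` holding the number of labels on each document.

```python
# Constructed from the users and documents listed in the post.
USERS = {
    "USER1": "AUTHORIZED_USERS, ACL_001",
    "USER2": "AUTHORIZED_USERS,ACL_001,ACL_002",
    "USER3": "ACL_002,ACL_003,ACL_004",
    "USER4": "ACL_002,ACL_003",
}
DOCS = {
    "24442682": ["AUTHORIZED_USERS"],
    "24442675": ["AUTHORIZED_USERS"],
    "7485251": ["ACL_001", "ACL_002"],
    "866739": ["ACL_003", "ACL_004", "ACL_002"],
    "23543526": ["ACL_001", "ACL_005", "ACL_002"],
}

def parse_attrs(raw):
    """Split the comma-separated user attribute, dropping stray spaces."""
    return {a.strip() for a in raw.split(",") if a.strip()}

def expected_visible(user):
    """Assumed rule: every label on the document is held by the user."""
    held = parse_attrs(USERS[user])
    return sorted(d for d, labels in DOCS.items() if set(labels) <= held)

def dls_query(user, count_field="security_attributes_count"):
    """terms_set query for the same rule; count_field is hypothetical and
    must store the number of labels on each document."""
    return {"terms_set": {"security_attributes": {
        "terms": sorted(parse_attrs(USERS[user])),
        "minimum_should_match_field": count_field}}}

def leaked(user, returned_ids):
    """Ids a search returned that the rule says the user must not see."""
    return sorted(set(returned_ids) - set(expected_visible(user)))

if __name__ == "__main__":
    for u in USERS:
        # Passing every document id models the reported behaviour
        # (the search returns all documents).
        print(u, "expected:", expected_visible(u), "leaked:", leaked(u, DOCS))
```

Feeding `leaked()` the ids from each user's real `_search` response gives a per-user regression check: an empty list for all four users means the role's DLS filter is being enforced.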