Attribute Based Security

workenehg · August 5, 2021, 7:54pm

I have a use case where I need to restrict access to documents in an Elasticsearch index based on the user executing the query ACL and the security attributes on the document. i was told to use Attribute based Security and it seems to work with "terms set" where the user ACL will have to match with the Document Security Attribute. But what we are interested in is the user could have an ACL equal to or/and greater than the Document ACL.
simple example.
DOC1= SEC_ATTR[1, 2],
DOC2= SEC_ATTR[1]
DOC3=SEC_ATTR[1,2,3]
Users Info

USER1 = SEC_ATTR[1]
USER2 = SEC_ATTR[2,3]
USER3 = SEC_ATTR[1,2]
USER4=SEC_ATTR[1.2.3.4]

now when searching the expected results are
USER1 will see just DOC2
USER2 will see NO document
USER3 will see DOC1 and DOC2
USER4 will see all 3 docs.

but the observed results are
USER1 will see just DOC2
USER2 will see NO document
USER3 will see DOC1 and DOC2
USER4 will NOT SEE ANY DOCUMENT. (which is wrong for our use case).

Yang_Wang · August 9, 2021, 1:04am

If I understand it correctly, what you need is to dynamically define minimum_should_match to be the length of SEC_ATTR from the document. You can achieve this with minimum_should_match_script and Document level security's role query templating.

Assuming the document is something like the follows:

{
  "sec_attr": ["1", "2", "3"],
  ... 
}

and the user has metadata like the follows

{
  "username": "user4",
  "metadaeta": {
    "sec_attr": [ "1", "2", "3", "4" ]
  },
  ...
}

You can define the role query to be something like:

{
  "terms_set": {
    "attributes": {
      "terms": {{#toJson}}_user.metadata.sec_attr{{/toJson}},
      "minimum_should_match_script": {
        "source": "doc['sec_attr'].size()"
      }
    }
  }
}

Note you'll need escape the double quotes when composing the role as shown in the documentation.

TimV · August 9, 2021, 5:37am

Please provide a minimal, working example of what you have tried so far that produced the "observed results" you reported.

workenehg · August 11, 2021, 9:12pm

Here are the steps I have done

Created users as in the screenshot with relevant attributes for DLS as in Users – USER1, USER2, USER3, USER4 as in the attachment users.PNG
Created role record_index_ro_role as in the screenshot roles.PNG
Record_index_ro_role has permissions as in the screenshot Index_permissions.PNG and index_permissions1.PNG
I mapped users to the role as in the screenshot mapped_users.PNG
record_index_acl_test is the index I created for the documents

USER1

kibanauser

security_attributes: "AUTHORIZED_USERS, ACL_001"

USER2

kibanauser

security_attributes: "AUTHORIZED_USERS,ACL_001,ACL_002"

USER3

kibanauser

security_attributes: "ACL_002,ACL_003,ACL_004"

USER4

kibanauser

security_attributes: "ACL_002,ACL_003"

Document ids and corresponding security_attributes for each document

24442682 - AUTHORIZED_USERS

24442675 - AUTHORIZED_USERS

7485251 - ACL_001, ACL_002

866739 - ACL_003, ACL_004, ACL_002

23543526 - ACL_001, ACL_005, ACL_002

Problem :

When I log in as USER1 and run the query GET /record_index_acl_test/_search, it returns all the documents not respecting the permissions on the documents. It is the same behavior for other users too.

Expectation :

USER1 search on record_index_acl_test should return 24442682, 24442675

USER2 search on record_index_acl_test should return 24442682, 24442675, 7485251

USER3 search on record_index_acl_test should return 866739

USER4 search on record_index_acl_test should return nothing

Here is the version of elastic search that we are using

{

"name" : "odfe-opendistro-es-client-55b5597759-7b8mp",

"cluster_name" : "elasticsearch",

"cluster_uuid" : "9k9XkFJ4QmuFAiT_rzNdlw",

"version" : {

"number" : "7.10.2",

"build_flavor" : "oss",

"build_type" : "tar",

"build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",

"build_date" : "2021-01-13T00:42:12.435326Z",

"build_snapshot" : false,

"lucene_version" : "8.7.0",

"minimum_wire_compatibility_version" : "6.8.0",

"minimum_index_compatibility_version" : "6.0.0-beta1"

},

"tagline" : "You Know, for Search"

}

TimV · August 13, 2021, 1:46am

In order to help you here we really need a self contained, step by step example of where you've gotten to.

For example:

I created these users:

PUT /_security/user/user1
{
  "password": "password",
  "roles": [ "dls-test" ],
  "metadata": { "security_attributes": [ "ACL_001" ] }
}

PUT /_security/user/user2
{
  "password": "password",
  "roles": [ "dls-test" ],
  "metadata": { "security_attributes": [ "ACL_001", "ACL_002" ] }
}

etc

And these documents:

PUT /dls-index/_doc/7485251
{
  "name": "test doc 1",
  "acl": [ "ACL_001", "ACL_002" ], 
  "acl_count": 2
}

...

Then I used this role ...

PUT /_security/role/dls-test
{
// ...
}

and I got these results ...

If you provide an worked example with details like that, then I can work through it and offer suggestions about where you're running into problems and how to resolve them.

Otherwise I need to build up a complete reproduction myself, guess all the details you haven't provided, and then guess where the problem might be.

We're very happy to help you out, but there's only so much time we have available to offer help on these forums - you can make it easy for us by giving us everything we need to quickly reproduce your issue.

system · September 10, 2021, 1:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Document Level Security Based On External Data Elasticsearch elastic-stack-security	4	414	December 11, 2018
Document level security not behaving as expected Elasticsearch elastic-stack-security	3	228	November 8, 2022
[terms_set] query does not support [minimum_should_match_script] Elasticsearch	9	3071	March 2, 2018
Thoughts on an approach of ACL filtering on content Elasticsearch	1	1464	July 5, 2017
Range query in doc lvl security Elasticsearch elastic-stack-security	2	419	December 7, 2020

Attribute Based Security

Related Topics