Courier Fetch Error when using document level filtering

I'm having a issue when trying to use the document level filtering feature in the roles.yml file. When I try to enable it I am presented with the following error

Courier Fetch Error: unhandled courier request error: [security_exception] action [indices:data/read/mget] is unauthorized for user [csi_user]

Here is the Shield section of elasticsearch.yml

shield:
    dls_fls.enabled: true
    authc:
        realms:
           esusers1:
            type: esusers
            order: 0

The role form roles.yml

Customer1_ro:
 cluster:
   - cluster:monitor/nodes/info
  - cluster:monitor/health
indices:
'logstash-*':
  privileges: read
  query:
    term:
     Customer.raw: "Customer1"	  
'.kibana': 
  - indices:admin/create
  - indices:admin/exists
  - indices:admin/mapping/put
  - indices:admin/mappings/fields/get
  - indices:admin/refresh
  - indices:admin/validate/query
  - indices:data/read/get
  - indices:data/read/mget
  - indices:data/read/search
  - indices:data/write/delete
  - indices:data/write/index
  - indices:data/write/update

Error from the logs:

 [2016-02-03 10:21:48,851][INFO ][rest.suppressed          ] /_mget Params: {preference=1454494892371, timeout=0, ignore_unavailable=true}
ElasticsearchSecurityException[action [indices:data/read/mget] is unauthorized for user [csi_user]]
at org.elasticsearch.shield.support.Exceptions.authorizationError(Exceptions.java:45)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denialException(InternalAuthorizationService.java:294)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denial(InternalAuthorizationService.java:268)
at org.elasticsearch.shield.authz.InternalAuthorizationService.authorize(InternalAuthorizationService.java:129)
at org.elasticsearch.shield.action.ShieldActionFilter.apply(ShieldActionFilter.java:105)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:99)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:77)
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
at org.elasticsearch.client.support.AbstractClient.multiGet(AbstractClient.java:555)
at org.elasticsearch.rest.action.get.RestMultiGetAction.handleRequest(RestMultiGetAction.java:70)
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
at org.elasticsearch.rest.RestController.executeHandler(RestController.java:207)
at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:281)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:262)
at org.elasticsearch.shield.rest.ShieldRestFilter.process(ShieldRestFilter.java:77)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:265)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:348)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:63)
    ......

I have tried many different configurations but having no luck. Any help would be much appreciated.

Note* If I remove the query section everything is fine.

Do you see any of this these error logs:

invalid role definition [Customer1_ro] in roles file

The indentation in your yaml files look incorrect, so I think the roles and settings aren't picked up correctly. For example the spaces required before the second line here:

shield:
  dls_fls.enabled: true

Sorry the incorrect indentation was just bad formatting in the post I have corrected.
As for the "Invalid role definition [Customer1_ro]" I dont see that in the logs when trying to access kibana with a user of this role, I do a error I have added it above.

Also to point out, this role works fine once the query section is reomved.

Can you please send the mapping of your index and also an example of the document you are trying to fetch?