I'm having an issue when trying to use the document level filtering feature in the roles.yml file. When I try to enable it I am presented with the following error:
Courier Fetch Error: unhandled courier request error: [security_exception] action [indices:data/read/mget] is unauthorized for user [csi_user]
Here is the Shield section of elasticsearch.yml
shield:
  dls_fls.enabled: true
  authc:
    realms:
      esusers1:
        type: esusers
        order: 0
The role from roles.yml:
Customer1_ro:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    'logstash-*':
      privileges: read
      query:
        term:
          Customer.raw: "Customer1"
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
Error from the logs:
[2016-02-03 10:21:48,851][INFO ][rest.suppressed ] /_mget Params: {preference=1454494892371, timeout=0, ignore_unavailable=true}
ElasticsearchSecurityException[action [indices:data/read/mget] is unauthorized for user [csi_user]]
at org.elasticsearch.shield.support.Exceptions.authorizationError(Exceptions.java:45)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denialException(InternalAuthorizationService.java:294)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denial(InternalAuthorizationService.java:268)
at org.elasticsearch.shield.authz.InternalAuthorizationService.authorize(InternalAuthorizationService.java:129)
at org.elasticsearch.shield.action.ShieldActionFilter.apply(ShieldActionFilter.java:105)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:99)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:77)
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
at org.elasticsearch.client.support.AbstractClient.multiGet(AbstractClient.java:555)
at org.elasticsearch.rest.action.get.RestMultiGetAction.handleRequest(RestMultiGetAction.java:70)
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
at org.elasticsearch.rest.RestController.executeHandler(RestController.java:207)
at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:281)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:262)
at org.elasticsearch.shield.rest.ShieldRestFilter.process(ShieldRestFilter.java:77)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:265)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:348)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:63)
......
I have tried many different configurations but am having no luck. Any help would be much appreciated.
Note: If I remove the query section everything is fine.