Courier Fetch Error when using document level filtering

security

(Thomas Nolan) #1

I'm having an issue when trying to use the document level filtering feature in the roles.yml file. When I try to enable it I am presented with the following error:

Courier Fetch Error: unhandled courier request error: [security_exception] action [indices:data/read/mget] is unauthorized for user [csi_user]

Here is the Shield section of elasticsearch.yml

shield:
  dls_fls.enabled: true
  authc:
    realms:
      esusers1:
        type: esusers
        order: 0

The role from roles.yml

Customer1_ro:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    'logstash-*':
      privileges: read
      query:
        term:
          Customer.raw: "Customer1"
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

Error from the logs:

 [2016-02-03 10:21:48,851][INFO ][rest.suppressed          ] /_mget Params: {preference=1454494892371, timeout=0, ignore_unavailable=true}
ElasticsearchSecurityException[action [indices:data/read/mget] is unauthorized for user [csi_user]]
at org.elasticsearch.shield.support.Exceptions.authorizationError(Exceptions.java:45)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denialException(InternalAuthorizationService.java:294)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denial(InternalAuthorizationService.java:268)
at org.elasticsearch.shield.authz.InternalAuthorizationService.authorize(InternalAuthorizationService.java:129)
at org.elasticsearch.shield.action.ShieldActionFilter.apply(ShieldActionFilter.java:105)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:99)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:77)
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
at org.elasticsearch.client.support.AbstractClient.multiGet(AbstractClient.java:555)
at org.elasticsearch.rest.action.get.RestMultiGetAction.handleRequest(RestMultiGetAction.java:70)
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
at org.elasticsearch.rest.RestController.executeHandler(RestController.java:207)
at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:281)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:262)
at org.elasticsearch.shield.rest.ShieldRestFilter.process(ShieldRestFilter.java:77)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:265)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:348)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:63)
    ......

I have tried many different configurations but having no luck. Any help would be much appreciated.

Note: If I remove the query section everything is fine.
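The denied action is `indices:data/read/mget`, and `/_mget` with no index in the URL takes its target indices from the request body, so Shield authorizes the action per index. The script below is an added example (not Shield's own code, and not from anyone in this thread) that models that resolution against a constructed copy of the role posted above: it accepts both the legacy list form used for `.kibana` and the `privileges`/`query` form used for `logstash-*`, expands named privileges through a small table that is an assumed subset of Shield's real one, and reports which entry grants an action and whether that grant carries a DLS filter. It is a way of checking whether a denial is a missing grant or something else; it does not claim to reproduce the behaviour of DLS itself.

```python
"""Simplified model of how a Shield 2.x role entry is resolved for a request.

Added example, not Shield's code.  The privilege table and matching rules are
a deliberately reduced approximation (assumption), and the role below is a
constructed copy of the one posted in this thread.
"""
from fnmatch import fnmatchcase

# Named index privileges expanded to the action patterns they cover.
# ASSUMPTION: a subset of Shield's table, enough for the posted role.
NAMED_INDEX_PRIVILEGES = {
    "all": ["indices:*"],
    "read": ["indices:data/read/*"],
    "write": ["indices:data/write/*"],
    "manage": ["indices:monitor/*", "indices:admin/*"],
}

# Constructed copy of the posted role, in the shape yaml.safe_load would
# return once the indentation is consistent.  '.kibana' keeps the legacy
# list form and 'logstash-*' the privileges/query form, as posted.
CUSTOMER1_RO = {
    "cluster": ["cluster:monitor/nodes/info", "cluster:monitor/health"],
    "indices": {
        "logstash-*": {
            "privileges": "read",
            "query": {"term": {"Customer.raw": "Customer1"}},
        },
        ".kibana": [
            "indices:admin/create", "indices:admin/exists",
            "indices:admin/mapping/put", "indices:admin/mappings/fields/get",
            "indices:admin/refresh", "indices:admin/validate/query",
            "indices:data/read/get", "indices:data/read/mget",
            "indices:data/read/search", "indices:data/write/delete",
            "indices:data/write/index", "indices:data/write/update",
        ],
    },
}


def normalise_entry(entry):
    """Return (action_patterns, query) for either roles.yml index form."""
    if isinstance(entry, (list, str)):      # legacy form: bare privilege list
        privileges, query = entry, None
    else:                                   # extended form: privileges/query/fields
        privileges, query = entry.get("privileges", []), entry.get("query")
    if isinstance(privileges, str):
        privileges = [p.strip() for p in privileges.split(",")]
    patterns = []
    for priv in privileges:
        if ":" in priv:                     # raw action name or action pattern
            patterns.append(priv)
        elif priv in NAMED_INDEX_PRIVILEGES:
            patterns.extend(NAMED_INDEX_PRIVILEGES[priv])
        else:
            raise ValueError("unknown index privilege %r" % priv)
    return patterns, query


def check_index_action(role, action, index):
    """Decide whether `action` on `index` is granted by `role`.

    Returns (allowed, queries); `queries` lists the DLS query of every
    matching entry, so a caller can see that a grant came with a filter.
    """
    allowed, queries = False, []
    for pattern, entry in role["indices"].items():
        if not fnmatchcase(index, pattern):
            continue
        action_patterns, query = normalise_entry(entry)
        if any(fnmatchcase(action, p) for p in action_patterns):
            allowed = True
            if query is not None:
                queries.append(query)
    return allowed, queries


def check_request(role, action, indices):
    """A multi-index request (mget, search) needs the action on every index."""
    results = {idx: check_index_action(role, action, idx) for idx in indices}
    return all(ok for ok, _ in results.values()), results


if __name__ == "__main__":
    for action, indices in [
        ("indices:data/read/mget", [".kibana"]),
        ("indices:data/read/mget", ["logstash-2016.02.03"]),
        ("indices:data/read/search", ["logstash-2016.02.03", ".kibana"]),
        ("indices:admin/delete", ["logstash-2016.02.03"]),
    ]:
        ok, detail = check_request(CUSTOMER1_RO, action, indices)
        print("%-26s %-32s -> %s" % (action, ",".join(indices),
                                     "allowed" if ok else "DENIED"))
        for idx, (_, queries) in detail.items():
            for q in queries:
                print("    DLS filter on %s: %s" % (idx, q))
```

Run it as-is to see that, on paper, both entries of the posted role grant `indices:data/read/mget` (explicitly for `.kibana`, via `read` for `logstash-*`, the latter with the `Customer.raw` filter attached). To try a different role, replace `CUSTOMER1_RO` with the dict `yaml.safe_load` returns for your own roles.yml entry.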


(Martijn Van Groningen) #2

Do you see any of these error logs:

invalid role definition [Customer1_ro] in roles file

The indentation in your yaml files looks incorrect, so I think the roles and settings aren't picked up correctly. For example, the spaces required before the second line here:

shield:
  dls_fls.enabled: true

(Thomas Nolan) #3

Sorry, the incorrect indentation was just bad formatting in the post; I have corrected it.
As for "invalid role definition [Customer1_ro]", I don't see that in the logs when trying to access Kibana with a user of this role. I do get an error; I have added it above.

Also to point out, this role works fine once the query section is removed.


(Bahaaldine AZARMI) #4

Can you please send the mapping of your index and also an example of the document you are trying to fetch?

