Document Level Security Problems

I'm trying to set up document level security for a user on my found/elastic-cloud cluster, with the following config:

user-list
me: big_hash
user-role map:
my_role: me
role-list

my_role:
  indices:
    '*':
      privileges: read
      query: '{"query":{"nested":{"path":"project","query":{"term":{"project.raw":"P1"}}}}}'

But when I try to query ES as such:

{"search_type":"count","ignore_unavailable":true,"index":["logstash-2016.03"]}
{"size":0,"query":{"filtered":{"query":{"query_string":{"analyze_wildcard":true,"query":"project:P1"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"gte":"1456955764205","lte":"1457560564206","format":"epoch_millis"}}}]}}}},"aggs":{"2":{"date_histogram":{"interval":"5m","field":"@timestamp","min_doc_count":0,"extended_bounds":{"min":"1456955764205","max":"1457560564206"},"format":"epoch_millis"},"aggs":{}}}}

I get the error:

action [indices:data/read/msearch] is unauthorized for user [me]

Can someone help me sort this out?

Ok I've tried literally every possible query I could think of, and nothing works. Every time the query is rejected unless I remove the query from the role.

I even get the same error with this role:

my_role:
  indices:
    '*':
      privileges: indices:data/read/msearch
      query:
        term:
         message: '*'

I think you may be hitting a bug where document and field level security is disabled by default. Can you set shield.dls_fls.enabled: true in your elasticsearch.yml?

Note a message should have been logged stating that the role was being skipped because document and field level security is not enabled.

I'd love to, but I use the hosted elasticsearch (Found/Elastic Cloud), so how would I do that?

With elastic cloud, we do not have the ability to change elasticsearch.yml settings yet. A bugfix release, 2.2.1, should be coming out shortly, which will address the need to change this setting.

Jay, I'm also interested in implementing document level security and am hosted on Cloud, running 2.2.0, using Shield for security. I'm using Kibana 4.4.0. I've successfully limited access to different index patterns (following this documentation) but I really also need to limit access to specific queries.

Do you have any idea when this will be fixed? Would upgrading to 2.2.2 give me this capability?

Yes upgrading to 2.2.2 should allow you to use document level security on Cloud.