Document Level Security Problems

CamJN · March 9, 2016, 10:02pm

I'm trying to set up document level security for a user on my found/elastic-cloud cluster, with the following config:

user-list
me: big_hash
user-role map:
my_role: me
role-list

my_role:
  indices:
    '*':
      privileges: read
      query: '{"query":{"nested":{"path":"project","query":{"term":{"project.raw":"P1"}}}}}'

But when I try to query ES as such:

{"search_type":"count","ignore_unavailable":true,"index":["logstash-2016.03"]}
{"size":0,"query":{"filtered":{"query":{"query_string":{"analyze_wildcard":true,"query":"project:P1"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"gte":"1456955764205","lte":"1457560564206","format":"epoch_millis"}}}]}}}},"aggs":{"2":{"date_histogram":{"interval":"5m","field":"@timestamp","min_doc_count":0,"extended_bounds":{"min":"1456955764205","max":"1457560564206"},"format":"epoch_millis"},"aggs":{}}}}

I get the error:

action [indices:data/read/msearch] is unauthorized for user [me]

Can someone help me sort this out?

CamJN · March 10, 2016, 12:00am

Ok I've tried literally every possible query I could think of, and nothing works. Every time the query is rejected unless I remove the query from the role.

I even get the same error with this role:

my_role:
  indices:
    '*':
      privileges: indices:data/read/msearch
      query:
        term:
         message: '*'

jaymode · March 10, 2016, 1:49am

I think you may be hitting a bug where document and field level security is disabled by default. Can you set shield.dls_fls.enabled: true in your elasticsearch.yml?

Note a message should have been logged stating that the role was being skipped because document and field level security is not enabled.

CamJN · March 10, 2016, 2:15am

I'd love to, but I use the hosted elasticsearch (Found/Elastic Cloud), so how would I do that?

jaymode · March 10, 2016, 11:25am

With elastic cloud, we do not have the ability to change elasticsearch.yml settings yet. A bugfix release, 2.2.1, should be coming out shortly, which will address the need to change this setting.

Katy_Gero · April 22, 2016, 1:57pm

Jay, I'm also interested in implementing document level security and am hosted on Cloud, running 2.2.0, using Shield for security. I'm using Kibana 4.4.0. I've successfully limited access to different index patterns (following this documentation) but I really also need to limit access to specific queries.

Do you have any idea when this will be fixed? Would upgrading to 2.2.2 give me this capability?

jaymode · April 22, 2016, 2:13pm

Yes upgrading to 2.2.2 should allow you to use document level security on Cloud.