Document Level Security Problems


(Camden Narzt) #1

I'm trying to set up document level security for a user on my found/elastic-cloud cluster, with the following config:

me: big_hash
user-role map:
my_role: me

      privileges: read
      query: '{"query":{"nested":{"path":"project","query":{"term":{"project.raw":"P1"}}}}}'

But when I try to query ES as such:


I get the error:

action [indices:data/read/msearch] is unauthorized for user [me]

Can someone help me sort this out?

(Camden Narzt) #2

OK, I've tried literally every possible query I could think of, and nothing works. Every time the query is rejected unless I remove the query from the role.

I even get the same error with this role:

      privileges: indices:data/read/msearch
         message: '*'

(Jay Modi) #3

I think you may be hitting a bug where document and field level security is disabled by default. Can you set shield.dls_fls.enabled: true in your elasticsearch.yml?

Note that a message should have been logged stating that the role was being skipped because document and field level security is not enabled.
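For reference, the complete shape the Shield 2.2 files take once the setting above is in place, as an added example that is not part of this thread or of the Shield documentation: the index name `projects`, the user password hash and the file comments are assumptions; the role name, user name and the nested `project.raw` query are the ones from the first post.

```yaml
# elasticsearch.yml (Shield 2.2.0): re-enable document/field level security.
# Without this the role below is silently skipped at startup and a message
# saying so is written to the Elasticsearch log.
shield.dls_fls.enabled: true

# config/shield/users  (esusers file; "big_hash" stands in for the real bcrypt hash)
#   me: big_hash
#
# config/shield/users_roles  (maps a role to the users that hold it)
#   my_role: me

# config/shield/roles.yml
# Each entry under "indices" needs "names" (which indices the grant covers),
# "privileges", and optionally a DLS "query". The query from the thread is
# kept verbatim; "projects" is an assumed index name.
my_role:
  indices:
    - names: 'projects'
      privileges: read
      query: '{"query":{"nested":{"path":"project","query":{"term":{"project.raw":"P1"}}}}}'
```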

(Camden Narzt) #4

I'd love to, but I use the hosted elasticsearch (Found/Elastic Cloud), so how would I do that?

(Jay Modi) #5

With elastic cloud, we do not have the ability to change elasticsearch.yml settings yet. A bugfix release, 2.2.1, should be coming out shortly, which will address the need to change this setting.

(Katy Gero) #6

Jay, I'm also interested in implementing document level security and am hosted on Cloud, running 2.2.0, using Shield for security. I'm using Kibana 4.4.0. I've successfully limited access to different index patterns (following this documentation) but I really also need to limit access to specific queries.

Do you have any idea when this will be fixed? Would upgrading to 2.2.2 give me this capability?

(Jay Modi) #7

Yes, upgrading to 2.2.2 should allow you to use document level security on Cloud.
