Document-level security query failing

jmcginty · February 2, 2017, 10:06pm

Hi,
I want to add a document level filter that uses user metadata. My user metadata is defined as:

"metadata": {
"sids": [1,2,3]
}
}

My role for the user is defined as:

{
"cluster": [
"all"
],
"indices": [
{
"names": [
""
],
"privileges": [
"read"
],
"query": {"term":{"securityIds":"{{_user.metadata.sids}}}}"}}
}
],
"run_as": [
""
],
"metadata": {}
}

When I execute a query I get the error:

failed to create query: {
"term" : {
"securityIds" : {
"value" : "{{_user.metadata.sids}}}}",
"boost" : 1.0
}

I've tried adding the {{#toJson}} as decribed here:

But that does work either.

I know that he query works without the _user variable because if I substitute a hard-code value it works, e.g.
"query": {"term":{"securityIds":1}}

I set up the query using filterWithHeader(..) to specify the user.

Any ideas? Thanks.

jaymode · February 2, 2017, 10:24pm

Heya, I think the missing piece is the template object around the query, see the examples in the docs: https://www.elastic.co/guide/en/x-pack/current/field-and-document-access-control.html#templating-role-query

jmcginty · February 2, 2017, 10:33pm

Thank you! That makes _user.metadata.sids resolve.

But now it resolves _user_metadata.sids to a string-wrapped json value. The value in the actual user metadata is:
"sids": [1,2,3]

And the query error is:

caused by: failed to create query: {
"term" : {
"securityIds" : {
"value" : "[1,2,3]",
"boost" : 1.0
}

jaymode · February 2, 2017, 10:50pm

I think you'll need to add the toJson into the query in the role

jmcginty · February 2, 2017, 11:02pm

Thanks. I've tried it both ways and neither resolves to an array.

With "securityIds": "{{_user.metadata.sids}}"
the error is:
caused by: failed to create query: {
"term" : {
"securityIds" : {
"value" : "{0=1, 1=2, 2=3}",
"boost" : 1.0
}
With "securityIds": "{{#toJson}}_user.metadata.sids{{/toJson}}"
the error is:
caused by: failed to create query: {
"term" : {
"securityIds" : {
"value" : "[1,2,3]",
"boost" : 1.0
}

2 is almost correct, except that it's wrapped in a string.

jaymode · February 2, 2017, 11:12pm

I think the query needs to be defined as a string like this:

"query": "{\"template\":{\"inline\":\"{\"term\":{\"securityIds\": {{#toJson}}_user.metadata.sids{{/toJson}} }}\"}}"

jmcginty · February 2, 2017, 11:48pm

Thanks. With:
"query": "{ "template":{"inline":"{"term":{"securityIds": {{#toJson}}_user.metadata.sids{{/toJson}} }}"}} }"

I get exception:

aused by: [script] failed to parse object
org.elasticsearch.common.xcontent.ObjectParser.apply(ObjectParser.java:186)
org.elasticsearch.script.Script.parse(Script.java:322)
org.elasticsearch.script.Script.parse(Script.java:231)
org.elasticsearch.xpack.security.authz.accesscontrol.SecurityIndexSearcherWrapper.evaluateTemplate(SecurityIndexSearcherWrapper.java:317)
org.elasticsearch.xpack.security.authz.accesscontrol.SecurityIndexSearcherWrapper.wrap(SecurityIndexSearcherWrapper.java:170)
org.elasticsearch.index.shard.IndexSearcherWrapper.wrap(IndexSearcherWrapper.java:75)
org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:898)
org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:588)
org.elasticsearch.search.SearchService.createContext(SearchService.java:547)
...

caused by: Unexpected character ('t' (code 116)): was expecting comma to separate Object entries
at [Source: org.elasticsearch.common.bytes.BytesReference$MarkSupportingStreamInputWrapper@5536ea; line: 1, column: 30]
com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1702)
com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:558)
com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:456)
com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:761)
org.elasticsearch.common.xcontent.json.JsonXContentParser.nextToken(JsonXContentParser.java:52)
org.elasticsearch.common.xcontent.ObjectParser.parse(ObjectParser.java:157)
org.elasticsearch.common.xcontent.ObjectParser.apply(ObjectParser.java:184)
org.elasticsearch.script.Script.parse(Script.java:322)
org.elasticsearch.script.Script.parse(Script.java:231)
...

jaymode · February 3, 2017, 12:54am

Sorry about that, I took this from a working test:

query: {
    "template": {
        "inline": "{\"terms\" : { \"securityIds\" : {{#toJson}}_user.metadata.sids{{/toJson}} } }"
    }
}

jmcginty · February 3, 2017, 4:24pm

Hey Jay, that works - THANK YOU!

system · March 3, 2017, 4:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
X-Pack Security : Role definition query template with 'terms' Elasticsearch	11	1914	July 6, 2017
Document-level security query params Elasticsearch	5	761	December 25, 2017
Document Level Security Problems Elasticsearch elastic-stack-security	7	1410	July 6, 2017
Can we filter document in nested object with user.metadata jobs? Elasticsearch elastic-stack-security	2	491	July 15, 2019
Document level security in Kibana with X Pack Kibana	7	1372	July 7, 2017

Document-level security query failing

Related topics