Field level security

Nee_Defeng · October 15, 2019, 7:20am

I am trying to setup one role to have read permission on particular fields, but the testing is a bit confusing.

In Role Management, I choose one indice with Read privilege, and then turn on the Grant Access to specific field and choose a few fields.

{
  "doc-readonly" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "myfirstfsjob*"
        ],
        "privileges" : [
          "read"
        ],
        "field_security" : {
          "grant" : [
            "content",
            "path.real.fulltext",
            "meta.keywords"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [
      "elastic"
    ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Now in Kibana, I am not able to query any data (while the same query returns result prior to the role setup).

Here is the Kibana query result (using readonly aka ro):

At the same time, the GET _Search API returns all documents (Unexpected) with the list of fields (Expected).

Here is the excerpt of the return (using 'ro' user which has 'doc-readonly' role):

sni@elk:~$ sudo curl -H 'Content-Type: application/json' -s --cacert ca.crt -u ro:xxx -XPOST https://localhost:9200/_search?pretty&q=content:DBS
[1] 7424
sni@elk:~$ {
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : 1.0,
    "hits" : [
      {

Any thoughts?

ikakavas · October 15, 2019, 8:19am

Please be a little more explicit in your example and share some more details so that we can help you.

Can you share the role definition ? From kibana dev tools ( logged in as a prvileged user ) run GET _security/role/<the_name_of_the_role_here>
As which user do you run " the GET _Search API " ? Does this user have the aforementioned role ? Do you use kibana dev tools or the elasticsearch REST API directly?

Nee_Defeng · October 15, 2019, 9:21am

Sorry, and please see my edited post.

ikakavas · October 15, 2019, 9:51am

Hi again,

At the same time, the GET _Search API returns all documents (Unexpected)

Field Level Security controls the fields in the documents that the user has access to and not the documents themselves. Your role says that the user has read access to all the indices that match the index pattern myfirstfsjob* and should only be able to read "content", "path.real.fulltext", "meta.keywords" fields.

You can read through our documentation in Setting up field and document level security | Elasticsearch Guide [7.4] | Elastic and if you have further question about how this works, feel free to reach out!

Nee_Defeng · October 15, 2019, 11:08am

Thank Ioannis,

But here my question is around why Kibana did not return any documents since it was configured for the field.

ikakavas · October 15, 2019, 11:16am

Not sure. While logged in as your ro user, can you run these following requests from the kibana dev tools ?

GET /_security/_authenticate

and

GET /_search

and share the results ?

Nee_Defeng · October 15, 2019, 11:45am

Yes, here it is:

{
  "username" : "ro",
  "roles" : [
    "doc-readonly",
    "kibana_user"
  ],
  "full_name" : "readonly",
  "email" : "ro@tongyao.com.au",
  "metadata" : { },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "default_native",
    "type" : "native"
  },
  "lookup_realm" : {
    "name" : "default_native",
    "type" : "native"
  }
}

and

{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "myfirstfsjob",
        "_type" : "_doc",
        "_id" : "e2d83ef7979136474d4f8f911c5821d",
        "_score" : 1.0,
        "_source" : {
          "content" : """

Yogesh_Gaikwad · October 16, 2019, 3:47am

Hi @Nee_Defeng,

Thank you for sharing the output, though the output for GET /_search is truncated so of not much use.

Now in Kibana, I am not able to query any data (while the same query returns result prior to the role setup).
Here is the Kibana query result (using readonly aka ro):

Not sure but the image that you shared for Kibana does not even show you fields like _id, _index, that is weird.
It can happen only if there is no index that matches the pattern and it would look something like what you see there.
Can you please try to refresh the index patterns in the Kibana UI and check? Or maybe delete the index pattern and recreate it.

Hope this helps.

Thanks and Regards,
Yogesh Gaikwad

Nee_Defeng · October 17, 2019, 4:25am

Thanks Yogesh, I think I found the root cause of this behaviour: the timestamp field was not granted for this user. As soon as I grant the file.created to this user, all the documents returned ( with * as query) but the fields are empty (-).

One interesting thing is that, with all the returned documents, only these fields are listed. Why is it so?

ikakavas · October 17, 2019, 4:52am

You haven't shown us an example of your documents (so that we can see the fields ) and the updated role with the FLS part grants so it gets tricky to answer this. Can you share an example of a doc ? ( feel free to scrub out the values)

Nee_Defeng · October 17, 2019, 4:58am

system · November 14, 2019, 4:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.