Field level security

Elastic Stack Elasticsearch
1

I am trying to setup one role to have read permission on particular fields, but the testing is a bit confusing.

In Role Management, I choose one indice with Read privilege, and then turn on the Grant Access to specific field and choose a few fields.

{
  "doc-readonly" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "myfirstfsjob*"
        ],
        "privileges" : [
          "read"
        ],
        "field_security" : {
          "grant" : [
            "content",
            "path.real.fulltext",
            "meta.keywords"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [
      "elastic"
    ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Now in Kibana, I am not able to query any data (while the same query returns result prior to the role setup).

Here is the Kibana query result (using readonly aka ro):

com%20-%20Outlook
2019-10-15 20_12_51-@Me - sni@informatica.com - Outlook.png1912×576 68.5 KB

At the same time, the GET _Search API returns all documents (Unexpected) with the list of fields (Expected).

Here is the excerpt of the return (using 'ro' user which has 'doc-readonly' role):

sni@elk:~$ sudo curl -H 'Content-Type: application/json' -s --cacert ca.crt -u ro:xxx -XPOST https://localhost:9200/_search?pretty&q=content:DBS
[1] 7424
sni@elk:~$ {
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : 1.0,
    "hits" : [
      {

Any thoughts?

2

Please be a little more explicit in your example and share some more details so that we can help you.

  • Can you share the role definition ? From kibana dev tools ( logged in as a prvileged user ) run GET _security/role/<the_name_of_the_role_here>

  • As which user do you run " the GET _Search API " ? Does this user have the aforementioned role ? Do you use kibana dev tools or the elasticsearch REST API directly?

3

Sorry, and please see my edited post.

4

Hi again,

At the same time, the GET _Search API returns all documents (Unexpected)

Field Level Security controls the fields in the documents that the user has access to and not the documents themselves. Your role says that the user has read access to all the indices that match the index pattern myfirstfsjob* and should only be able to read "content", "path.real.fulltext", "meta.keywords" fields.

You can read through our documentation in Setting up field and document level security | Elasticsearch Guide [7.4] | Elastic and if you have further question about how this works, feel free to reach out!

5

Thank Ioannis,

But here my question is around why Kibana did not return any documents since it was configured for the field.

6

Not sure. While logged in as your ro user, can you run these following requests from the kibana dev tools ?

GET /_security/_authenticate

and

GET /_search

and share the results ?

7

Yes, here it is:

{
  "username" : "ro",
  "roles" : [
    "doc-readonly",
    "kibana_user"
  ],
  "full_name" : "readonly",
  "email" : "ro@tongyao.com.au",
  "metadata" : { },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "default_native",
    "type" : "native"
  },
  "lookup_realm" : {
    "name" : "default_native",
    "type" : "native"
  }
}

and

{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "myfirstfsjob",
        "_type" : "_doc",
        "_id" : "e2d83ef7979136474d4f8f911c5821d",
        "_score" : 1.0,
        "_source" : {
          "content" : """
8

Hi @Nee_Defeng,

Thank you for sharing the output, though the output for GET /_search is truncated so of not much use.

Now in Kibana, I am not able to query any data (while the same query returns result prior to the role setup).
Here is the Kibana query result (using readonly aka ro):

Not sure but the image that you shared for Kibana does not even show you fields like _id, _index, that is weird.
It can happen only if there is no index that matches the pattern and it would look something like what you see there.
Can you please try to refresh the index patterns in the Kibana UI and check? Or maybe delete the index pattern and recreate it.

Hope this helps.

Thanks and Regards,
Yogesh Gaikwad

9

Thanks Yogesh, I think I found the root cause of this behaviour: the timestamp field was not granted for this user. As soon as I grant the file.created to this user, all the documents returned ( with * as query) but the fields are empty (-).

One interesting thing is that, with all the returned documents, only these fields are listed. Why is it so?

2019-10-17%2015_13_04-Discover%20-%20Kibana
2019-10-17 15_13_04-Discover - Kibana.png357×547 17.2 KB

10

You haven't shown us an example of your documents (so that we can see the fields ) and the updated role with the FLS part grants so it gets tricky to answer this. Can you share an example of a doc ? ( feel free to scrub out the values)

11

2019-10-17%2015_57_29-
2019-10-17 15_57_29-.png1875×1037 202 KB

12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.