Field security level Kibana

Hi,

I'm trying to set up field security level, but it doesn't seem to work.

I'm using the Elastic cloud trial (Deployment version v7.6.0) and the Flights dataset that comes as a demo.

I've created a role (flight_data) with read privileges, and a user (flight-user) with that role.
Then, I went to the Dev Tools and tried the following configuration following the documentation (https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html)

The idea is to create a role that can only see the data when the OriginCityName of the flights is "London"

POST /_security/role/flight-data
{
  "run_as": [ "flight-user" ],
  "cluster": [ "monitor" ],
  "indices": [
    {
      "names": [ "kibana_sample_data_flights" ],
      "privileges": [ "read" ],
      "field_security" : {
        "grant" : [ "*" ]
      },
      "query": "{\"match\": {\"OriginCityName\": \"London\"}}"
    }
  ]
}

However, that user can see all the data. So, what am I missing?

Thanks

What you want is document level security, to do that you need to create a new role like the one below that restricts read only to documents from EZE airport. Then you can assign that role to a new user.

POST /_security/role/eze-read
{
  "indices": [
    {
      "names": [
        "kibana_sample_data_flights"
      ],
      "privileges": [
        "read"
      ],
      "query": {
        "template": {
          "source": {
            "term": {
              "OriginAirportID": "EZE"
            }
          }
        }
      }
    }
  ]
}

If the user is called eze you can run this and see how the count is just 258:

$ curl -u "eze:changeme" "localhost:9200/kibana_sample*/_count" 
{"count":258,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}

While if you do the same using the superuser, you get all 13059 docs:

$ curl -u "elastic:changeme" "localhost:9200/kibana_sample*/_count" 
{"count":13059,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}

Let us know if this is what you need. Best.

1 Like
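To make the distinction in the answer above concrete, here is an added Python example (not code from the thread or from Elastic): it builds role bodies in the shape accepted by `POST /_security/role/<name>` for both field-level security (which fields a user sees) and document-level security (which documents a user sees), and applies each restriction to a handful of constructed flight documents so the effect is visible without a running cluster. The field names `OriginCityName` and `OriginAirportID` come from the sample dataset discussed in the thread; the documents, carrier codes and flight numbers are constructed, and the local filter is a simplification that supports only a single `term` query and `*` wildcards in field grants.

```python
"""Field-level security (FLS) vs document-level security (DLS), simulated locally.

Added example; the role bodies match the API shape, the filtering is a
simplified stand-in for what Elasticsearch does for a user holding the role.
"""
import fnmatch
import json

INDEX = "kibana_sample_data_flights"

# Constructed sample documents (schema follows the demo data, values invented).
FLIGHTS = [
    {"FlightNum": "C1", "OriginCityName": "London", "OriginAirportID": "LHR", "Carrier": "Alpha"},
    {"FlightNum": "C2", "OriginCityName": "London", "OriginAirportID": "LGW", "Carrier": "Beta"},
    {"FlightNum": "C3", "OriginCityName": "Buenos Aires", "OriginAirportID": "EZE", "Carrier": "Alpha"},
    {"FlightNum": "C4", "OriginCityName": "Tokyo", "OriginAirportID": "HND", "Carrier": "Gamma"},
]


def dls_role(index, field, value, privileges=("read",)):
    """Role that restricts WHICH DOCUMENTS are visible: a term query on one field.

    The query is given as an object under template/source, as in the answer;
    that sidesteps the quoting needed when the query is embedded as a string."""
    return {
        "indices": [{
            "names": [index],
            "privileges": list(privileges),
            "query": {"template": {"source": {"term": {field: value}}}},
        }]
    }


def fls_role(index, grant, except_=None, privileges=("read",)):
    """Role that restricts WHICH FIELDS are visible; every document still matches."""
    field_security = {"grant": list(grant)}
    if except_:
        field_security["except"] = list(except_)
    return {
        "indices": [{
            "names": [index],
            "privileges": list(privileges),
            "field_security": field_security,
        }]
    }


def query_as_string(query):
    """If a DLS query is sent as a JSON string (as in the first post), every
    inner quote must be escaped; json.dumps produces the correctly escaped form."""
    return json.dumps(query)


def _field_visible(name, field_security):
    granted = any(fnmatch.fnmatch(name, g) for g in field_security["grant"])
    excluded = any(fnmatch.fnmatch(name, e) for e in field_security.get("except", []))
    return granted and not excluded


def apply_locally(docs, role):
    """Simulate the search result a user holding `role` would get back:
    DLS drops non-matching documents, FLS strips non-granted fields."""
    perm = role["indices"][0]
    visible_docs = []
    for doc in docs:
        query = perm.get("query")
        if query is not None:
            term = query["template"]["source"]["term"]
            (field, value), = term.items()
            if doc.get(field) != value:
                continue  # DLS: document hidden entirely
        field_security = perm.get("field_security")
        if field_security is not None:
            doc = {k: v for k, v in doc.items() if _field_visible(k, field_security)}
        visible_docs.append(dict(doc))
    return visible_docs


if __name__ == "__main__":
    eze = dls_role(INDEX, "OriginAirportID", "EZE")
    print(json.dumps(eze, indent=2))
    print("DLS (EZE only):", len(apply_locally(FLIGHTS, eze)), "of", len(FLIGHTS), "docs")
    no_carrier = fls_role(INDEX, grant=["*"], except_=["Carrier"])
    print("FLS (no Carrier):", apply_locally(FLIGHTS, no_carrier)[0])
    print("Escaped string form:", query_as_string({"match": {"OriginCityName": "London"}}))
```

Two points worth keeping in mind when checking a setup like the one in the first post: a user only receives the privileges of roles that are actually attached to it, so the name in the `POST /_security/role/...` path must match the name assigned to the user exactly (the first post creates `flight_data` for the user and then posts `flight-data`); and the quickest verification is the one the answer shows, a `_count` run as the restricted user compared with the same call as a superuser.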

Hi @jsanz

YES!! That was what I wanted to do. You nailed it.

Thank you very much :slight_smile:
